Hi, I am trying to monitor our Unix boxes (RedHat) without success. I deployed the universal forwarder following the instructions (https://docs.splunk.com/Documentation/Forwarder/8.2.4/Forwarder/Configuretheuniversalforwarder). I installed the RPM and register the deployment server  and the receiving indexer. ./splunk add forward-server <host name or ip address>:<listening port> ./splunk set deploy-poll <host name or ip address>:<management port> I correctly see the new linux box in slpunk web in the forwarder management. Then, I installed the Addon for Unix following the instructions too https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Enabledataandscriptedinputs I copied the addon to the folder C:\Program Files\Splunk\etc\deployment-apps and deployed it to the linux box using the Splunk Web. (I created the server classed and assign the client and the TA_nix ) Then , I logged into the linux box and I enabled the data input using the command line  https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Enabledataandscriptedinputs     /splunk cmd sh $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/setup.sh --enable-all     I restarted the splunk forwarder as indicated in the instructions. Here is where I get lost... I dont see any mention to which index should the events go. I dont see any new index created by the addon so I created the index "os" myself. is this correct? I also added the index=os to all stanzas in the local/inputs.conf the events started to appear in the index "os". is this the way to do it? some other actions that I missed? Thanks a lot

Hell all,   In my organzation we are trying to collect logs from all Laptop/Desktop into Splunk. I read somewhere that we can use logs collected from AV agents instead of installing universal forwarders. I We have CrowdStrike agents on all our endpoint devices.    s this right method? If so, what is the use cases where we may have to install UF on endpoint devices.   Thank you

Upgrading from Splunk 7.3.9 to Versions before 8.0.8 or 8.1.1 will fail. During the install process the installer will error with the following messages relating to the files: libxml2.dll libeay32.dll ssleay32.dll                         After dismissing these messages, the installer rolls back and reverts to the previously installed version 7.3.9 This appears related to the dates on these files that the installer does not handle correctly and does not overwrite. At the end of the failed install (before rollback) these 3 files are missing from the $SPLUNK_HOME/bin folder I presume the installer removes (backs up) the original files and during the install process validates that the files to be installed are newer. In the case of these 3 files, the situation is not handled correctly and the installer fails to correctly remedy the situation.  

Hello experts,  If I have only IP address of  hosts from a search, how do I look for its hostname from a lookup table? Let say, I search, index=network_device.    I have a lookup table that contains IP address and host names of all assets.

Hello, i am aware that there already is a Question from way back called: "finding peak and low times from timechart" However in that solution i only can get max and min values overall.   i tried to adapt the solution for my issue. Here it goes... I have multiple customers and want to find peaks for everyone of them. Whilst the solution: index=web GET OR POST | timechart span=1h count | eventstats max(count) as high, min(count) as low | where (count=low OR count=high) | fields _time, count works perfectly for overall peaks i struggle to get it flying with an "by" command for customers...so something like: | timechart span=1hour count  by customer | eventstats max(count) as high, min(count) as low by customer at this point there however is no field "count" anymore Kind regards, Mike  

Hi, I've created an alert for one of my main API service and how it works is, it runs every 30 mins, looks into failure rate and failed requests and then based on the threshold which is (failedRequest > 200 AND failurerate > 10%), it triggers the alert and raises a incident. Now there are times when during those 30 mins, there is a short blip of 5 mins with large number of errors and for the rest of the time it was normal. Now in that case as well the alert gets fired because it meets the threshold. How can i avoid that? Is it possible to look for number of errors and if they are consistent for like 20 or 30 mins and if they are then trigger the alert? How can i achieve that? Here is my sample query - Let me know if anyone can advice on this. It will be immensely helpful. index=myapp_prod source=myapp "message.logPoint"=OUTGOING_RESPONSE (message.httpResponseCode=50* OR message.httpResponseCode=20*) | rename message.serviceName as serviceName message.httpResponseCode as httpResponseCode | where(serviceName LIKE "my-service") | stats count as totalrequests count(eval(httpResponseCode=200)) as successrequest count(eval(httpResponseCode=500 OR httpResponseCode=502 OR httpResponseCode=503)) as failedrequest | eval Total = successrequest + failedrequest | eval failureRatePercentage = round(((failedrequest/Total) * 100),2) | where failureRatePercentage > 10 AND failedrequest > 200