I have created a windows level brute force attack alert to alert me when X number of authentication failures occur in a 15 min interval. sometimes I see an alert where the user is the same hostname but ends in the $ sign I have searched the windows documentation but it is not completely clear to me, could someone give me their opinion on what it is, if it is relevant or a false positive.   tnx

Hello,  I went through some of the on-line resources, to have a clear idea on what Protocols SPLUNK UF/HF uses to send data/events to SPLUNK indexer. But I couldn't get any clear ideas. Any help/info on what protocol UF/HF uses ....would be highly appreciated. Thank you so much.  

Hi, I have splunk Waiting for queued job to start getting error for a particular user however no jobs are queued for that user in the Job monitor, the role can run 50 concurrent searches and is only affected this user. Also no jobs are in queued,Parsing,Finalising or Finalised.  Any advice?   Thanks

Hi everyone. I have three charts in a panel in a Simple XML dashboard and I'm trying to programmatically (i.e., with tokens) sync the maximum value of the Y axis. The idea is that the value, determined by the maximum value of all three charts, is used in all three charts. Any clues? I tried setting a token in each of the three searches and then another token as max of these tokens. The resulting token was used to set the maxY value, but it doesn't work. This is the token initialization:     <init> <set token="max_y_version">0</set> <set token="max_y_version1">0</set> <set token="max_y_version2">0</set> <set token="max_y_version3">0</set> </init>       And this is an example chart (I have three of these):     <chart> <search> <done> <eval token="max_y_version1">$result.max_count$</eval> <eval token="max_y_version">max($max_y_version1$, $max_y_version2$, $max_y_version3$)</eval> </done> <query>(some query which creates results containing max_count in the first row...)</query> </search> <option name="charting.axisY.maximumNumber">$max_y_version$</option> <option name="charting.axisTitleX.text">Date</option> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.chart">column</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">none</option> <option name="charting.legend.placement">top</option> <option name="refresh.display">progressbar</option> </chart>       Any clues? Thanks.

Hello everyone, i need a small help    In my search head splunkSRCH637T7.local If I search for any logs with sourcetype , logs not getting genarating,  Health status of splund is TailReader  Root cause: the monitor input cannot produce data because splunkds processing queues are full . This will be caused by inadequate indexing or forwarding rate, or a sudden burst of incoming data,   COULD ANY ONE PLEASE HELP  PLEASE SEE MY SCREEN SHOT

This ^ is sample xml log file that I want to onboard. Please guide me about the settings which I should set in order to properly input this data. Also tell me on which instances the settings (props.conf and transforms.conf) are required. I am running a Distributed system with indexer clustering. 

Hi, all! I wish to display the event without the fields like "host", "source", and "sourcetype" like the photo below on my dashboard. But when I save it as a dashboard, it still shows these fields!  How could I solve the problem?