On of the SHC member is going up and down every 5 mins. KV Store is stuck at starting first and then it is stuck at intial sync. The member is running fine from backend and going to up and down in the search head clustering page. I did try splunk restart on that member server and then the KV are rebuilding and getting stuck at each phase first at starting and now at the inital sync. Any help/inputs appreciated @rbal_splunk  Thank you

Hi team,    I need to fetch the 'InterfaceName' from the below payload.  I built a regular expression but it is not working as expression. Can someone please verify this and correct me where I am wrong.  "xmlns:bw":"http://www.tibco.com" "ns:InterfaceName":"MIAP-COVGBA", "ns:CorrelationID":"f84nvkdwe-4ij43kj" I created one regex expression like - | rex field=_raw "ns:InterfaceName\W+(?<AppId>\w+)" |stats count by AppId.   From the above expression I am getting only double quotes ("), but unable to fetch data.    Thanks in advance.   yours, ...    

I am building a new Splunk environment, and due to the number of clients we have, we are building a simple distributed environment that consists of 1 Heavy Forwarder, universal forwarders all pointing to the Heavy Forwarder, and 1 indexer. I would like the heavy forwarder to only forward certain events on to the indexer. Based upon my research (Route and Filter Data ) I have built the below configurations. outputs.conf [tcpout] indexAndForward = 1 [tcpout:indexerGroup] server = <ip address>:9997 props.conf [default] TRANSFORMS-allNull = setnull [WinEventLog:Security] TRANSFORMS-WinEventLog=setNull,SendToUserAccountIndex,SendToGroupAccountIndex transforms.conf [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [SendToUserAccountIndex] REGEX = ^EventCode=(4720|4722|4725|4738) DEST_KEY = _TCP_ROUTING FORMAT = indexerGroup [SendToGroupAccountIndex] REGEX = ^EventCode=(4727|4730|4728) DEST_KEY = _TCP_ROUTING FORMAT = indexerGroup   Unfortunately, even though the specified events are showing in my Windows Event Logs, and the universal forwarder is forwarding the events properly, the events are not showing in the locally indexed items of forwarded items. It is also not showing on the destination server. If I remove the default stanza from props.conf every event populates, including those events that do not meet the criteria listed above. Based upon this, I believe there is an issue with my source types.  My environment is Splunk Enterprise Version 8.0.3 and and installed on Windows Server 2016. 

Hello all, One of the certificates associated with our universal forwarders is due to expire this week. While we have renewed the certificate, we are yet to push it on all universal forwarders. My question is: if we are unable to push new certificate by weekend will the universal forwarders stop logging the data and sharing it with indexes? Thank you

hi as you can see in my xml, I use an eval command in order to define an health status this eval command is linked to a token time now I would like to correlate the rule of my eval command with the time token For example, if I choose the "last 7 days" in my time token, the hang has to be > 5 and the crash > 2 But if i choose the "last 30 days" in my time token, the hang has to be > 1 and the crash > 4 how to do this please?   <form theme="dark"> <search id="bib"> <query> index=toto ((sourcetype="hang") OR ( sourcetype="titi") OR (sourcetype="tutu" web_app_duration_avg_ms &gt; 7000)) </query> <earliest>$date.earliest$</earliest> <latest>$date.latest$</latest> </search> <input type="time" token="date" searchWhenChanged="true"> <label>Période</label> <default> <earliest>-7d@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <single> <search base="bib"> <query>| stats count(hang_process_name) as hang, count(crash_process_name) as crash by site | eval sante=if((hang&gt;5) AND (crash&gt;2), "Etat de santé dégradé","Etat de santé acceptable") </query> </search>    

Hi, I have a bunch of alerts in my savedsearches.conf. I would like to configure the alert action "Add to triggered alerts" (as is offered when you add the alert using the ui). I am doing this programmatically. After restarting splunk, the alerts do not show up as alerts, but rather as reports (in the reports tab). Is this intended behaviour by splunk or am I missing out on something? An example alert can be found below     [generic-alert-name] alert.expires = 120d alert.severity = 2 alert.suppress = 0 alert.track = 1 counttype = number of events cron_schedule = * * * * * description = dispatch.earliest_time = rt-30d dispatch.latest_time = rt-0d display.general.type = statistics display.page.search.tab = statistics enablesched = 1 quantity = 0 relation = greater than request.ui_dispatch_app = my_app request.ui_dispatch_view = my_app search = eventtype = "some-eventtype" | stats count by id | search count >= 4711      

Hi, I am trying to calculate the duration of a call from the bellow search however it is appearing blank, the format is  01/01/2015 13:26:29.64321574:   index=test sourcetype=test | eval created=strptime(starttime,"%Y-%m-%dT%H:%M:%S.%3N") | eval last_time=strptime(endtime,"%Y-%m-%dT%H:%M:%S.%3N") | eval diff=(last_time-created) | eval diff = round(diff/60/60/24) | table diff     Any help would be greatly appreciated.   Thanks

Supposed if i have huge data off employees Like name department and status (login /logout ) One person can login and logout many times in One day.  I need to find out last logout time for each employee 

hi, i am using the below query to list the bootup time and downtime based on event code.. but if the bootuptime shows 3 different days in a month, the calculation for downtime is same for all the three days.. index="wineventlog" host IN (abc) (EventCode=6005) Type=Information | eval BootUptime = strftime(_time, "%Y-%d-%m %H:%M:%S") | table host, BootUptime | fields _time, host, BootUptime | join type=left host[| search index="wineventlog" host IN (abc) EventCode=6006 OR EventCode="6005" Type=Information | transaction host startswith=6006 endswith=6005 maxevents=2 | eval duration=tostring(duration,"duration") | eval time_taken = replace(duration,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3sec") | rename time_taken AS Downtime] | table _time host BootUptime Downtime eg: host    bootuptime                                        downtime abc      2022-15-01 08:15:40                      00h 02min 51sec abc      2022-20-01 03:58:22                      00h 02min 51sec abc      2022-15-01 04:34:53                       00h 02min 51sec correct answer for downtime is  2.85min, 2.8min & 3.1666666666666665min How to correct it? Thanks in advance