Hi,   I am trying this cmd   index="wineventlog" host IN (*) EventCode=6006 OR EventCode="6005" Type=Information | transaction host startswith=6006 endswith=6005 maxevents=2 | eval duration = duration + " Sec" | table _time host duration   If the output in sec.. i need sec... if its in minutes then minutes .. if its in hours and if in days it should calculate the same.   Thanks in Advance

Hi, I need a help with a query to display the count based on a particular message. For example, "Failed project on ABC", the query basically should read and count 2 and if it's greater than 2 , should display the number I tried something like this, but not working index="Project" | stats count(eval(message like("%Failed Project on%")) | where count>2 Could someone suggest way of achieving this?   /nanoo1  

Hey guys,  I am a nebbie with Splunk, but already fell in love with it. Such a great tool!  I was tasked with storing settings of a website from Cloudflare into Splunk. Without much of a knowledge I wrote a small Python script that basically gets settings data from CF and sends it to Splunk via HEC token, on my local instance. This is one of the ways of doing it, but I'm sure there must be much slicker way.  Question is, what would you guys recommend to achieve this task? What would be the best practices?    Thanks in advance,  Vadim

Hello, Is it possible to user OR with regex? For example i have search | regex something="", and I need | regex something="" OR | regex something2="" Maybe should I change construction? Any ideas?   Thank you.

How can I show organization's banner at the top of Splunk Dashboard. In my case it is coming below the label & filters. Below is my code snippet.   <dashboard theme="light" hideChrome="true" hideExport="true"> <label>*Welcome To Lending Command Center*</label> <description>Lending Command Center is a collection of visualized data which will provide the client with details on its business at various levels of technology and operations.</description> <row> <html> <center><img src="/static/app/search/Header-black@2x-100.jpg" ></img></center> </html> </row>      

Hi, Search 1: It is used to findout the server health index=win sourcetype="xmlwineventlog" host=Prod_UI_* | eval Status=if(EventCode=41 OR EventCode=6006 OR EventCode=6008,"Down","Up") | dedup host | table Status Search 2 : It is used to findout the CPU Usage | mstats avg(_value) prestats=true WHERE metric_name="Processor.%_Processor_Time" AND "index"="winperf" AND host=Prod_UI_* span=60s | eval Timestamp=strftime(_time ,"%d/%m/%Y %H:%M:%S") | stats avg(_value) AS CPU BY host Timestamp | where CPU>=0 | eval Status="Critical",CPU=round(CPU,2),CPU=CPU+"%" | rename host as Hostname | table Timestamp Hostname CPU Status | dedup Hostname | sort - CPU Search 3 : It is used to findout the Memory Usage | mstats avg(_value) prestats=true WHERE metric_name="Memory.%_Committed_Bytes_In_Use" AND "index"="winperf" AND host=Prod_UI_* span=60s | eval Timestamp=strftime(_time ,"%d/%m/%Y %H:%M:%S") | stats avg(_value) AS Memory BY host Timestamp | where Memory>=0 | eval Status="Critical",Memory=round(Memory,2),Memory=Memory+"%" | rename host as Hostname | table Timestamp Hostname Memory Status | dedup Hostname | sort - Memory finally I need a query to know the server health and CPU and memory usage in single table. and if CPU used >75% or memory used >75% it should show that the server is Down. Like Hostname    Health    CPU    Memory Google           Down      76%      45%

Hello all, One of our home grown apps copies logs to a directory monitored by Splunk once a day around midnight. Splunk, however, will not index the events in the log if they contain a past time stamp. The lines in the log look similar to this: 12/18/2021,00:00:20,UDP,Rcv,10.132.133.29,app-measurement.com   These lines are skipped, however, if the line looks like this it will be indexed: UDP,Rcv,10.132.133.29,app-measurement.com   It appears having a date and time in the log is causing the forwarder to not forward the data.  Here's the input.conf for the Splunk app that handles the files: [monitor://C:\Logs\CustomApp] disabled = 0 index = customapp sourcetype = customappevents recursive = false blacklist = \.tmp$ crcSalt = <SOURCE>   Thanks in advance!

Hi Community Members, Anyone knows whether we can use Splunk Enterprise Security to map our correlation searches against MITRE Tactics and Techniques without installing more apps like MITRE Dashboard or Splunk Security Essentials. This mapping can help to see what security coverages we have and what requires improvements.   Many Thanks in advance.

All,   Using the universal forwarder for windows to send to my indexer.    I have installed the Splunk app for Windows on the indexer.  How does the indexer know the difference between Security, System, and Application logs?   Is that figured out automajically? Thanks, Jim

The upgrade to KVStore engine wiredTiger fails with 'Search head cluster has static captain"  This is a two node search head cluster (adding a 3rd search head is not an option at this time).    So how do I upgrade the KVStore engine to wiredTiger?