When running the following search for a 24hr period it is always being auto-finalized due to disk usage limit of 100MB. index="app_ABC123" source="/var/abc/appgroup123/logs/app123/stat.log" | stats count as TotalEvents by TxId | sort TotalEvents desc | where TotalEvents > 100 Is there any way for me to optimize the search so that it doesn't hit the limit?

I am trying to consume AppDynamics api from .net console application using Restshare. Please help me with the way to use it better as with Rest share I am getting errors. And I am unable map the request format of Appdynamic and Restshare. Many thanks in Advance. Regards, Sunitha

Hi I'm using the Splunk Add-On for Salesforce in Splunk Cloud and checking for any errors raised by the add-on by using this query index=_internal sourcetype=sfdc:object:log "stanza_name=xxx" And for every index run, this error is generated about the cce_plugin_sfdc. Anyone having similar issues? file=plugin.py, func_name=import_plugin_file, code_line_no=63 | [stanza_name=xxx] Module cce_plugin_sfdc aleady exists and it won't be reload, please rename your plugin module if it is required.  

Hi! We´re looking into deploying Splunk in Azure, and I wonder if anyone has good suggestions to do long term (3 years) cold bucket storage in Azure. We dont need frozen storage. We want to use Premium SSD for hot/warm, but managed disks for cold storage becomes really expensive. Can we use for instance Azure File storage, Blob storage or Data Lake for this purpose? SmartStore in AWS or GCP is no option for us. Thanks!

I am trying to apply ML to predict the RAG status for payments based on volumes and processing time using historical data (90 days ). Which approach will be better to implement volume based thresholds and processing time to predict if my current in progress volumes is fine or needs to be alerted

Hey team,   we have integrated Splunk in our app, and we are using it for the last few days. And we wanted to know that does Splunk use GetMetricsData API from AWS CloudWatch service? Since we integrated Splunk we are getting high cost in Cloudwatch, and we wanted to know the reason for it. Please let us know if Splunk is using such service for it. Thanks

Hi I have 4 huge log file that ingest into the Splunk File1 File2 File3 File4   Now i want to know when i search specific string that only exist in the file1, what will be happen? What happens in the search process, for example if i exclude file2,3,4, does it effect in my search performance? Or Splunk automatically ignore them because they have not contain that string.   Any idea?   Thanks

Team, I'm newbie in writing Splunk queries. Could you please provide me guidance how to design a SPL for below use case. Here are sample logs: AIRFLOW_CTX_DAG_OWNER=Prathibha AIRFLOW_CTX_DAG_ID=M_OPI_NPPV_NPPES AIRFLOW_CTX_TASK_ID=NPPES_INSERT AIRFLOW_CTX_EXECUTION_DATE=2021-12-08T18:57:24.419709+00:00 AIRFLOW_CTX_DAG_RUN_ID=manual__2021-12-08T18:57:24.419709+00:00 [2021-12-08 19:12:59,923] {{cursor.py:696}} INFO - query: [INSERT OVERWRITE INTO IDRC_OPI_DEV.CMS_BDM_OPI_NPPES_DEV.OH_IN_PRVDR_NPPES SELEC...] [2021-12-08 19:13:13,514] {{cursor.py:720}} INFO - query execution done [2021-12-08 19:13:13,570] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,570] {{snowflake.py:277}} INFO - Rows affected: 1 [2021-12-08 19:13:13,592] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,592] {{snowflake.py:278}} INFO - Snowflake query id: 01a0d120-0000-12da-0000-0024028474a6 [2021-12-08 19:13:13,612] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,612] {{snowflake.py:277}} INFO - Rows affected: 7019070 [2021-12-08 19:13:13,632] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,632] {{snowflake.py:278}} INFO - Snowflake query id: 01a0d120-0000-12ce-0000-002402848486 [2021-12-08 19:13:13,811] {{taskinstance.py:1192}} INFO - Marking task as SUCCESS. dag_id=M_OPI_NPPV_NPPES, task_id=NPPES_INSERT, execution_date=20211208T185724, start_date=20211208T191256, end_date=20211208T191313 [2021-12-08 19:13:13,868] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,867] {{local_task_job.py:146}} INFO - Task exited with return code Expected output in tabular form: DAG_ID                                      TASK_ID                       STATUS                      ROWS_EFFECTED M_OPI_NPPV_NPPES         NPPES_INSERT         SUCCESS                  1,7019070 Thanks, Sumit

ERROR OBSERVED TASK [splunk_universal_forwarder : Setup global HEC] *************************** task path: /opt/ansible/roles/splunk_common/tasks/set_as_hec_receiver.yml:4 fatal: [localhost]: FAILED! => { "cache_control": "private", "changed": false, "connection": "Close", "content_length": "130", "content_type": "text/xml; charset=UTF-8", "date": "Tue, 07 Dec 2021 09:34:20 GMT", "elapsed": 0, "redirected": false, "server": "Splunkd", "status": 401, "url": "https://127.0.0.1:8089/services/data/inputs/http/http", "vary": "Cookie, Authorization", "www_authenticate": "Basic realm=\"/splunk\"", "x_content_type_options": "nosniff", "x_frame_options": "SAMEORIGIN" } MSG: Status code was 401 and not [200]: HTTP Error 401: Unauthorized How I'm adding universal forwarder to my deployment in K8s - name: splunk-forwarder image: splunk/universalforwarder:8.2 env: - name: SPLUNK_START_ARGS value: "--accept-license" - name: ANSIBLE_EXTRA_FLAGS value: "-vv" - name: SPLUNK_CMD value: 'install app /tmp/splunk-creds/splunkclouduf.spl, add monitor /app/logs' - name: SPLUNK_PASSWORD valueFrom: secretKeyRef: name: mia-env-secret key: SPLUNK_UF_PASSWORD resources: {} volumeMounts: - name: splunk-uf-creds-spl mountPath: tmp/splunk-creds - name: logs mountPath: /app/logs There aren't many examples of how to use docker universalforwarder out there, any help or reference to how to containerized version of UF is appreciated.

Hi I'm using this add-on on SplunkCloud to index custom Salesforce objects and using the LastModifiedDate as the query criteria. When I look at the Salesforce queries in  the _internal logs, I see Splunk is periodically skipping over some rows For instance, Splunk will send this query to get the next batch of records to index SELECT .. WHERE LastModifiedDate > 2021-11-25T10:10:51.000+0000 ORDER BY LastModifiedDate ASC LIMIT 1000   The FIRST ROW in the result has the LastModifiedDate of 2021-11-26T0910:04.000Z - which I would expect Splunk to use in it's next indexing round. However,  the next entry in the _internal logs sends a different dateTime effectively missing data logged between 9:10:04 and 09:15:33 SELECT ... WHERE LastModifiedDate=2021-11-26T09:15:33.000+0000   I'm making an assumption this is how the Add-On works as I can't find any documentation that explains it. Has anyone had this issue and more importantly, found a fix? I query the _internal logs using this search index=_internal sourcetype=sfdc:object:log "stanza_name=<my stanza>"   Thanks!  

Hi all, I'm new to the back-end configuration of Splunk and I've recently taken over a Splunk instance and I've been tasked with tidying it up a bit. The first thing I noticed is that there is a lot of noise coming in from event ID 5156. So I would like to blacklist this particular ID from coming in. As my knowledge is somewhat limited to this, the environment has one Heavy Forwarder, and 3 indexers clustered together. When I try to read the configuration of the Universal Forwarder on the Domain Controller there is no outputs.conf in the C:\Program Files\SplunkUniversalForwarder\etc\system\local directory, so I don't know with assurance where the events are being sent. We have the Splunk Add-on for Microsoft Windows enabled on the HF, indexers and search head. However, I have only made changes to the inputs.conf located in /opt/splunk/etc/apps/splunk_ta_win/local on the HF. I've added the following line: blacklist3 = EventCode="5156" Message="Object Type:(?!\s*groupPolicyContainer)" as blacklist1 and blacklist2 were already present and I couldn't return a search for these events (Meaning they're being filtered), I also restarted the Splunk service. I've just run a search for the past few hours and I'm still seeing 5156 come through. Am I doing anything wrong, or do I need to perhaps make the config changes on the Indexers as well? Currently the config for security index looks like this: [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist3 = EventCode="5156" Message="Object Type:(?!\s*groupPolicyContainer)" renderXml=true The other thing that has me confused, is the 5156 events being returned are coming from "XmlWinEventLog:Security" and not "WinEventLog:Security", does Splunk automatically add Xml to the front of the index name is renderXml=true, or was that configured prior? I can't see any Xml event stanzas in this file. If anyone can direct me on what i'm doing wrong, that would be great. All the Splunk instances I'm referring to are on CentOS, and they're all running 7.3.0. Upgrading to 8 is in the pipeline. Am I looking in the completely wrong area? IE Outside of the app name? At this point intime I still cannot determine the configuration on the Universal Forwarders and we're there being sent as the outputs.conf doesn't exist.

How does someone get approval from Splunk to reproduce Splunk intellectual property in training content. The use case is -- create a demonstration video that demonstrates integrating Splunk DB Connect with another software product. The video would display  the Splunk logo, trademarks, and its UI.