1. I have installed universal forwarder and have a Splunk cloud account. 2. On the laptop in universal forwarder, i downloaded the file and execute the command:  /opt/splunkforwarder/bin/splunk install app /tmp/splunkclouduf.spl. 3. I restart the splunk process.   No data went in, may I know why?   Note: I am trying to forward the Windows event log which is the same host where i installed the Splunk universal forwarder

After creating a dashboard having 6 panels, all the jobs are getting queued. Also the search lag health status is yellow.  Search Lag Root Cause(s): The percentage of non high priority searches lagged (50%) over the last 24 hours is very high and exceeded the yellow thresholds (40%) on this Splunk instance. Total Searches that were part of this percentage=2. Total lagged Searches=1 Please help me to resolve these issues.

I have event data from the search result in format as shown in the image, now I want to extract the following fields with their corresponding values excluding the remaining fields or data from the event data/string: id = b0ad6627-a6e1-4f5e-92f4-9c2deaa1ff2a_1cd4b06f83caac09 start_date_time = 1638433382 (value always required) end_date_time = null or 1638433491  (if value not present) current = <value> (only if the field exist) (6 in the example) total = <value> (6 in the example) status_type = COMPLETED bot_uri = repository:///Automation%20Anywhere/Bots/Test%20A2019/AALogTestBot I tried using <search query> | rex field=_raw "(?msi)(?<ev_field>\{.+\}$)" | spath input=ev_field  to extract all the fields in the Event data, but did not change the search results. Any suggestion or help highly appreciated I am newbie to Splunk... TIA   12/2/21 7:24:52.106 PM   2021-Dec-02 Thu 19:24:52.106 INFO [pool-12-thread-1] - com.automationanywhere.nodemanager.service.impl.NodeMessagingServiceImpl - {} - writeSuccess(NodeMessagingServiceImpl.java:395) - Message eventData { id: "b0ad6627-a6e1-4f5e-92f4-9c2deaa1ff2a_1cd4b06f83caac09" bot_execution { start_date_time { seconds: 1638433382 nanos: 210329300 } end_date_time { seconds: 1638433491 nanos: 993822800 } progress { current: 6 total: 6 percentage: 100 } status_type: COMPLETED bot_uri: "repository:///Automation%20Anywhere/Bots/Test%20A2019/AALogTestBot?fileId=1098948&workspace=PRIVATE" }} sent to CR successfully.  

Hello all,   I am trying to extract a field from the below event and the extraction is missing the last part of the field. Please help in getting this extracted. Event: 117691777,00004105,00000000,5064,"20211202100006","20211202100006",4,-1,-1,"SYSTEM","","IPSC002",94882466,"MS932","Server-I ジョブ(Server:/IZ_SSYS_DB/DAILY/MP7/MP_D41/物流ルートテーブルデータ送信:@20H7984)を開始します(host: Host, JOBID: 229589)","Information","tdi01","/HITACHI/JP1/AJS2","JOB","AJSROOT1:/IZ_SSYS_DB/DAILY/MP7/MP_D41/物流ルートテーブルデータ送信","JOBNET","Server:/IZ_SSYS_DB/DAILY/MP7","Server:/IZ_SSYS_DB/DAILY/MP7/MP_D41/物流ルートテーブルデータ送信","START","20211202100006","","",16,"A0","Server:/IZ_SSYS_DB/DAILY","A1","MP7","A2","MP_D41/物流ルートテーブルデータ送信","A3","@20H7984","ACTION_VERSION","0600","B0","n","B1","2","B2","tdi01","B3","IPSC002","C0","IPSC202","C1","","C6","r","H2","188677","H3","pj","H4","q","PLATFORM","NT",   Extraction used: (?:[^,]+,){14}(?<alert_description>[^,]+),   However the same extraction is working on the below event as expected. 117727680,00004103,00000000,5064,"20211202172828","20211202172828",4,-1,-1,"SYSTEM","","IPSC002",94918000,"MS932","Server-I ジョブネット(Server:/HTHACHU/IJH03/IJH03:@20I8438)が正常終了しました","Information","tdi01","/HITACHI/JP1/AJS2","JOBNET","AJSROOT1:/HTHACHU/IJH03/IJH03","JOBNET","AJSROOT1:/HTHACHU/IJH03/IJH03","AJSROOT1:/HTHACHU/IJH03/IJH03","END","20211202172827","20211202172828","",10,"A0","AJSROOT1:/HTHACHU/IJH03","A1","IJH03","A3","@20I8438","ACTION_VERSION","0600","B0","n","B1","0","B3","IPSC002","H2","853876","H3","n","PLATFORM","NT", Please help extract the highlighted field.

Hello Everyone, This is a general question that I haven't found an answer to yet. I am aware of how a license violation is carried out.(https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Aboutlicenseviolations#:~:text=What%20is%20a%20license%20warning,clock%20on%20the%20license%20master.) In a training course it was mentioned that license warnings are reported to Splunk, is that correct? What I would like to know is the following: Does Splunk receives anything? Does Splunk receives messages at license warnings or violations? Does Splunk receives messages, when a license pool goes in warning or violation? What does Splunk receives? Data Volume? License ID Thank you all for you help.

Hi I retrieve the fields of a dropdown list from an CSV file It works but the probleme I have is that randomnly I have the message "filling on going" which last and as a consequence I am unable to update the dashboards panels because each panels are referenced to this dropdown list there is 1300 lines in my csv file What is the problem please? <input type="dropdown" token="site" searchWhenChanged="true"> <label>Site</label> <fieldForLabel>site</fieldForLabel> <fieldForValue>site</fieldForValue> <search> <query>| inputlookup site.csv</query> </search> <choice value="*">*</choice> <default>*</default> <initialValue>*</initialValue> </input>   

Hello, I have some issues extracting fields from the following raw event. I should be getting following fileds from this event. Any help will be highly appreciated. Thank you! Field Names: TIMESTAMP, USERTYPE, USERID, SYSTEM, EVENTTYPE, EVENTID, SRCADDR, SESSIONID, TAXPERIOD, RETURNCODE, TAXFILERTIN, VARDATA Sample Event: {"log":"\u001b[0m\u001b[0m05:14:09,516 INFO  [stdout] (default task-4193) 2021-12-02 05:14:09,516 INFO  [tltest.logging.TltestEventWriter] \u003cMODTRANSAUDTRL\u003e\u003cEVENTID\u003e1210VIEW\u003c/EVENTID\u003e\u003cEVENTTYPE\u003eDATA_INTERACTION\u003c/EVENTTYPE\u003e\u003cSRCADDR\u003e192.131.8.1\u003c/SRCADDR\u003e\u003cRETURNCODE\u003e00\u003c/RETURNCODE\u003e\u003cSESSIONID\u003etfYU4-AEPnEzZg\u003c/SESSIONID\u003e\u003cSYSTEM\u003eTLCATS\u003c/SYSTEM\u003e\u003cTIMESTAMP\u003e20211202051409\u003c/TIMESTAMP\u003e\u003cUSERID\u003eAX3BLNB\u003c/USERID\u003e\u003cUSERTYPE\u003eAdmin\u003c/USERTYPE\u003e\u003cVARDATA\u003eCASE NUMBER, CASE NAME;052014011348000,BANTAM LLC\u003c/VARDATA\u003e\u003c/MODTRANSAUDTRL\u003e\n","stream":"stdout","time":"2021-12-02T05:14:09.517228451Z"}