Hi There,  I am probably making this more confusing for myself than it needs to be, but its a simple concept.  Here is the scenario. If an invite is emailed and no confirmation is received within 1 day from email being sent then it is "In Progress" otherwise its a failure.  Please help formulate, basically if no confirmation is received within 1 day its in progress. I would like to keep my times all in epoch. Thank You in advance  | makeresults | eval email_sent=1637978619.056000 | eval time_passed_no_confirmation=86400 | eval confirmation_remains_null="null"

  I have 2 independent queries run on 2 different index that give me a list of requestIds. I want to filter/not include the requestIds of the second query in my search. I am trying to use the following query to do so but its not filtering the results from second query. What am i doing wrong here    index="index1" <query1> | rename requestId AS Result | table Result | search NOT [search index="index2" <query2>| rename RequestId AS Result| table Result]

We have an application, that sends all its log-messages to Splunk (so far so good), and an alert configured to fire, whenever a message with severity above INFO-level is logged. This works Ok most of the time, except when the application restarts there are multiple such warnings and errors logged by some of its threads. We don't care for these, because the main thread has already announced, that it is shutting down. How can I phrase the search underlying our alert to exclude any log-entries made after the "I am shutting down" and before the "I started up" ones? To clarify: we want Splunk to receive all the log-entries, we just don't want the alert to be triggered by those, that are emitted during the program restart...

I believe there is a latent bug in the aws_config_cli.py script for the AWS Add-on. The function list is from the latest version (5.2.0)     def list(self): names = None if self.params.names: names = self.params.names.split(',') results = self.config_mgr.list( self.endpoint, self.params.hostname, names) items = [] for result in results: item = copy.deepcopy(result['content']) item['name'] = result['name'] items.append(item) print json.dumps(items, indent=2)     Notice the print command.  In Python 3, print is a function and thus requires braces.  For Python3, I believe the code should actually be print (json.dumps(items, indent=2)) Additionally,in compose_cli_args for resource, desc in resources.iteritems(): should be for resource, desc in resources.items():    

Hi, I am trying to filter the events using LOGIN keyword and drop remaining events. I am trying with the below configuration and it is not working. Any suggestions please? props.conf [test_sourcetype] TRANSFORMS-sample = test_authlog,setnull_test   transforms.conf [test_authlog] REGEX = (LOGIN) DEST_KEY = queue FORMAT = indexQueue   [setnull_test] REGEX = (?!LOGIN) DEST_KEY = queue FORMAT = nullQueue

Hi SMEs,   I am trying to write regex to parse/map CEF format fields as below. so that all corresponding fieldname can capture values, i am not able to capture values having spaces in between. Seeking suggestion. Attached snap shot for ref. regex101 c[n|s]\dlabel\=(\w+).*?c[n|s]\d\=([\.a-zA-Z0-9_-]+)   CEF:0|vendor|product|1.1|1234|PolicyAssetUpdated|1|cn1label=EventUserId cn1=-3 cs1label=EventUserDisplayName cs1=Automated System cs2label=EventUserDomainName cs2= cn2label=AssetId cn2=20888 cs3label=AssetName cs3=ABCDPQRS.domain.com cn3label=DirectoryId cn3=856 cs4label=DirectoryName cs4=Active Directory cs5label=DomainName cs5=domain.com

Hello,  I am creating a query for my proxy data. The idea is to show all categories that I want in multiple single value charts. And for any categories that return 0, they will still be represented by a 0. my current query is  index="siem-cyber-proxy" action=blocked category=gambling OR category=malware  | eval isEvent=if(searchmatch("category"),1,0) | stats count as myCount sum(isEvent) AS isEvent | eval result=if(isEvent>0, isEvent, myCount) | table result   This current query adds results from both categories together rather than split into individual charts. I need to find out how to split the results so it creates multiple charts. Or do i need to run the query for each individual category? Hopefully this makes sense. Thank you

Have upgraded a few 100 FWs (UF & HF) to Splunk 8.2.3. Looking for a bench marking checks to make sure they are fully functional. We have a large clustered (Indexers / SHs), with ES. Any SPLs for bench marking instances upgraded, on ES & FWs are appreciated. Thank u & stay safe. 

Hi I am getting  KV Store process terminated abnormally (exit code 14, status exited with code 14). See mongod.log and splunkd.log for details.   I have stopped splunk and moved mongod folder and started it again  I am getting now  2021-12-01T13:55:55.528Z W CONTROL [main] net.ssl.sslCipherConfig is deprecated. It will be removed in a future release. 2021-12-01T13:55:55.545Z F NETWORK [main] The provided SSL certificate is expired or not yet valid. 2021-12-01T13:55:55.545Z F - [main] Fatal Assertion 28652 at src/mongo/util/net/ssl_manager.cpp 1120 2021-12-01T13:55:55.545Z F - [main] ***aborting after fassert() failure and I want to regenerate server.pem   just to confirm this is the right command  $SPLUNK_HOME/bin/splunk createssl what are the risks   ?  

I'm new to this! Our custom app stopped working on Splunk Cloud and was told by support to change an xml file below from app.html to search.html because of a Cloud change. However, when I go to reupload the same app, I get the error that app validation failed: App does not support search head cluster environments. It passes all the vetting just gives that error at the end. What could it possibly be looking for? Again, new to this so can't find the answer in google..   <?xml version="1.0"?> <view template="pages/search.html" type="html" isDashboard="False"> <label>Search</label> </view>  

The certificate configuration tutorials have unfortunately left me with some lingering questions.  Premise: They have taught me that in order to set up a 3rd-party-signed certificate for a Splunk Enterprise server, I must: 1.create privatekey 2.create CSR, using the aforementioned private key 3.sent CSR to the CA authority of the current company 4.receive a multitude of certificates: a server cert, a CA root cert, and perhaps CA intermediate certs. 5.I can choose to combine the CAroot and CAintermediate certs to create a CAbundle.pem which i can reference to in any CAcert fields. (example: sslRootCaPath field in server.conf ) 6. I need to combine the server cert, private key, and CAbundle to create a complete Splunk Enterprise signed certificate. (to be used by fields like for example inputs.conf:serverCert, or outputs.conf:sslCertPath ) So far so good. This procedure allows me to set up SSL connections between Splunk Enterprise instances. I have two scenarios where this setup probably do not work, and I would like to know how I cán make them work:  1) I want to deploy 100 forwarders remotely and set them so that they send their data to an indexer or heavy forwarder through SSL. Problem: The process of getting a 3rd party signed certificate for each and every forwarder is arduous and I don't believe it can be done remotely effectively.  My thoughts: Can I use (part of) the certification of the data receiver (IDX/HF)  as a public key which I can then send to all forwarders? Clearly I can not use the concatenated certificate described in premise_step6, because it contains a private key.  Could I maybe use the signed servercert part that I received from the 3rd party, pre-concatenation ?  A splunk data receiver does not necessarily have to validate the certification of a date sender, so I don't see why each universal forwarder should be equiped with its own certificate. There has to be a way to have only them check whether the indexer has valid certification somehow. 2) Say I want to connect another application (like the Infoblox Splunk Connector) to a Splunk data receiver while using SSL. My thoughts: I expect that sending the CAbundle (premise_step5) should be enough, so that the application side can create its own certificate and perhaps combine it with the CAroot somehow.. but I guess my question is the same as before; I cannot send the concatenated .pem from premise_step6. What is the best way to set up an SSL connection to another application?  Thanks in advance.

I have 3 servers (2 of them have 4x600GB hdd and one has 6x600GBHDD and 2x800GB SSD). I want to build small splunk architecture 10GB/day with : - 3 Indexers in cluster - 1 deployment, licensing , master cluster indexer - 1 searchead What is my best option to build this architecture? I was thinking to make server cluster using Proxmox and then deploy each of those machines in virtual environment, but I do not have NAS as different device, and to get best availability from server clustering I need to make those VMs as light as possible.