I am trying to extract the name of log output but struggling with how to. I have this query <query>index=dap ("user login Time") </query> That I have a log that outputs log: [2m2021-11-19-t18:27:42.996z [22m [34m auth [39m [32minfo user login time, Justin [ ... stream: stdout time:  2021-11-19-t18:2742.99648142z   I want to output only the time and username: Time:                                         user: 2021-11-19-t18:27:42.     Time, Justin

I have a Splunk deployment which is monitoring a fair number of network devices. One in particular is having an issue the past few weeks wherein Splunk will show well over a thousand events with the same _time down to the millisecond, and then the host will have no events show in Splunk until we reset the service. Some sample data following the query to gather it below. I have redacted device info from _raw beyond the device's event_id and device_time host=*redacted* | eval indextime = strftime(_indextime, "%Y-%m=%d %H:%M:%S:%N") | eval latency = _indextime - _time | sort device_time | table _time, indextime, latency, _raw ID _time indextime latency _raw 1 2021-11-18 17:02:03.000 2021-11-18 17:02:03.000 0 235463: 236034: Nov 18 2021 17:01:42.197: <other data> 2 2021-11-18 17:01:57.236 2021-11-18 17:04:07.000 129.764 235465: 236036: Nov 18 2021 17:02:14.200: <other data> ...         147 2021-11-18 17:01:57.236 2021-11-18 17:22:40.000 1242.764 235607: 236178: Nov 18 2021 17:22:39.196: <other data> 148 2021-11-18 17:22:39.199 2021-11-18 17:24:51.000 131.801 235609: 236180: Nov 18 2021 Nov 18 2021 17:22:40.008: <other data> 149 2021-11-18 17:22:39.199 2021-11-18 17:24:51.000 131.801 235610: 236181: Nov 18 2021 Nov 18 2021 17:22:40.226: <other data> 150  2021-11-18 17:22:39.199 2021-11-18 17:24:51.000 131.801 235611: 236182: Nov 18 2021 Nov 18 2021 17:22:41.099: <other data> 151  2021-11-18 17:22:39.199 2021-11-18 17:24:51.000 131.801 235612: 236183: Nov 18 2021 Nov 18 2021 17:22:54.084: <other data> 152  2021-11-18 17:22:39.199 2021-11-18 17:24:53.000 133.801 235613: 236184: Nov 18 2021 Nov 18 2021 17:23:15.428: <other data> ...         160  2021-11-18 17:22:39.199 2021-11-18 17:24:53.000 133.801 235621: 236192: Nov 18 2021 Nov 18 2021 17:23:26.087: <other data> 161  2021-11-18 17:22:39.199 2021-11-18 17:24:56.000 136.801 235622: 236193: Nov 18 2021 Nov 18 2021 17:23:26.087: <other data> ...         1329 2021-11-18 17:22:39.199 2021-11-18 21:29:24.000 14804.801 236781: 237364: Nov 18 2021 21:29:23.516: <other data>   Everything is working prior to ID 1, and after 1329 we have no data for about an hour or so until we reset Splunk. From ID 2 through ID 147, you can see the _time value is exactly the same, while the indextime continues to increment more or less appropriately with the device_time given in _raw IDs 148-152 show events with the same _time and _indextime values despite properly incrementing device_time from _raw IDs 152-160 show the same Then through to the end of the sample data, there are 1,173   events that get _time = 2021-11-18 17:22:39.199 with an average time between _indextime and device_time of 16.115s   From what I can see, it looks like the host is sending perfectly fine data to Splunk which is correctly indexing the events (_indextime) while assigning an incorrect event time (_time). Looking around here and trying to figure out what might be going wrong, I thought there might be an issue with some time settings somewhere. We have Splunk and the host in question set to the same timezone, and the host uses NTP to maintain a synchronized clock. Checking NTP, we haven't seen any issues surrounding these events.   We are quite open to any ideas here.

_time: 2021-11-19T11:34:02.000+0000 date_hour: 11 date_mday: 19 date_wday: friday   date_year: 2021 date_zone: -300 raw log snippet [19/Nov/2021:11:34:02 -0500] 2021-11-19T11:34:02.000+0000 indicates UTC. Does this indicate timezone? 

Our networking team is looking to determine Log Rates for different systems reporting in Splunk. How can we determine how often a log is created for an individual system and determine the average size of these logs? Thank you!  

Hi - I can not down down load app from Splunk base from server.  Could you please let me know how to down load app on to my laptop from Splunk base . One I down load I want to move it to search head server(not accessible from outside) and install on it   Thank you

Hi Splunkers,   My team is tackling an ingestion issue where we are seeing an overworked HF and I wanted to get the community's best practice on this type of problem.   My team is bringing in Crowdstrike FDR logs via Crowdstrike add-on (Python Script API query) on our heavy forwarder. If we were to not filter, it would bring in 20+TB a day of logs, so we filter pretty heavily. Currently, our approach is to send everything to nullQueue and then pick events via Regex and send them to the indexQueue. We are seeing typingQueue blocks on this heavy forwarder which makes me think the approach may not be the best route. I think that the regex being performed in the pipeline may be overworking the HF. Any advice would be great! Our props for the sourcetype:   [CrowdStrike:Replicator:Data:JSON] INDEXED_EXTRACTIONS = JSON MAX_TIMESTAMP_LOOKAHEAD = 1024 TIME_FORMAT = %s%3N TZ=UTC TIME_PREFIX=\"timestamp\":\" LINE_BREAKER = ([\r\n]+) SHOULD_LINEMERGE = false BREAK_ONLY_BEFORE_DATE = false TRUNCATE = 150000 TRANSFORMS-setcsfdr= csfdr_log_setnull,csfdr_log_setparsing,csfdr_log_setfilter,csfdr_log_setfilter2   TRANSFORMS:   [csfdr_log_setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [csfdr_log_setparsing] REGEX = (?:"event_simpleName":".*Written"|"event_simpleName":"DnsRequest"|"event_simpleName":"NetworkConnectIP4"|"event_simpleName":"OciContainerInfo"|"event_simpleName":"ProcessRollup2"|"event_simpleName":"UserLogon.*"|"event_simpleName":"RemovableMediaVolumeMounted"|"event_simpleName":"FsVolumeUnmounted"|"event_simpleName":"FsVolumeMounted"|"event_simpleName":"SyntheticProcessRollup2"|"event_simpleName":"DmpFileWritten"|"event_simpleName":"OsVersionInfo") DEST_KEY = queue FORMAT = indexQueue [csfdr_log_setfilter] REGEX = (?:("ParentBaseFileName":("TPython\.exe"|"TANIUMCLIENT\.EXE"|"[Tt]anium[Cc]lient\.exe"|"[Tt]anium[Ee]xec[Ww]rapper\.exe"|"[Tt]anium[Cc]lient"|"[Ss]plunkd\.exe"))|("CommandLine":"\/bin(\/bash|\/sh)\s\/opt\/[Tt]anium\/[Tt]anium[Cc]lient)|("CommandLine":".*[Tt][Pp]ython\.exe\\")|("CommandLine":".*[Tt]anium.*")|("GrandParentBaseFileName":"[Tt]anium[Cc]lient\.exe")) DEST_KEY = queue FORMAT = nullQueue [csfdr_log_setfilter2] REGEX = (?:([Tt][Aa][Nn][Ii][Uu][Mm])) DEST_KEY = queue FORMAT = nullQueue ########NLSN

On Heavy Forwarder - deployed Rubrik Add-on as per the instruction provided in quick start guide. I am having an issue during the configuration >> Account tab, page does not load. I see a spinning wheel and message is "loading".  Also, "Add" button is missing.  Splunkd.log message :  ERROR AdminManagerExternal - unexpected error "<class 'splunkaucclib.rest_handler.error.RestError''>" from python handler" "Rest Error [500]: Internal Server Error -- Traceback (most recent call)

Hello, We have a chart in the dashboard, where the x-axis is the time. We defined a drilldown, where the $ts$ token should transmit the timestamp when the line chart is clicked. The point is, that we need the $ts$ to be the unix format of the local time for the user and what comes is always the UTC. How would I transform the $ts$ token to represent the local time of the user and be in the unix timestamp form? Kind Regards, Kamil

Hello. I need help solving this. I have the UF installed on RHEL Server 7.9. Underneath that server is a RHEL 7.9 machine. This machine does not have the UF installed, is not connected to the domain. Is only connected to the Server through the NIC. All of the machines logs are forwarded to the Server through rsyslog. Then the Server with the UF installed, forwards both machines logs to the Splunk server. Everything works great. Both of these machines have ClamAV installed. I need to be able to see the machines clamav defs in the Splunk dashboard. How can I do that?

Hello @alacercogitatus  Google Workspace for Splunk addon throws an error Installed Add ons "Google Workspace for Splunk" configured google workspace account, able to see the users list in splunk, "Admin SDK Reports Ingest" configuration throws below error for service "login" and "user_account" error_message="invalid literal for int() with base 10: '1636719173.276311'" error_type="&lt;class 'ValueError'&gt;" error_arguments="invalid literal for int() with base 10: '1636719173.276311'" error_filename="google_client.py" error_line_number="863" input_guid="840262-6716-ff73-e5c-c0816800774" input_name="Account"

I am getting success percentage from the query as 97.00% and my requirement is to add an alert when success percentage is below 95.00% i am getting success % from below query please suggest the query to add an alert when successrate is 95.00% in one hour span

Hello community, My client has experienced a severe issue on a Search Head Cluster on past days due to the scheduler behavior. We had a scheduled search to long to run between to schedules that was having concurrent jobs running (although its concurrency_limit =1). After a while, the scheduler started a burst of deferred (up ot 26k defer by minute for ~600 unitary savedsearches). The particulary strange behavior reside for me in the concurrency_limit set on deferred schedules during the burst: 408 instead of usual 1. (408 corresponds to the maximum search concurrency of the SHC (4 SH x102)) The burst terminated by itself after a while. We experienced several other burst in lower proportion, the big episodes have disapeared after the correction of the scheduled search previously mentionned. Do you guys have any idea about the reason of the concurrency _limit change on the fly ? (no change performed by human) The graph of deferred events by concurrency _limit - concurrency _limit=408 is on an overlay to see the global behavior with other values. index="_internal" AND sourcetype=scheduler AND host=<MySHMaster> status="continued" earliest=-72h | timechart span=1min count by concurrency_limit Regards,