Hey all! I've inherited a Splunk instance that has been running for about 8 years now. There are instances of Splunk_TA_windows all over it - most are 4.8.3, but a couple are 8.0.0 and 8.1.2. (The overall Splunk instance is running at 7.2 currently). In the process of investigation, I have discovered that our Active Directory controllers had Universal Forwarders installed on them using the GUI installer. In the process, they were set to collect Windows event logs, but no other configuration was made. As a result, a ton of logging is flowing into our "main" index. In fact, the only thing in the "inputs.conf" file is the IP address of the host. Thanks to the help and pointers of many, I've determined that this is definitely "not good" and instead I should have some filters/blacklists in place. I've gotten the controllers in question hooked up to our deployment server, so I want to push some apps to them via that. My question is: Should I deploy the entire Splunk_TA_windows app to the domain controllers? Or should I just push custom apps that contain the filtering/settings I want, and leave Splunk_TA_windows to the Heavy Forwarders, Indexers, and Search Heads we plan on using? Or should I do both? I've consulted a few other resources, such as https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-a-best-practice-to-use-the-Splunk-Add-on-for-Microsoft/td-p/427679 (Best practice to use Splunk_TA_windows) https://docs.splunk.com/Documentation/WindowsAddOn/8.1.2/User/AbouttheSplunkAdd-onforWindows (Deploy and use documentation) https://www.splunk.com/en_us/blog/tips-and-tricks/working-with-active-directory-on-splunk-universal-forwarders.html (working with AD on Splunk Universal Forwarders) Digging around, I'm seeing that some Windows logging is being put into the "ActiveDirectory" sourcetype already, but not from any configuration I can find applying to the system, so I assume it is just recognizing them as AD events. My biggest concern is that I want to build a "baseline" that is easy to maintain going forward. I know from my Data Admin training that deployed add-ons are evaluated in reverse-lexicographical  order (IE "Splunk_TA_Windows" has lower priority than "institution_windows_core"), so I should be able to stack things... but again, I just want to make sure I'm following what people recommend. ( May also be using this forum as a "Rubber ducky" situation. )

Hello All, I have created couple of correlation searches , ensured to select "Notable" under the Adaptive Responsive section  of these searches so that they create a notable but yet these are not visible in the Drop Down list of  Incident Review dashboard.   When i run the searches manually they haven't yet produced any events or results because a matching event hasn't yet occured but shouldn't their names be at least be visible in Incident Review if they are enabled?  Do i need to wait for the searches to produce an event and only then will they populate in IR ?      I have made sure to check the lookup file which these searches are using, is set to Global permissions.    

https://docs.splunk.com/Documentation/DashApp/0.9.0/DashApp/chartsImage When you upload an image, it is stored in the KV store. Because of this, only Enterprise admins, Cloud sc_admins, and power users can upload or delete images. If you don't have the correct role assigned to upload images, you can ask someone with the correct role to add it for you Is there some permission I can assign to users to allow them to upload images without asking an admin/power user?

After upgrading to 8.2 it seems that there are over 600 tasks to fix up in the Cluster Master. We have a Cluster Master and four indexers. Two sites with two indexers per. The Cluster master was placed into maintenance mode during the upgrade and we upgraded one site at a time while pointing the forwarders to the indexers that were not getting upgraded, and then swapped it for the upgrades.   There are 633 fixup tasks and have been there for about a day now. Manually selecting roll bucket and trying to roll the bucket by the splunk _internal call command on the indexers to roll did nothing either. What can I do to resolve this?

Hi All,   I have an application running on localhost. Its basically an API. So when I trigger a request using postman, the application connects to azure and downloads a file. Can this process be monitored by Splunk such that I can see the requests and response as logs in Splunk enterprise. Basically, I need the logs of the request and response of the application running on my localhost. Which of Splunk features supports this kind of functionality?

Hello Everyone! I am currently trying to create a dashboard to show the overall availability of a synthetic test for the current month and compare it to the previous months. I have looked in both Dash studio to do a time comparison but ran into limitations in calculating availability due to the lack of metric expressions. In a standard dashboard, we are finding no way to set widget specific time ranges for previous months. Any info/ ideas would be greatly appreciated,  

Hello everyone, I was just curious if there are any sure fire best practices for health rules pertaining to business transactions? Since I have started using AppD, I am used to using 2 standard deviations as a warning and 3 standard deviations as a critical. Of course every App is different and there are nuances.  I was just wondering if anyone had a good rule of thumb they like to use, or if current best practices are documented anywhere? Thanks

I am looking for App that can be helpful to create a full pic of the organization  (domains such as network/endpoint/email/fw ) we are collecting the data from different sources (syslog , Arcsight,apps )

I upgraded from 7.2 to 8.0 and then 8.0 to 8.2 After the upgrade to our distributed deployment, I am getting bombarded with email Health Alerts. "sum_top3_cpu_percs__max_last_3m"  is red due to the following: "Sum of 3 highest per-cpu iowaits reached red threshold of 15" "avg_cpu__max_perc_last_3m" is red due to the following: "System iowait reached red threshold of 3" "single_cpu__max_perc_last_3m" is red due to the following: "Maximum per-cpu iowait reached red threshold of 10"   I was getting them on my Indexers yesterday but this morning it seems to be our Enterprise Security SH, our Deployment Server,  and our regular Search Head.   I am unable to disable these alerts due to our Company's policy.    What can I do to either a.) resolve this cpu/iowait issue or b.) change the alert settings? I don't notice a difference in performance. I'm just curious as to what's causing this CPU usage spike? Because it seems to me - as in the example of avg cpu max percent if the CPU usage is above 3%, it is going to alert me?

Hello All, We have data coming in as part of HEC ingestion in Splunk. And I would need help to extract fields either be it search time or index time. we need line breaking and field extractions Below is the sample : INFO 2021-10-27 07:31:00,004 [[MuleRuntime].io.4090: [bcom_membermasterbatch1].schedulerjobstatusFlow.BLOCKING @7a0bb47e] d4fff913-36f7-11ec-ba0c-11010ad55507org.mule.extension.jsonlogger.JsonLogger: { "correlationId" : "e4ggf523-27h7-11ec-ba0c-33333ad55333", "message" : "no key retrived", "tracePoint" : "START", "priority" : "INFO", "elapsed" : 0, "locationInfo" : { "lineInFile" : "222", "component" : "json-logger:logger", "fileName" : "schedulerjobstatus.xml", "rootContainer" : "schedulerjobstatusFlow"

  eval _raw = msg | rex "InputAmountToCredit\"\:\"(?<PayloadAmount>[^\"]+)" | rex "Request\#\:\s*(?<ID1>\d+) with (?<Status>\w+.\w+)" | rex "CRERequestId\"\:\"(?<ID2>[^\"]+)" | eval ID=coalesce(ID1,ID2) | stats latest(Status) as Status values(PayloadAmount) as Amount by ID| stats count(list()) by Status| eval _time=relative_time(now(),"-1d@d")|  

Hi Friends, I have integrated ServiceNow to Splunk through Splunk add-On for ServiceNow, I want to input "Cases" but it is not listed in the Input tab. I can see the incident input but I don't need that. I want to input the Cases/tickets created by customers. Please help at the earliest. Thank you. @splunk  

My lookUp is a KV Store lookup.  It has three column  'is_active' , 'user', 'robot'. I have a SPL query that gives me more information about the user. And I want to enrich the lookup with additional coulmns from that SPL output. The SPL is , index=population sourcetype=bsassioan | table age, gender, email, user_name. user_name in the same field as 'user' from the lookup. I want to update my Kvstore lookup such as it should contain columns such as is_active, user, robot, age, gender, email  by matching the user_name with user field.   If the match is not found , let the field be empty and I don't want to override anything in the lookup, just addition of new columns and null/empty fileds (no overwrite) if user_name / user match is not found.

Hi All,   I am getting the below error in our SHC. Unable to initialize modular input "checkpoint_opseclea" defined in the app "Splunk_TA_checkpoint-opseclea": Introspecting scheme=checkpoint_opseclea: script running failed (exited with code 1).. Also, unable to load the Inputs and Configuration page of the app.   Splunk_TA_checkpoint-opseclea version is 4.3.1 Splunk enterprise version is 8.1.2 In the below link, splunk enterprise version 8.1.2 is not listed in the compatible version list of the app Splunk_TA_checkpoint-opseclea. https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Releasehistory This issue is not there in the knownissue. Some of the HFs also have 4.3.1 version of the app, but, there the input and configuration pages are loading. Is it because of the version compatibility or any other reason is there

Hello everyone, I have tried looking a lot for the right solution for this but I am not able to understand it right. I am very new to splunk and I am looking at trying to edit the font size and color for my initial label(at the very top) of my dashboard. I was able to change the font size and color for the individual panels I built, however I have had no luck with the editing the label. I have pasted the code below to give a better understand of what I am working with.   <form theme="dark"> <label>Trial Dashboard</label>     --->(i am trying to format the font size and color here) <description>Select the time limit</description> <fieldset submitButton="false" autoRun="true"> <input type="time" token="time_tok" searchWhenChanged="true"> <label>Time</label> <default> <earliest>-30d@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel id="trial1"> <title>Sample Pannel</title> <single> <search> <query>sample_query_in_here</query> <earliest>$time_tok.earliest$</earliest> <latest>$time_tok.latest$</latest> <sampleRatio>1</sampleRatio> <refresh>300s</refresh> <refreshType>delay</refreshType> </search> <option name="drilldown">none</option> <option name="height">249</option> <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option> <option name="refresh.display">progressbar</option> <option name="useColors">1</option> </single> <html> <style> #trial1 .dashboard-panel h2 { font-size: 28px !important; color:#9000ff !important; font-weight: bold !important; } </style> </html> </panel> </row> </form>   2nd line from top "Trial Dashboard" is the label that I am trying to change. I hope to find a solution similar to the way I added the formats to the panels as it was easy to have it all under the same xml source code. Thank you in advance, Rookie99