Hi, I have configured Splunk heavy forwarder in 2 machines. I want to send logs from one machine to another and expect the receiver to store all the received logs in an index called "receivedlogs".   This is the video I followed to configure Splunk: https://www.youtube.com/watch?v=S4ekkH5mv3E&t=454s&ab_channel=Splunk%26MachineLearning Thank you.

Good day Team, I have a application which contains 5 servers. Each server is having different path. But the end is to read error.log and wrapper.log /log/apple/production/A1/error.log /log/ball/production/A2/error.log .. Here I can use regex like this in monitor stanza -- /log/*/prodcution/*/error.log But the problem is each server is having many folders for that *. I dont want all folders. Need only few.  Say the first star. I want only apple or ball or cat. If it is any other name in any server I can ignore Similarly take the second star. I want only A1 or A2  or A3. I can ignore B1 or C1 or so.    So is it possible to write like that using any regex either in inputs itself or using props?

Hi , does anyone have any experience with Parsing Version 6 schema of Umbrella logs the release notes from the addon https://splunkbase.splunk.com/app/3926/ talks only of version5 1.0.5: Adds support for logging format version 5 + Firewall Logs   the change in Umbrella seems for my environment to be only from Version4 -> version6 and "Schema upgrades are one way; you will not be able to revert this upgrade." Its scary you cant revert   Anyone moved to version6 and did they make changes in the local/{props,transforms} ?  

| datamodel "Change_Analysis" "Account_Management" search | where 'All_Changes.tag'="delete" AND 'All_Changes.user'!="*$*" | stats values(All_Changes.result) as "signature",values(All_Changes.src) as "src",values(All_Changes.dest) as "dest", values(All_Changes.user) as "users", DC(All_Changes.user) as user_count by "All_Changes.Account_Management.src_user" | rename "All_Changes.Account_Management.src_user" as "src_user","All_Changes.user" as "user"   I am using this query to monitor  for Account Deleted-  But all the time I am getting this alert triggered for the computer account ending with $ symbol  Ex:  XYZLAPTOP$ , ABCLAPTOP$  etc I have added the search  where 'All_Changes.tag'="delete" AND 'All_Changes.user'!="*$*"" How can I exclude this $ symbol account from the report? Can any one please help      

Hi, We are using Splunk cloud 8.2 and mainly utilizing for Splunk SIEM solution.  Currently we have many scheduled alerts, searches and reports. In the recent days we could see 21% of the searches were skipped and job execution time also increased.  From yesterday, we are unable to see output results for any of the jobs, but we are getting the search result when we execute adhoc search. We are also able to see below Errors and warnings in our console. The percentage of non high priority searches skipped (74%) over the last 24 hours is very high and exceeded the red thresholds (20%) on this Splunk instance. Total Searches that were part of this percentage=7056. Total skipped Searches=5271 The instance is approaching the maximum number of historical searches that can be run concurrently. The number of extremely lagged searches (1) over the last hour exceeded the red threshold (1) on this Splunk instance Could you please share some solution to implement in this case.     

I have multiple concurrent saved searches(around 6). All searches have outputlookup command which is writing to separate kvstore. Searches are taking too much time to execute the outputlookup command. It is working fine if outputlookup is removed. Any suggestion on this? I know there is limit on number of rows to written for the outputlookup command. But, as all searches are within that limit wondering if there is limit on number of concurrent outputlookup command. Is there any such thing? Is it like one search outputlookup will wait for other output lookup to complete? If so, any solution for that?

I need to auto-refresh my dashboard every 30secounds. I am trying to set up a refresh for a form that was created. the below is it correct?   This hasn't been working for me. Am I missing something or is this not the correct placement for this? If it matters, I am using Splunk cloud 8.2 <form version="1.1" theme="dark" refresh="30"> <label>Health Dashboard - 24 Hours</label> <fieldset submitButton="false" autoRun="true"> <input type="time" token="timetoken" searchWhenChanged="true"> <label>Select Time Range</label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Servers_Memory_Usage</title> <chart> <search>

Hello champions, I run the below 1,2,3 queries on the given datasets to find out which users ran the enable command on which host at what time: 1. index= networking user* enable* host* Oct 15 08:17:45 brg-c-1.com.au 8279: Oct 15 2021 08:17:44.820 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:John logged command:!exec: enable Oct 15 08:17:35 brg-c-1.com.au 8278: Oct 15 2021 08:17:34.082 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:lili logged command:!exec: enable failed Sep 15 23:29:55 gsw-r-4.com.au 466: Sep 15 23:29:54.009: %PARSER-5-CFGLOG_LOGGEDCMD: User:Khan logged command:!exec: enable Aug 12 15:18:37 edc-r-4.com.au 02: Aug 12 15:18:36.472: %PARSER-5-CFGLOG_LOGGEDCMD: User:Khan logged command:!exec: enable Aug 11 03:31:05 ctc-s.com.au 134: Aug 10 17:31:04.859: %PARSER-5-CFGLOG_LOGGEDCMD: User:cijs logged command:!exec: enable Jan 29 11:30:58 brg-c-1.com.au 2082: Jan 29 2021 11:30:57.141 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:chick logged command:!exec: enable failed 2. index=linux_logs host=edc-03-tacacs enable* Oct 26 12:56:13 egc-03-ts tc_plus[149]: enable query for 'kim' tty86 from 202.168.5.22 accepted Oct 26 11:33:44 egc-03-ts tc_plus[259]: enable query for 'kim' tty86 from 202.168.5.22 accepted Oct 21 11:35:59 egc-03-ts tc_plus[285]: enable query for 'John' tty86 from 202.168.5.23 accepted Oct 21 11:35:53 egc-03-ts tc_plus[282]: enable query for 'Han' tty86 from 202.168.5.23 rejected 3. index=linux_logs host=gsw-03-tacacs enable* Sep 30 13:35:53 gdw-02-ts tc_plus[143]: 192.168.2.21 James tty1 192.168.6.56 stop task_id=55161 timezone=AEST service=shell start_time=1632972953 priv-lvl=0 cmd=enable Sep 29 12:38:17 gdw-02-ts tc_plus[319]: 192.168.2.24 linda tty1 192.168.5.3 stop task_id=15729 timezone=AEST service=shell start_time=1632883097 priv-lvl=0 cmd=enable Sep 15 22:23:23 gdw-02-ts tc_plus[1649]: 192.168.4.2 Brown tty322 192.168.46.1 stop task_id=2574 timezone=AEST service=shell start_time=1631708603 priv-lvl=0 cmd=enable Sep 9 14:58:32 gdw-02-ts tc_plus[2030]: 192.168.2.29 Gordan tty1 192.168.26.3 stop task_id=14329 timezone=AEST service=shell start_time=1631163512 priv-lvl=0 cmd=enable I tried hard but could not find a query to merge all these data (indexes and hosts) to find out who ran enable command successfully at what time on which host. And get those results to a table look like |table date host user command(enable) status(success) Could anyone please help me ? Thank you in advance.

Hello, So this is my first time trying to consolidate logs and use the data extraction and I am a little lost. I have the following payload below and I would like to extract the following fields from the "line" field in the json payload. An example payload would be   {"line":"2021/10/25 18:49:52.982|DEBUG|GoogleHomeController|Recieved a request for broadcast: {\"Message\":\"Ring Ring Ring Niko and Xander, someone is at your front door and rung the doorbell!\",\"ExecuteTime\":\"0001-01-01T00:00:00\"}","source":"stdout","tag":"b5fcd8b8b5a4"}   Time - "2021/10/25 18:49:52.982" Level - "DEBUG" Controller - "GoogleHomeController" Message - "Recieved a request for broadcast..." It all follows the format "{TIME}|{LEVEL}|{CONTROLLER}|{MESSAGE}" basically the fields seperated by pipe characters. I have all the information there formatted using NLog in my code, but how do I extract the fields that are within a field out that way I can search based on the Time (from the log msg), Log Level, Controller, and Message? How would I go about pulling this information out? I tried going through the field extraction, but it only seems to let me do it at the highlest level, IE the line, source, and tag fields, not the fields within.  

I have a JSON-based log file for which every line is a valid JSON document. When searching it like this: source="/path/to/json/logfile" message.path="/ws/ws_metrics/page_hidden/" | table message.params.page_hide_metrics I get entries with the JSON I expect, like this:  {"connections":[{"connection_num":1,"initialized":"2021-10-25T20:46:45.318Z","ready_state":1,"connected_duration_seconds":32.296,"ready_state_times":[null,0.512,null,null]}],"tab_session_id":"604931x|concept|1635194804","first_connection_index":0,"percent_uptime":0.9843940502316508,"duration_seconds":32.296,"page_duration_seconds":32.808}   However, when I try to use an example like example #1 given for json_extract in the splunk docs,  source="/path/to/json/logfile" message.path="/ws/ws_metrics/page_hidden/" | eval ph_metrics = json_extract(message.params.page_hide_metrics) | table ph_metrics I don't get any results. Why?

I recently created a Splunk trial to test the Splunk + Okta integration. I have installed the Okta Identity Cloud Add-on for Splunk app but I'm unable to configure it. When I select the Configuration tab within the app, the Okta Accounts tab gets stuck on "loading". Below are the steps I have taken thus far. Did I miss something?  + Find More Apps Searched for Okta Located Okta Identity Cloud Add-on for Splunk Clicked Install Provided Splunk Credentials, Checked the "I have read..." and Selected Login and Install Clicked Open the App Select the Configuration Tab Stuck on "Loading" These steps were attempted in Chrome and Safari browsers. Reference Documentation: chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/viewer.html?pdfurl=https%3A%2F%2Fraw.githubusercontent.com%2Fmbegan%2FOkta-Identity-Cloud-for-Splunk%2Fmaster%2FREADME%2FOkta%2520Identity%2520Cloud%2520Add-on%2520for%2520Splunk.pdf&clen=1363755&chunk=true