Hi, I want to copy some logs in one index to another index with the same host information. I use collect command to do this process. But when i copy, i see that all host information is the same and write search head ip address. So I cant search by looking host information. How can I do it? Can you help me?  Thanks. Best Regards

  We have a powershell script which collects all the data/information from all Domain controllers, the data/information is mainly about services (start/stop). The script executes every 2 hours and csv file is mailed to one group. We want to integrate that powershell script in splunk to create a dashboard so the monitoring team can monitor. All our DC's have splunk installed So lookin for some documentation or link which can be helpful to start the dashboard or any different way to integrate into splunk

We have configured zScaler logs to send logs to a syslog server, where rsyslog intercepts the feed and writes it to a file. HF is deployed to forward logs from file to Indexers. The setup works fine. However, rsyslog upon receiving the logs does some funny things such as    2021-09-1704:12:27 reason=Allowed event_id=7008750744672403548 pr 2021-09-17T14:12:52.976915+10:00 10.24.12.5 otocol=HTTP_PROXY action=Allowed transactionsize=130 responsesize=65 requestsize=65 urlcategory=Corporate Marketing serverip=52.13.15.12 clienttranstime=0 requestmethod=CONNECTrefererURL="None" useragent=Unknown product=NSS location= As you can see the feed is broken in to two lines (log length is not causing the break) Is there an rsyslog config I can use to remediate this issue The zScaler format we have used is below %d{yy}-%02d{mth}-%02d{dd}%02d{hh}:%02d{mm}:%02d{ss}\treason=%s{reason}\tevent_id=%d{recordid}\tprotocol=%s{proto}\taction=%s{action}\ttransactionsize=%d{totalsize}\tresponsesize=%d{respsize}\trequestsize=%d{reqsize}\turlcategory=%s{urlcat}\tserverip=%s{sip}\tclienttranstime=%d{ctime}\trequestmethod=%s{reqmethod}\trefererURL="%s{ereferer}"\tuseragent=%s{ua}\tproduct=NSS\tlocation=%s{location}\tClientIP=%s{cip}\tstatus=%s{respcode}\tuser=%s{login}\turl="%s{eurl}"\tvendor=Zscaler\thostname=%s{ehost}\tclientpublicIP=%s{cintip}\tthreatcategory=%s{malwarecat}\tthreatname=%s{threatname}\tfiletype=%s{filetype}\tappname=%s{appname}\tpagerisk=%d{riskscore}\tdepartment=%s{dept}\turlsupercategory=%s{urlsupercat}\tappclass=%s{appclass}\tdlpengine=%s{dlpeng}\turlclass=%s{urlclass}\tthreatclass=%s{malwareclass}\tdlpdictionaries=%s{dlpdict}\tfileclass=%s{fileclass}\tbwthrottle=%s{bwthrottle}\tservertranstime=%d{stime}\tmd5=%s{bamd5}\tcontenttype=%s{contenttype}\ttrafficredirectmethod=%s{trafficredirectmethod}\trulelabel=%s{rulelabel}\truletype=%s{ruletype}\tmobappname=%s{mobappname}\tmobappcat=%s{mobappcat}\tmobdevtype=%s{mobdevtype}\tbwclassname=%s{bwclassname}\tbwrulename=%s{bwrulename}\tthrottlereqsize=%d{throttlereqsize}\tthrottlerespsize=%d{throttlerespsize}\tdeviceappversion=%s{deviceappversion}\tdevicemodel=%s{devicemodel}\tdevicemodel=%s{devicemodel}\tdevicename=%s{devicename}\tdevicename=%s{devicename}\tdeviceostype=%s{deviceostype}\tdeviceostype=%s{deviceostype}\tdeviceosversion=%s{deviceosversion}\tdeviceplatform=%s{deviceplatform}\tclientsslcipher=%s{clientsslcipher}\tclientsslsessreuse=%s{clientsslsessreuse}\tclienttlsversion=%s{clienttlsversion}\tserversslsessreuse=%s{serversslsessreuse}\tservertranstime=%d{stime}\tsrvcertchainvalpass=%s{srvcertchainvalpass}\tsrvcertvalidationtype=%s{srvcertvalidationtype}\tsrvcertvalidityperiod=%s{srvcertvalidityperiod}\tsrvocspresult=%s{srvocspresult}\tsrvsslcipher=%s{srvsslcipher}\tsrvtlsversion=%s{srvtlsversion}\tsrvwildcardcert=%s{srvwildcardcert}\tserversslsessreuse="%s{serversslsessreuse}"\tdlpidentifier="%d{dlpidentifier}"\tdlpmd5="%s{dlpmd5}"\tepochtime="%d{epochtime}"\tfilename="%s{filename}"\tfilesubtype="%s{filesubtype}"\tmodule="%s{module}"\tproductversion="%s{productversion}"\treqdatasize="%d{reqdatasize}"\treqhdrsize="%d{reqhdrsize}"\trespdatasize="%d{respdatasize}"\tresphdrsize="%d{resphdrsize}"\trespsize="%d{respsize}"\trespversion="%s{respversion}"\ttz="%s{tz}"\n   Thanks

I am new to Splunk Cloud but familiar with Splunk Enterprise. Just created an app from scratch manually on Splunk Cloud but I couldn't find a way to add a custom logo to the app. On Splunk Enterprise, I'd do this by adding the logo of specific resolutions  into the static directory of the app [$SPLUNK_HOME/etc/apps/appname/static/] . How do I achieve the same on Splunk Cloud? I obviously won't have SSH access to do that on splunk cloud instance so looking for an option on the Splunk Cloud UI to add a custom logo for my app, if there is any.

I created an accelerated search that is set for 7 days retention, runs every 30 minutes and searches 30 minutes back when it runs. I set it up in my dashboard to be used as a base search like so:   <search id="reportBase" ref="Accelerated report base"> <earliest>$set_time.earliest$</earliest> <latest>$set_time.latest$</latest> </search>   I then attempt to use it and modify the results with tokens like so:   <search base="reportBase"> <query>| search type IN ($types$) AND account IN ($accounts$) | stats count by hostname | sort -count </query>   The new search modifications with tokens works. However, no matter what I do, the time picker does not work. I only ever get back the last 30 minutes of data. I thought the 7 day retention meant I could get back any amount of time up to 7 days back quickly, not just the last 30 minutes. I tried to work around this by running this but the same thing happens:   | loadjob savedsearch="MyUser:search:Accelerated report base"   Then, I tried to use it in normal search and the time picker there also does nothing. It still only shows the last 30 minutes of data.   Am I missing something or can I not use accelerated reporting with a time picker?

I want  to view splunk dashboard  and receive splunk alert  on mobile device. my splunk enterprise instance (version 8.2.4) address is `http://192.168.1.100:8000`. now, I hava download `splunk mobile` app installed my Andriod device. but it let me enter the address ending in 'splunkcloud.com',  it is only support splunk cloud ?  any one kwon how to login my splunk enterprise on splunk mobile? and is ther a  tutorial? thank you for anyone !    

Hi all, I'm changing a field name in my index, so I'm trying to set up a field alias so both the old field name and new field name can be used in queries. This is for backward compatibility reasons, since a lot of existing dashboards/reports (many I do not own) refer to this field. So I set up the field alias, and I find that the field alias works for a normal search (non-tstats), but does not work for tstats.  Does that mean field aliases do not work for tstats at all?

As the title suggests, I am looking for an efficient way to consolidate multiple standalone Search Heads into single Search Head. How can I ensure all the required search artifacts get appropriately merged into single search head ?

I'm a  newbie on splunk, trying the basic thing but didn't find any solution. Reaching out if I get the direction/solution. I have the search results with userid using the query. Lookup file(master_users) has all users with column name userid.  I want tonly those userids which are in lookup but not in my search result.  Tried multiple options but didn't find the right solution. 

I were able to send my application log to splunk via HTTP event using the splunk java logging library. But somehow the message doesn't look like what appears on my console. Did this happen because the console appender contains an encoder tag? If yes, is there a way for us to specify that inside of the splunk appender? I want splunk to display event exactly like what on my console.  I manually send an event to the index to create the view of what I want it to look like. This's the body content of my rest call to achieve the result in picture 1.  {"sourcetype": "httpevent", "index": "customeindex", "host": "optional-field", "event": "2021-09-15 17:07:58.483 [main] INFO  org.springframework.boot.autoconfigure.logging.ConditionEvaluationReportLoggingListener.logMessage - Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.\r\n"}   what i want it to look like But the below is what I got. All the information like logger, severity, threat and time are already included in the message so I don't want my app to send all that to splunk in the event.  the current data     <?xml version="1.0" encoding="UTF-8"?> <configuration> <include resource="org/springframework/boot/logging/logback/defaults.xml" /> <property name="defaultPattern" value="%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level %logger.%M - %msg%n"/> <property name="LogFilePath" value="${LogFilePath:-.}"/> <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender"> <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> <pattern>${defaultPattern}</pattern> </encoder> </appender> <Appender name="splunkAppender" class="com.splunk.logging.HttpEventCollectorLogbackAppender"> <url>https://random:8088</url> <token>132</token> <index>randomindex</index> <disableCertificateValidation>true</disableCertificateValidation> <host>${hostname}</host> <source>orchestrator</source> <sourcetype>json</sourcetype> <layout class="ch.qos.logback.classic.PatternLayout"> <pattern>${defaultPattern}</pattern> </layout> </Appender> <springProfile name="!local"> <root level="info"> <appender-ref ref="CONSOLE" /> <appender-ref ref="splunkAppender" /> </root> </springProfile> <springProfile name="local"> <root level="info"> <appender-ref ref="CONSOLE" /> <appender-ref ref="APPLICATION" /> </root> </springProfile> </configuration>      

I'm in the process of implementing Splunk ES.  We are using the Splunk_TA_windows and use the generate_windows_update_logs.ps1script to generated update log files.  However, that file looks useless in populating the Update data model used in ES.  Is there another script that will produce suitable output from Windows OS to populate the Update data model that can be used by ES?    

HI Splunkers, I am using Splunk tables inbuilt color coding to highlight a cell based on certain condition. The problem which I am facing is when the color coding condition meets, the total cell is highlighted (background of the cell). But i want to highlight only the value not the complete background of the cell.  I know we should be able to do it using JS, but is there any other easy way to achieve it? I want to get the output as represented in correctnumber column  not the number column. (I have used dev tools on the front end to change the background color for correctnumber column). Thanks in Advance.  

Hello, If a free profile is already set up and created with the software download option, can you switch it to cloud based? I'm running into downloading and uploading errors with the current profile and need to switch to cloud base.

Hi team,   I have one requirement to prepare a query to get a value from json and do chart count around it. For this I have added multiple chart count queries using appendcols, but it is very slow.  Also I need the timestamp.  log is like as below:  Success: 1 failed: 2 Total: 3 index=<<>> |search app="app1" |rex "Total: (?<TCount>[^\"]*)" |eval TCount=rtrim(TCount,"\\") |chart count(TCount) over TCount |appendcols [search |rex "Success: (?<S_Count>[^\"]*)"|eval S_Count=rtrim(S_Count,"\\") |chart count(S_Count) over S_Count] |appendcols [search |rex "failed: (?<FCount>[^\"]*)"|eval F_Count=rtrim(FCount,"\\") |chart count(FCount) over FCount] Can anyone help me on this to make it run faster.    Thanks in Advance.