Hello, I'm trying to setup Splunk in a lab environment. I've got one windows client which I want to send logs over to my Splunk server via a UF. I am managing the endpoint's splunk config via a deployment server. This works fine, the client checks in, my apps get pushed to it, all fine. For windows logs, I'm using the Splunk TA for Windows (https://splunkbase.splunk.com/app/742/#/overview) with an inputs.conf as below   [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 renderXml=true evt_resolve_ad_obj = 1 index = windows [WinEventLog://System] disabled = 0 renderXml=true evt_resolve_ad_obj = 1 index = windows [WinEventLog://Application] disabled = 0 renderXml=true evt_resolve_ad_obj = 1 index = windows     The app gets deployed correctly and I see the above inputs.conf in the %SPLUNK_HOME%/apps/Splunk_TA_windows/local/inputs.conf. However, in Splunk, I don't seem to be getting all the logs. In fact, I'm only getting event id 6xxx logs and very few (43 events/15mins)   I can't figure out why all the logs aren't coming in but only a few irrelevant ones. Any help will be much appreciated. Thank you!

Hi, I get the exactly same count for avg and peak, any issue with my query?   index=a sourcetype=ab earliest=-30d latest=now | bucket _time span=1mon | stats count by _time | eval date_month=strftime(_time, "%b") | eval date_day=strftime(_time, "%a") | stats avg(count) as AverageCountPerDay max(count) AS Peak_Per_Month by date_month, date_day   date_month date_day AverageCountPerDay Peak_Per_Month Aug Sun 82037650 82037650 Jul Thu 4621995 4621995

Hey all, I am in the process of migrating from a Windows Heavy Forwarder to a Linux Heavy Forwarder for Splunk Cloud. Part of this exercise involves migrating the Splunk DB Connect App from the Windows HF Box to the new Red Hat 8.4 HF box. Quick Details: Splunk DBConnect 3.6.0 DBConnect App Host Red Hat Linux 8.4 ga OpenJDK(Coretto) 11.0.2 LTS MS SQL Server Windows Server 2016 Standard (1607) MS SQL 2014 (12.0.4522.0) Registry is modified to allow TLS 1.1 and 1.2 under Schannel (via IISCrypto Tool) Registry is also modified to allow strong SChannel .Net configuration. This was mentioned to be necessary for SQL Server 2019, but I figured it might apply to 2014 as well (https://learn.mediasite.com/course/enabling-tls-1-2/lessons/sql-server-configuration/) I basically duplicated the configuration from the original Windows Server that ran DBConnect App. I brought over the same connection information as well as the same identity information. I've validated that the identity information is correct. I am getting the following error:     Database connection server.domain.com is invalid. The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints".     This seems to imply that there is some sort of certificate negotiation error. I have browsed through the DBConnect documentation but nothing inside there seems to help. I noticed a few different keystores around the db connect app and I tried messing with a few of them, but without luck. Currently in the "keystore" folder, I have loaded a domain PKI cut/issued cert/key pair and the domain PKI CA chain. None of those seem to make any difference. My basic connection string looks like the following in the edit url box:     jdbc:sqlserver://server.domain.com:1433;databaseName=Splunk;selectMethod=cursor;encrypt=true     I've tried various differentiations of this as well like:     jdbc:sqlserver://server.domain.com:1433;databaseName=Splunk;selectMethod=cursor;encrypt=true;trustStore=/opt/splunk/etc/apps/splunk_app_db_connect/keystore/default.jks;trustStorePassword=password     I wasn't sure how to configure the JRE installation path and I also wasn't too positive on where it was located in the Red Hat 8.4 instance. I did some tracking and I think it's loaded here:     /usr/lib/jvm/java-11-openjdk-11.0.12.0.7-0.el8_4.x86_64/     I mainly did that because it appears like JAVA_HOME wasn't set in the OS. I could have set it but I figured it would take out any potentially issues if I just pointed it directly at the folder. I haven't had much luck. I loaded up wireshark and confirmed I could see the connection and I do see the inbound 1433 connection from the heavy forwarder. I do see the active connection being made, but because it's over 1433 Wireshark isn't showing any TLS negotiation. I am not sure if that's an issue or not. I am not sure where else to go from here. Does anyone have any thoughts?

hi  i  have obtained a table like this code                       status                             count 1                        27 aug 2021success                45 1                     27 aug  2021 failure                   0   i  want  a format  like  this   code   27  aug 2021 success         27 aug 2021 failure 1             45                                                  0

i have data something like this input:   firstname=value1,lastname=value2,email=value3,address=value4.. etc firstname=value11,lastname=value12,email=value13,address=value14.. etc firstname=value12,lastname=value13,email=value14,address=value15.. etc   output:   firstname lastname email address value1 value2, value3, value4 value11 value12, value13, value14 value12 value13, value14, value15   i want to extract this data into a table with keys as column headers. Please note these keys are dynamic and it can have any names. i tried      search | extract pairdelim="," kvdelim="="   but not sure how to put them into a table format. any inputs?

I have two logfiles, logfile1.log and logfile2.log. I have created their own field extractions for both of them. Here is an example line for both logs: logfile1.log: file1time, epoch, file1ID, name, flag, stat1, stat2, stat3 logfile2.log: lastruntime, file2ID, epoch What I need to do is compare logfiles each against the ID's, ensure that they're the same, and output the "name" field in the search that has logfile2.log as it's source. There's probably a very easy way to do this, but I can't think of it. Any help would be greatly appreciated. Thanks!