Hi all, my data is as below:
11111_aaaa/ppppaaaa
1110_bb/kjm
I want to remove anything after /, like this:
11111_aaaa
1110_bb
Thanks.
Hi everyone, I'm a bit confused about the retention time of an index. I have created an index (via indexes.conf) with a 90-day retention time and a max volume of 50GB... so I always knew that the logs are going to be deleted if the index has reached the max volume or the time has reached 90 days... But in my case my index has reached 4.8 GB and the oldest event is from the 1st of May, which is more than 90 days ago... Do I understand this wrong?
Hi All, I'm trying to on-board logs which are related to litigation hold from our Exchange servers. So far we've added the add-on "TA-Exchange-Mailbox". Which other add-on should we configure? What monitor stanza should be enabled? Thanks in advance!
I need all the stats on the x-axis.
Hello, I have some issues creating a props.conf file for the following sample data events. It's a text file with a header in it. I created one, but it is not working. Thank you so much, any help will be highly appreciated.

Sample Events
UserId, UserType, System, EventType, EventId, STF, SessionId, SourceAddress, RCode, ErrorMsg, Timestamp, Dataload, Period, WFftCode, ReturnType, DataType
2021-08-19 08:05:52,763-CDT - SFTCE,IDCSEE,SATA,FA,FETCHFI,000000000,E3CE4819360E57124D220634E0D,sata,00,Successful,20210819130552,SCM3R8,,,1,0
2021-08-19 08:06:53,564-CDT - SFTCE,IDCSEE,SATA,FA,FETCHFI,000000000,E3CE4819360E57124D220634E0D,sata,00,Successful,20210819130653,SCM3R8,,,1,0

What I wrote in my props.conf file:
[ __auto__learned__ ]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
INDEXED_EXTRACTIONS=psv
TIME_FORMAT=%Y-%m-%d %H:%M:%S .%3N
TIMESTAMP_FIELDS=TIMESTAMP
From the logs, I need to get the count of events from the below msg field value which matches factType=COMMERCIAL and has filters. Secondly, extract the filter type used, like in the example below id, and extract the string sorts={"sortOrders":[{"key":"id","order":"DESC"}]}. Using the Splunk query with a basic wildcard does not work efficiently. Could you please assist?
cf_space_name=prod msg="*/facts?factType=COMMERCIAL&sourceSystem=ADMIN&sourceOwner=ABC&filters=*"
msg: abc.asia - [2021-08-23T00:27:08.152+0000] "GET /facts?factType=COMMERCIAL&sourceSystem=ADMIN&sourceOwner=ABC&filters=%257B%2522stringMatchFilters%2522:%255B%257B%2522key%2522:%2522BFEESCE((json_data-%253E%253E'isNotSearchable')::boolean,%2520false)%2522,%2522value%2522:%2522false%2522,%2522operator%2522:%2522EQ%2522%257D%255D,%2522multiStringMatchFilters%2522:%255B%257B%2522key%2522:%2522json_data-%253E%253E'id'%2522,%2522values%2522:%255B%25224970111%2522%255D%257D%255D,%2522containmentFilters%2522:%255B%255D,%2522nestedMultiStringMatchFilter%2522:%255B%255D,%2522nestedStringMatchFilters%2522:%255B%255D%257D&sorts=%257B%2522sortOrders%2522:%255B%257B%2522key%2522:%2522id%2522,%2522order%2522:%2522DESC%2522%257D%255D%257D&pagination=null
Thanks in advance.
I get error messages in ES saying that the API Key for the app called MITRE ATT&CK needs to be corrected. I really have tried but do not know where to find an API key for this app. Thank you in advance.
Hi, I need help searching a field value from the first search in another search with a different sourcetype and combining both searches' fields in one table. But the issue is that the field name is the same in both sourcetypes but the values are different.
Example:
Sourcetype 1 has field name "user" with value "ABCD"
Sourcetype 2 has field name "user" with value "xxx\\ABCD"
I tried the below query but am not getting the output:
sourcetype=sourcetype1 | eval User="*".User | table User | join User [search sourcetype=sourcetype2 | fields User HostName HostIP FileName Timestamp Message] | table User Email HostName HostIP FileName Message
Hello, I wanted to request help with how to configure SSL correctly between Universal Forwarder -> Indexer. I tried following this procedure: https://docs.splunk.com/Documentation/Splunk/8.2.1/Security/Howtoself-signcertificates
And I ended up with two public certificates:
myServerCertificate.pem
myServerPrivateKey.key
myCACertificate.pem
Afterwards I prepared the certificate in the following order: https://docs.splunk.com/Documentation/Splunk/8.2.1/Security/HowtoprepareyoursignedcertificatesforSplunk
cat myServerCertificate.pem myServerPrivateKey.key myCACertificate.pem > myNewServerCertificate.pem
This resulted in a signed server certificate with a chain of the authority. I am struggling with understanding what exactly goes where and, in case I understand it, how do I add one more cert to another server? My mind says the Indexer has to have the private key -> (not sure whether the authority's key, or the server key, or the chain). And what the forwarder needs to have is -> only the public key (not sure which).
Summary of what I have after running all the commands:
myCAPrivateKey.key
myCACertificate.csr
myCACertificate.pem
myServerPrivateKey.key
myServerCertificate.csr
myServerCertificate.pem
myNewServerCertificate.pem
Appreciate your help.
I logged in and switched to the free version. The search error I am receiving:
Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK.
Licensing shows: Free license group
Messages: Any idea how to clear or reset this to make it work?
Hi all, I am looking to check if there has been an event within the last 3 hrs for three different categories. If an event has been detected in the last 3 hours, I would like a status column that says "Registry In Sync", otherwise the status column should read "Out of Sync". Something like the following:
Type | _time | Status
A | 2021-08-10 09:27:07 | Out of Sync
B | 2021-08-23 01:24:56 | Registry is in Sync
C | 2021-08-19 23:25:28 | Out of Sync
The important thing is that it is categorised by the Type field. I appreciate any and all help!
Currently my Splunk Search is shown as below:
Serial | Description | DateTime | StartTime | EndTime
MY111 | Registration | 2021-05-01 00:30:00 | 2021-05-01 00:30:00 |
MY122 | Registration | 2021-05-02 09:00:00 | 2021-05-02 09:00:00 |
MY134 | Registration | 2021-05-02 09:30:00 | 2021-05-02 09:30:00 |
MY122 | Picking | 2021-05-02 10:00:00 | | 2021-05-02 10:00:00
MY134 | Picking | 2021-05-02 12:00:00 | | 2021-05-02 12:00
However, there are some Serials that have not reached EndTime yet (only the Registration description). How can I get the duration (in seconds) for those Serials that completed (have both the Registration and Picking description)?
Expected Outcome:
Serial | Description | DateTime | StartTime | EndTime | Duration
MY111 | Registration | 2021-05-01 00:30:00 | 2021-05-01 00:30:00 | |
MY122 | Registration | 2021-05-02 09:00:00 | 2021-05-02 09:00:00 | |
MY134 | Registration | 2021-05-02 09:30:00 | 2021-05-02 09:30:00 | |
MY122 | Picking | 2021-05-02 10:00:00 | | 2021-05-02 10:00:00 | 3600
MY134 | Picking | 2021-05-02 09:40:00 | | 2021-05-02 09:40:00 | 600
Tenable is missing dest values if there is no value available in the dnsName field.
Hi, the basic function to delete my account is missing, which ultimately leads me to abandoning my account.
Hello, I was using the Transform type Field Extraction, and I have an issue selecting my Delimiter and am facing some errors (not extracting fields as expected). Please see below the Raw Event and the parameters used for it. Thank you so much, your support is greatly appreciated.
Raw Event:
"time_stamp":"2021-08-21 19:14:32 EST","user_type":"TESTUSER","file_source_cd":"1","ip_addr":"103.91.224.65","session_id":"ABSkbE7IWb3ZU52VZk=","tsn":"490937st,"request_id":"3ee0a-0c1712196e7-317f2700-d751c8e","user_id":"EASA68A7-780DEA22","return_cd":"10","app_name":"ALAO","event_type":"TEST_AUTH","event_id":"VIEW_LIST_RESPONSE","vardata":"[]","uri":https://wap-prod- /api/web-apps /authorizations,"error_msg":""
Parameters used:
I am trying to add a dashboard to the action dropdown when you are in incident review under specific notables. How do I do this? I cannot seem to find ANY document on how to do it and would appreciate a link to it or an explanation of how...
Hello, I noticed that
... WHERE somefield = string1 OR string2
works the same way as
... WHERE somefield = string1 OR somefield=string2
Why is it so? How does OR work with strings?
Hi, I have this set up:
Splunk Enterprise with Stream enabled, set up on a VM
Splunk forwarder on my Windows machine, which works for now without SSL
I want to implement the ability to read HTTPS also. But I'm not sure what to do when reading https://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/EnableSSLforStreamForwarder
Has anyone here set up SSL on Stream on Windows machines (not servers), and how did you do it?
Dear All, I am new to Splunk. I want to extract data from one of the log files and would like to create a dashboard visualization. I've tried using the material and Splunk doesn't recognize the data. Your kickstart will give me a boost and confidence. I have copied the small part of the log from which I am trying to extract data. I would like to have a visualization of Type: LOC, Channel, offset level. I need all data of TXT.
Printed on Aug 18, 2021 5:37:46
035: Aug 17, 2021 6:45:33 TYPE: LOC [+46.2 degC] -0.3200 ddm [ 90 Hz pred] 90Hz: 35.15 %mod 150Hz: 3.15 %mod Channel: 110.50 MHz -4.84 KHz offset level: -61.0 dBm
030: Aug 17, 2021 6:44:48 TYPE: LOC [+46.2 degC] -0.2915 ddm [ 90 Hz pred] 90Hz: 33.82 %mod 150Hz: 4.67 %mod Channel: 110.50 MHz -4.83 KHz offset level: -56.2 dBm
022: Aug 17, 2021 6:42:52 TYPE: LOC [+46.2 degC] -0.3360 ddm [ 90 Hz pred] 90Hz: 36.02 %mod 150Hz: 2.42 %mod Channel: 110.50 MHz -4.83 KHz offset level: -68.2 dBm
When editing searches in ITSI, control-e expands macros and control-z undoes the last change.  I know this only by being told.  Where is documentation on these, and whatever other hotkeys are defined for this editor?