Splunk installation does not work on one server and below are logs, could you pls point to right direction, where to look at and why this is failing. We have already tried clean boot/Install, Removed AV and any third party security softwares to see that helps or not but it does not. Reboot system multiple times but no luck, Removed Encryption no luck, we are running out of ideas, if you could help, that would be great!     MSI (s) (4C:E4) [09:35:45:084]: Executing op: FileCopy(SourceName=ssmotatu.con|web.conf,SourceCabKey=filFFD0A48B92D564AD2586EEDC3AF570B4,DestName=web.conf,Attributes=512,FileSize=83,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=493118281,HashPart2=-1532812437,HashPart3=-875473769,HashPart4=68786463,,) MSI (s) (4C:E4) [09:35:45:085]: File: C:\Program Files\BMW_SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\web.conf; To be installed; Won't patch; No existing file MSI (s) (4C:E4) [09:35:45:085]: Source for file 'filFFD0A48B92D564AD2586EEDC3AF570B4' is compressed MSI (s) (4C:E4) [09:35:45:086]: Executing op: CacheSizeFlush(,) MSI (s) (4C:E4) [09:35:45:086]: Executing op: ActionStart(Name=RollbackRegmonDrv,,) MSI (s) (4C:E4) [09:35:45:092]: Executing op: CustomActionSchedule(Action=RollbackRegmonDrv,ActionType=3329,Source=BinaryData,Target=UninstallRegmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;FailCA=) MSI (s) (4C:E4) [09:35:45:097]: Executing op: ActionStart(Name=InstallRegmonDrv,,) MSI (s) (4C:E4) [09:35:45:098]: Executing op: CustomActionSchedule(Action=InstallRegmonDrv,ActionType=3073,Source=BinaryData,Target=InstallRegmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;LEGACYDRV=1;FailCA=) MSI (s) (4C:F4) [09:35:45:103]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIAC28.tmp, Entrypoint: InstallRegmonDrvCA MSI (s) (4C:58) [09:35:45:104]: Generating random cookie. MSI (s) (4C:58) [09:35:45:107]: Created Custom Action Server with PID 11196 (0x2BBC). MSI (s) (4C:08) [09:35:45:127]: Running as a service. MSI (s) (4C:08) [09:35:45:130]: Hello, I'm your 64bit Elevated Non-remapped custom action server. InstallRegmonDrv: Warning: Invalid property ignored: FailCA=. MSI (s) (4C:E4) [09:35:45:234]: Executing op: ActionStart(Name=RollbackNetmonDrv,,) InstallRegmonDrv: Info: Driver inf file: C:\Program Files\BMW_SplunkUniversalForwarder\bin\splunkdrv.inf. MSI (s) (4C:E4) [09:35:45:235]: Executing op: CustomActionSchedule(Action=RollbackNetmonDrv,ActionType=3329,Source=BinaryData,Target=UninstallNetmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;FailCA=) MSI (s) (4C:E4) [09:35:45:241]: Executing op: ActionStart(Name=InstallNetmonDrv,,) MSI (s) (4C:E4) [09:35:45:242]: Executing op: CustomActionSchedule(Action=InstallNetmonDrv,ActionType=3073,Source=BinaryData,Target=InstallNetmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;LEGACYDRV=1;FailCA=) MSI (s) (4C:30) [09:35:45:248]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIACB6.tmp, Entrypoint: InstallNetmonDrvCA InstallNetmonDrv: Warning: Invalid property ignored: FailCA=. MSI (s) (4C:E4) [09:35:45:346]: Executing op: ActionStart(Name=RollbackNohandleDrv,,) InstallNetmonDrv: Info: Driver inf file: C:\Program Files\BMW_SplunkUniversalForwarder\bin\splknetdrv.inf. MSI (s) (4C:E4) [09:35:45:347]: Executing op: CustomActionSchedule(Action=RollbackNohandleDrv,ActionType=3329,Source=BinaryData,Target=UninstallNohandleDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;FailCA=) MSI (s) (4C:E4) [09:35:45:352]: Executing op: ActionStart(Name=InstallNohandleDrv,,) MSI (s) (4C:E4) [09:35:45:353]: Executing op: CustomActionSchedule(Action=InstallNohandleDrv,ActionType=3073,Source=BinaryData,Target=InstallNohandleDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;LEGACYDRV=1;FailCA=) MSI (s) (4C:D8) [09:35:45:359]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIAD24.tmp, Entrypoint: InstallNohandleDrvCA InstallNohandleDrv: Warning: Invalid property ignored: FailCA=. MSI (s) (4C:E4) [09:35:45:456]: Executing op: ActionStart(Name=SavePasswordRules,,) InstallNohandleDrv: Info: Driver inf file: C:\Program Files\BMW_SplunkUniversalForwarder\bin\SplunkMonitorNoHandleDrv.inf. MSI (s) (4C:E4) [09:35:45:458]: Executing op: CustomActionSchedule(Action=SavePasswordRules,ActionType=3073,Source=BinaryData,Target=SavePasswordRulesCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;MinPasswordLowercaseLen=0;MinPasswordUppercaseLen=0;MinPasswordDigitLen=0;MinPasswordSpecialCharLen=0;MinPasswordLen=8;FailCA=) MSI (s) (4C:2C) [09:35:45:463]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIAD93.tmp, Entrypoint: SavePasswordRulesCA MSI (s) (4C:E4) [09:35:45:485]: Executing op: ActionStart(Name=CreateFtr,,) SavePasswordRules: Warning: Invalid property ignored: FailCA=. MSI (s) (4C:E4) [09:35:45:486]: Executing op: CustomActionSchedule(Action=CreateFtr,ActionType=3073,Source=BinaryData,Target=CreateFtrCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;FailCA=) MSI (s) (4C:9C) [09:35:45:492]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIADB3.tmp, Entrypoint: CreateFtrCA MSI (s) (4C:E4) [09:35:45:514]: Executing op: ActionStart(Name=FirstTimeRun,,) CreateFtr: Warning: Invalid property ignored: FailCA=. MSI (s) (4C:E4) [09:35:45:515]: Executing op: CustomActionSchedule(Action=FirstTimeRun,ActionType=3073,Source=BinaryData,Target=FirstTimeRunCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;FailCA=) MSI (s) (4C:08) [09:35:45:521]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIADD3.tmp, Entrypoint: FirstTimeRunCA FirstTimeRun: Warning: Invalid property ignored: FailCA=. FirstTimeRun: Info: Properties: splunkHome: C:\Program Files\BMW_SplunkUniversalForwarder. FirstTimeRun: Info: Execute first time run. FirstTimeRun: Info: Enter. Args: "C:\Program Files\BMW_SplunkUniversalForwarder\bin\splunk.exe", _internal first-time-run --answer-yes --no-prompt FirstTimeRun: Info: Execute string: cmd.exe /c ""C:\Program Files\BMW_SplunkUniversalForwarder\bin\splunk.exe" _internal first-time-run --answer-yes --no-prompt >> "C:\Users\axy4933\AppData\Local\Temp\splunk.log" 2>&1" FirstTimeRun: Info: WaitForSingleObject returned : 0x0 FirstTimeRun: Info: Exit code for process : 0xc0000409 FirstTimeRun: Info: Leave. FirstTimeRun: Error: ExecCmd failed: 0xc0000409. FirstTimeRun: Error 0x80004005: Cannot execute first time run. CustomAction FirstTimeRun returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox) MSI (s) (4C:E4) [09:35:45:886]: Note: 1: 2265 2: 3: -2147287035 MSI (s) (4C:E4) [09:35:45:886]: User policy value 'DisableRollback' is 0 MSI (s) (4C:E4) [09:35:45:886]: Machine policy value 'DisableRollback' is 0 Action ended 09:35:45: InstallFinalize. Return value 3.

Hi All,   In Splunk is it possible to join two joint queries.   I have queries like  1) index=_inter sourcetype=project  | dedup project  server |  eval Pro=project | eval source1 ="Y"  | table source1 Pro | join Pro type=outer | [search sourcetype =SA  pronames=* |  dedup  pronames | eval Pro=pronames  ]  | table Pro  which will generate output pro pro1 pro2 pro3 @and I have one query similar one, but changing sourcetype in join. ,index=_inter sourcetype=project  | dedup project  server |  eval Pro=project | eval source1 ="Y"  | table source1 Pro | join Pro type=outer | [search sourcetype =SC  pronames=* |  dedup  pronames | eval Pro=pronames  ]  | table Pro pro pro1 pro2 pro3 Both I'm using for generating alerts, two alerts. now I want to send only one alert by merging both queries,  is it possible. so i can send alerts in a single mail. like below   pro       pros pro1   pro1 pro2   pro2 pro3   pro3              

Hi , One of our user is getting following error message "Waiting for queued job to start", I increased the the disk space quota but still user is getting same error message. Please help me on this. Regards, Rahul Gupta

Hello, I've below configuration for one index. maxTotalDataSizeMB = 333400 maxDataSize = auto_high_volume homePath = volume:hotwarm_cold/authentication/db coldPath = volume:hotwarm_cold/authentication/colddb thawedPath = /splunk/data2/authentication/thaweddb coldToFrozenDir = /splunk/data2/authentication/frozendb tstatsHomePath = volume:hotwarm_cold/authentication/datamodel_summary homePath.maxDataSizeMB = 116700 coldPath.maxDataSizeMB = 216700 maxWarmDBCount = 4294967295 frozenTimePeriodInSecs = 2592000 repFactor = auto   Current log volume for this index is 3GB/day. Due to change in requirements, the log volume will increase to ~15GB/day and log retention period will change to 60 days. Could you tell how maxTotalDataSizeMB, homePath.maxDataSizeMB, coldPath.maxDataSizeMB and maxWarmDBCount will be calculated and how the calculation changes with data volume and retention period?

I have the following event from GCP pubsub: {     attributes: {    }    data: {       insertId: dbp95qcbup      logName: organizations/xxxxxxx/logs/cloudaudit.googleapis.com%2Fdata_access      protoPayload: { [+]      }      receiveTimestamp: 2021-08-02T05:52:58.861079027Z      resource: { [+]      }      severity: NOTICE      timestamp: 2021-08-02T04:01:48.076823Z    }    publish_time: 1627883579.307 }   Is there any way to use a forwarder to only send the contents of data{} to Splunk? I essentially want to strip off the outer parts of the JSON attributes{}, publishtime and have the event sent as the contents of the data{} field:" { "insertId": "dbp95qcbup", "logName": "organizations/xxxxxxx/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": {}, "receiveTimestamp": "2021-08-02T05:52:58.861079027Z", "resource": {}, "severity": "NOTICE", "timestamp": "2021-08-02T04:01:48.076823Z" }

Hello, So i am trying to create an alert based on logs from 2 different indexes. Basically what im trying to alert on is if a zip file/zip files from 1 index makes it to a 2nd different index, if it does not, i want it to alert. I have the following splunk query that combines both indexes but it's not completely accurate because when i run the indexes separately, im getting the zip files in question to appear in both indexes when in reality, i was expecting the zip files to appear in index 1 and not in index 2. Splunk query combining both indexes     index=index_1 OR index=index_2 sourcetype="index_1_logs" OR sourcetype="index_2_logs" "ftp.com" OR "External command has been executed" "*.zip" | eval results = if(match(index_1_zipfile_field,index_2_zipfile_field), "file made it through", "file did not make it through") | table results index_1_zipfile_field index_2_zipfile_field | search index_1_zipfile_field=* | dedup index_1_zipfile_field     Results show as shown below showing no results under index_2_zipfile_field giving the illusion that the zip files never made it through to index 2: results index_1_zipfile_field index_2_zipfile_field file did not make it through fgfbf-fgfgfg-wewsd-dfsf.zip   file did not make it through ghghh-rtrtr-trtrt-weqe.zip     ...but when i check index 2 and look up the results from the table above, i see the zip file made it through so i am unsure what im doing wrong here     index=index_2 sourcetype=index_2_logs "ftp.com" "*fgfbf-fgfgfg-wewsd-dfsf.zip*" | table index_2_zipfield_field | dedup index_2_zipfield_field     results: index_2_zipfield_field fgfbf-fgfgfg-wewsd-dfsf.zip ghghh-rtrtr-trtrt-weqe.zip   Hopefully i made sense. 

I would like to display a table and have the ability to give the data a category via an input field. So each row would have its own input field for the user to enter a value into it. For example the data could be something like this where the category column is the input field. I want to put the brand of the car in the category field and save it to a lookup table.  |Car|Category| |Prius | Toyota| |Mustang | Ford |

I could've sworn a month ago, these two worked fine together: https://splunkbase.splunk.com/app/3757/ https://splunkbase.splunk.com/app/4882/ For instance, the App's AAD User's section doesn't load. It's because fields like user_id and department don't exist. Now I've checked and user_id doesn't exist: https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#properties It also seems it's using no parameters, so it will pull in the default implementation (that doesn't include the department field). input_module_MS_AAD_user.py, Line 37 needs to be modified to add the $select parameter. The AAD Users section is just one of many that seem empty/don't work.

Hi Splunkers,   I am having the below issue could you please help me to solve the issue. Here is my event 08-02-2021 20:46:39.852 +0000 WARN DateParserVerbose - Accepted time (Mon Aug 2 20:10:36 2021) is suspiciously far away from the previous event's time (Tue Aug 3 00:18:26 2021), but still accepted because it was extracted by the same pattern. TIME 8/2/21 10:35:55.489 AM EVENT 08-02-2021 10:35:55.489 -0400 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Mon Aug 2 10:35:53 2021). Here is my props.conf  [azure:prod] DATETIME_CONFIG = CURRENT TRUNCATE = 10000 MAX_TIMESTAMP_LOOKAHEAD = 128

Hi Splunkers. Could anyone give me some info on what kind of attacks I can work on based on Linux and Windows logs. I've already working on brute force attacks but my team wants me to work on other possible attacks as well. Please share some knowledge. TIA.

Whenever I try to open Splunk from a masked URL (a URL that points to a URL but shows the first URL in the browser search bar) it says "To protect your security, xxxxxxxxxxxx.com will not allow Firefox to display the page if another site has embedded it. To see this page, you need to open it in a new window." is there any way I can allow this to happen?