Hi all,   we have just installed Wazuh app on Splunk. We see booth wazuh and splunk active but the forwarder only sends datas when restarted and after few seconds stops to send them. Does anyone knows how to solve this issue? Ty in advance, J

We are planning upgrade our clustered deployment from 8.0.5 to 8.2.1 In case we plan to migrate the KVStore engine to WiredTiger, do we have to mandatorily go through the v8.1 step as mentioned in https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/MigrateKVstore ?  Per my understanding, the steps for this method stands like this Upgrade cluster from 8.0.5 to 8.1.5  Migrate the KV store after an upgrade to Splunk Enterprise 8.1 in a clustered deployment Upgrade cluster from 8.1.5 to 8.2.1 In case we decide not to use WiredTiger for now and complete the upgrade to 8.2.1, can we migrate the KV  Store to WiredTiger at a later point of time?  To elaborate, will the following work:  Upgrade cluster from 8.0.5 to 8.2.1  At a leter time, if WiredTiger is needed, migrate the KV Store as instructed in Migrate the KV store after an upgrade to Splunk Enterprise 8.1 in a clustered deployment We do not use KV Store at all now, apart from whatever internal functions that Splunk Enterprise uses it for (no ITSI or ES as well), but want to plan ahead in case we use it in the future.  Thanks in advance!

  Hello, My client requests to ingest G Suite logs, when searching I see several APPs which do not have Splunk support. Question 1: What should I understand when an APP does not have Splunk support? Question 2: What is the best way to ingest the GSuite logs?   https://splunkbase.splunk.com/app/3793/ or https://splunkbase.splunk.com/app/4560/ or https://splunkbase.splunk.com/apps/#/search/G%20Suite/  

I'm trying to count of the number of occurrences / frequency /variations of arguments appearing for a bat file. For example, GradeReport.bat has this template: GradeReport.bat "grade criteria" "start date" "end date" course# CSV_format Example: 1) GradeReport.bat "Best grade" "07/20/2021" "07/27/2021" 135629 CSV 2) GradeReport.bat "Average grade" "" "07/27/2021" "" CSV 3) GradeReport.bat "Best grade" "" "" 225386 CSV 4) GradeReport.bat "Student grade" "07/16/2021" "" "" CSV   The query would return: First argument count: 4 Second argument count: 2 Third argument count: 2 "Best grade" = 2 "Average grade" = 1 "Student grade" = 1 etc. Thanks for the help.

My audit logs are not being sent to splunk. The inputs.conf file is configured to monitor everything under /var/log. Please see below. Any assistance would be helpful, Thanks. [monitor:///var/log] disabled=false index=linux sourcetype=linux_messages_syslog   I also tried to specify the log in the inputs.conf file as seen below. But still no luck. [monitor:///var/log/audit/audit.log] disabled=false index=linux sourcetype=linux_audit  

When trying to change the tenant contact information on Phantom in the multi-tenancy section of Product Settings , I am getting this error posted in the screenshot below when I select save. Has anybody experienced this, and how do I resolve this issue?  

Has anyone had good results when showing Dashboard Studio Dashboard in Splunk Mobile APP? I'm getting the same result as with the Simple XML dashboard. I would like to know if it's possible to show the whole dashboard with the Background image in it. Thanks.  

Hi All, I am trying to write simple & single query to alert when a process is down and alert again when the same process is up. However, it seems there is no straightforward way. used below query to get alert when process is down and it is working  perfectly. | mstats latest(_value) as RSS_Memory WHERE index=telegraf metric_name=procstat.memory_rss host=<hostname> process_name=<processname> by process_name pid However, I am seeking help in writing single query alert when a process is down and alert again when the same process is up.  Please help, struggling from many days on this. -- Thanks Sarves