I have 5 separate endpoints for our Okta environment that I'm pulling into Splunk. The data is all event driven so if I'm trying to map user, group and application data together and the groups or applications were created over a year ago, it won't find the data unless I move the search window back, causing long searches. What I would like to do is  create lookup tables for each of those endpoints so I only have to run one long query, one time for those endpoints, and then append any group, application and user that is create each data on a saved search. Is this the right strategy and could someone help me with how you would do that? I did see a few articles on appending data to table but it didn't seem to meet my needs for this scenario. Thanks, Joel

Hello everyone. First of all, this was working fine using images 8.x. Here is my compose for 8.2:     version: '3.6' services: splunkuf82: tty: true image: splunk/universalforwarder:8.2 hostname: universalforwarder82 container_name: universalforwarder82 environment: SPLUNK_START_ARGS: "--accept-license --answer-yes --no-prompt" SPLUNK_USER: root SPLUNK_GROUP: root SPLUNK_PASSWORD: "adminadmin"     Here are some commands to check if it is running:     jpla@rd:~/pd/rd/docker/rundeck/rd.universalforwarder82$ docker compose down jpla@rd:~/pd/rd/docker/rundeck/rd.universalforwarder82$ docker compose up -d [+] Running 2/2 ⠿ Network rduniversalforwarder82_default Created 0.1s ⠿ Container universalforwarder82 Started 0.4s jpla@rd:~/pd/rd/docker/rundeck/rd.universalforwarder82$ docker exec -it universalforwarder82 bash [ansible@universalforwarder82 splunkforwarder]$ cd bin [ansible@universalforwarder82 bin]$ sudo ./splunk status splunkd is running (PID: 1125). splunk helpers are running (PIDs: 1126).     Here is my compose for 9.0.3:     version: '3.6' services: splunkuf903: tty: true image: splunk/universalforwarder:9.0.3 hostname: universalforwarder903 container_name: universalforwarder903 environment: SPLUNK_START_ARGS: "--accept-license --answer-yes --no-prompt" SPLUNK_USER: root SPLUNK_GROUP: root SPLUNK_PASSWORD: "adminadmin"     Here are the same commands to check if it is running:     jpla@rd:~/pd/rd/docker/rundeck/rd.universalforwarder903$ docker compose down jpla@rd:~/pd/rd/docker/rundeck/rd.universalforwarder903$ docker compose up -d [+] Running 2/2 ⠿ Network rduniversalforwarder903_default Created 0.1s ⠿ Container universalforwarder903 Started 0.5s jpla@rd:~/pd/rd/docker/rundeck/rd.universalforwarder903$ docker exec -it universalforwarder903 bash [ansible@universalforwarder903 splunkforwarder]$ cd bin [ansible@universalforwarder903 bin]$ sudo ./splunk status Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R root /opt/splunkforwarder" Error calling execve(): No such file or directory Error launching command: No such file or directory execvp: No such file or directory Do you agree with this license? [y/n]: y This appears to be an upgrade of Splunk. --------------------------------------------------------------------------------) Splunk has detected an older version of Splunk installed on this machine. To finish upgrading to the new version, Splunk's installer will automatically update and alter your current configuration files. Deprecated configuration files will be renamed with a .deprecated extension. You can choose to preview the changes that will be made to your configuration files before proceeding with the migration and upgrade: If you want to migrate and upgrade without previewing the changes that will be made to your existing configuration files, choose 'y'. If you want to see what changes will be made before you proceed with the upgrade, choose 'n'. Perform migration and upgrade without previewing configuration changes? [y/n] y -- Migration information is being logged to '/opt/splunkforwarder/var/log/splunk/migration.log.2023-01-31.23-16-18' -- Migrating to: VERSION=9.0.3 BUILD=dd0128b1f8cd PRODUCT=splunk PLATFORM=Linux-x86_64 Error calling execve(): No such file or directory Error launching command: Invalid argument ^C [ansible@universalforwarder903 bin]$ sudo ./splunk status Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R root /opt/splunkforwarder" Error calling execve(): No such file or directory Error launching command: No such file or directory execvp: No such file or directory Do you agree with this license? [y/n]:     As you can see in 9.0.3 it asks for license again, and again after saying yes the first time. This behaviour is running on Docker version 20.10.23, also happening on Minikube version: v1.29.0.- on Linuxmint 21.1.- I added tty: true per this recommendation, but it didn't work for me. Could anybody please confirm the issue? Thanks!

I'm fairly new to Splunk and I am having some trouble setting up a data input from my universal forwarder. I've currently got it configured to pull windows event files from a specific folder on the machine that are moved to it manually. However it is only pulling seemingly random files, but 99% aren't getting indexed. I've tried specifying the file type to see if that was in issue, with no luck. I've also tried adding crcSalt = <string> to the input.conf file, no luck there either. Trying to see if I'm missing something as I've gone through many other posts for similar issues to no avail. Any ideas are greatly appreciated. 

So I have a vSphere environment.  our indexer machines are running rhel 8.7 and I installed splunk enterprise on all them. We named them indx01, indx02 and indx03 real creative yep but with some googling we turning off distributed searching and disabled firewall just to be sure we initially had a success in adding peers to the index cluster master, but they were throwing an error that said unable to connect to the cluster master and so on the replication factor blah blah. So then we disabled indexer clustering on all of them and now I can't get any of them to be added. Distributed search turned off check firewall disabled   check on the same domain and dns  check I am attaching a image of a warning but I don't know what if anything it has to do with the problem

Dear Splunkers, I would like to inform you that, I am very curious to learn splunk admin, can anyone refer me good YouTube channel or any other online institute moreover If possible please provide me list of topics available in splunk admin course Would be appropriate your kind support Thanks in advance..

I have installed my first splunk enterprise on a linux server and installed forwarders on windows workstations using the ports as instructed. Firewall is off and selinux off. The forwarders are calling in. Now perhaps I am missing something in that in splunk, I select search and enter * (or index=anything, there is a long list) and the error is; The transform ca_pam_login_auth_action_success is invalid. Its regex has no capturing groups, but its FORMAT has capturing group references. I tried another search, and saw another error; Error in "litsearch" command: Your splunk license expired (the license is new) or you have exceeded your license limit too many times. Renew your splunk license by visiting www.splunk/com/store or calling 866-GET-SPLUNK. The search job failed due to an error. You may be able to view the job in the job inspector. All I want is to understand why FORMAT has capturing group references, but the regex does not and to turn my paperweight into a thriving reporting tool. Can anyone help? Thank you!  

I feel like there's a simple solution to this that I just can't remember. I have a field named Domain that has 13 values and I want to combine ones that are similar into single field values. This is how it currently looks: Domain:                                                                           Count: BC                                                                                      1 WIC                                                                                    3 WIC, BC                                                                            2 WIC, UPnet                                                                    3 WIC, DWnet                                                                   5 WIC, DWnet, BC                                                           6 WIC, DWnet, UPnet                                                    1 WIC/UPnet                                                                    3 WIC/DWnet                                                                   2 UPnet                                                                              5 UPnet, SG                                                                       6 DWnet                                                                              1 DW                                                                                     1 I want to merge the values "WIC, UPnet" and "WIC/UPnet" to "WIC,UPnet" | "WIC, DWnet" and WIC/DWnet" to "WIC, DWnet" | "DWnet" and "DW" to "DWnet" New results should read: Domain:                                                                           Count: BC                                                                                      1 WIC                                                                                    3 WIC, BC                                                                            2 WIC, UPnet                                                                    6 WIC, DWnet                                                                   7 WIC, DWnet, BC                                                           6 WIC, DWnet, UPnet                                                    1 UPnet                                                                              5 UPnet, SG                                                                       6 DWnet                                                                              2

Hi, Need a search query to find the either if  first_find and last_find values matches with the current date should raise an alert .   first_find last_find fields are in  2020-04-30T13:18:13.000Z 2023-01-15T14:12:18.000Z format need this in  2020-04-30 format  2. Instead of receiving all the alerts we require, if today's date matches the first _find or the last_find, raise an alert *todays date will change every day do not bound that with actual todays date* note : last_find  , first_find are multi valued fields.. Thanks...

Hello everyone,    I have a question with base search in Splunk Dashboard Studio.  I used this option to made my parent search and my chain search :  For example, I create this search, which used the base search : SI_bs_nb_de_pc However, I have a problem with thoses errors:  * Can you help me please ? An other quetsion, how to use multiple base search in a same search ? I didn't find an issue to do this in Dashboard Studio  I need your help , thank you so much 

Configured the script based app for the databases which brings the data as follows. As mentioned below.  When I am running the script at UF corrected expeced output. But when I push an application containg the same script it is fetching me different output. Expected data after running the script in the UF is as below.  Date, datname="sql", age="00:00:00" Output we are receiving at splunk SH is like below.  Date, datname="datname", age="age" The script is kept in the location -> /opt/splunkforwarder/etc/apps/appname/bin - scripts  and /opt/splunkforwarder/etc/apps/appname/local - inputs.conf For troubleshooting I have followed below steps.  Removed and Pushed the app again Tried restarting the UF Can any one know or faced similar issue. Please help me on this. 

Hi! im trying to detect multiple user access from the same source (same mobile device). Im feeding splunk with logs from a mobile app like this: 09:50:14,524 INFO [XXXXXXXXXXXX] (default task-XXXXXX) [ authTipoPassword=X, authDato=XXXXX, authTipoDato=X, nroDocEmpresa=X, tipoDocEmpresa=X, authCodCanal=XXX, authIP=XXX.XXX.XXX.XXX, esDealer=X, dispositivoID=XXXXXXXXXX, dispositivoOS=XXXXX ] im using the following search search XXXX |  stats dc(authDato) as count,values(authDato) as AuthDato by dispositivoID dispositivoOS authIP | where count > 1 | sort - count  and get almost all the info i wanted (like two different users - authDato - from same deviceID (dispositivoID), but i would like to enrich the data with the last time of ocurrence for the event. Is there a way to include this information?  Thanks in advance.

Hi Friends, We are using Splunk cloud 9.0.  I want to ingest Azure SQL Managed Instance data into Splunk. Could you please suggest which add-on I need to use to integrate Azure SQL managed instance data into Splunk?  If possible share some references how to setup that add-on.  In our environment we are using below components: Universal Forwarder, heavy forwarder, Deployment server , Search head, IDM, Indexer, Cluster Master.  Could you please confirm where we need to install add-on ? HF or SH or IDM. Regards, Jagadeesh