hello, trying to capture DNS log traffic from an Active Directory Domain Controller. the topology is this: cloud splunk instance, heavy forwarder on my LAN and universal forwarder on the DC. i  see multiple Stream apps in the splunk store - which app goes where? There is "Splunk App for Stream" then there's "Splunk Add-on for Stream Forwarders" then there's something called "Splunk Add-on for Stream Wire Data" - can you please help?

Hi, My query:   |tstats count where index=app-clietapp host=ahnbghjk OR host=ncsjnjsnjn sourcetype=app-clientapp source=/opt/splunk/var/clientapp/application.log by PREFIX(status:) |rename status: as App_Status |where isnotnull(App_Status) |eval Sucess=if(App_Status="0" OR App_Status="", "Succ", null()) |eval Error=if(App_Status!="0", "Error", null())   output: App_Status count   Error Sucess 0 767890   Succ 6789 65 Error     But i want the output as shown below: App_Status Error Sucess 6789 65 767890   please let me know how to modify the query so that i can get the required output.

Hi Community, I am testing Splunk dashboard performance with Selenium IDE. I am able to get the desired results but the only problem I am facing is with Splunk logging out to complete the testing. Is there some point of contact who can help me with the issue or some other ideas would also work if it helps me with Splunk logout from external applications? Regards, Pravin

Hi Friends,  I am upgrading my Splunk Enterprise from 7.1 to 8.1. after upgrading Indexer search head Peer server it is not reflecting under indexer cluster group. there i can see only Master node. do i need to follow any certain steps to upgrade such clusters ?

Environment - single splunk enterprise instance (v. 8.2.6) running on a RHEL 6.1 server, receiving data from  multiple forwarders. Issue - License volume has always shown as 30GB/day, for the past few years anyway. Found out today that the last license purchased (January 2022) was for 50GB/Day, but the license page is still showing 30G/day. How do I get the correct volume showing for our licensing? I would have thought it would have been automatic, or part of the license install process.

Hi all, I have to extract sourcetype as field in Dashboard. There are multiple sourcetype like  : oracle:audit:json, oracle:audit:json11,oracle:audit:json12,sourcetype=oracle:audit:sql11,sourcetype=oracle:audit:sql12 I have written regex : rex mode=sed field=sourcetype "s/oracle:audit:(.*)\d\d/\1/g" Its working fine for all the sourcetype :  oracle:audit:json11,oracle:audit:json12,sourcetype=oracle:audit:sql11,sourcetype=oracle:audit:sql12 But when the data is coming with oracle:audit:json, its not giving the result in Dashboard. Main search query is giving result. macros definition : definition = (sourcetype=oracle:audit:json OR sourcetype=oracle:audit:json11 OR sourcetype=oracle:audit:json12 OR sourcetype=oracle:audit:sysaud OR sourcetype=oracle:audit:sysaud11 OR sourcetype=oracle:audit:sysaud12 OR sourcetype=oracle:audit:sql11 OR sourcetype=oracle:audit:sql12) I have written macros also where i have passed all the sourcetype but getting no result or partial result in dashboard for sourcetype  oracle:audit:json  

Hey, I have a Splunk Enterprise environment with servers cluster of 4 SHDs, 5 HFDs and 3 Indexers. In addition there is a number of alerts that are configured on my Search Heads, the alerts use the 'collect' command which indexes the returned events from the query to some index. For example: index=Example ... | collect index=production It's worked for some time, approximately 6 months. But now, when I try to search for events on index "production", I get 0 events. I searched for errors and bugs with the support of a Splunk specialist, but we didn't find a solution. One speculation that we had was the 'stashParsing' queue which configured on the SHDs and used by the 'collect' command. We found on the '_internal' index logs about the queue 'max_size=500KB' and 'current_size'. The 'current_size' values were 0 99.9% of the time and 494, 449, 320, 256 0.001% of the time on the last 30 days. I have tried increasing the 'max_size' of the queue I have created a file named 'server.conf' in the following location: $SPLUNK_HOME/etc/shcluster/apps/shd_base. The file content is: [stashparsing] maxsize=600MB I have distributed this to the SHDs cluster, but it did not seem to have any effect. Splunk version: 8.1.3 Linux version: Red Hat Linux Enterprise 7.8 This is an air-gapped environment so I cannot attach any logs or data.

Resourceinitializationerror: failed to validate logger args: Options "https://prd-p-88jca.splunkcloud.com:8088/services/collector/event/1.0": dial tcp 52.203.227.66:8088: connect: connection timed out : exit status 1  1. I follow this link https://www.splunk.com/en_us/blog/platform/docker-amazon-ecs-splunk-how-they-now-all-seamlessly-work-together.html    >--- for task logs  2. https://bobcares.com/blog/use-splunk-log-driver-with-ecs-task-on-fargate/     >--this one also     please give your answer to this post 

Hi, I created a Splunk app with React but when I symlinked into Splunk's application directory, I receive the expected message as follows: BUT .... even after restarting my Splunk instance, the Splunk app does not appear on my list of apps on my Splunk instance. Why would this be and how can I fix this? Many thanks.

Hiya,  I am trying to use the ITSI REST API to update entities in my splunk development. I am able to create entities and overwrite pre existing entities which have the same `_key` value.  But I want to just update an entity without overwriting/deleting any data. So say I have an entity with 2 info fields: "cpu_cores = 4" "memory = 32" and I just want to update the "cpu_cores" field to be "cpu_cores = 8" and leave the "memory" field the same, but whenever I execute the post request it overwrites the info fields and deletes the "memory" Field. Below is the Endpoint I am using and the JSON object to update the entity: Endpoint https://<my_ip>:8089/servicesNS/nobody/itsi/itoa_interface/entity/bulk_update/?is_partial_data=1 JSON Object     [ { "_key":"aa_entity_1", "title": "aa entity 1", "object_type": "entity", "description": "Just a test", "informational": { "fields": [ "cpu_cores" ], "values": [ "8" ] }, "cpu_cores": [ "8" ] } ]       This JSON creates the entity fine, and what I understand from the documentation is that the "is_partial_data=1" should mean that it will only update data and not remove any, I have looked around and tried different things with the "is_partial_data=1". I've tried putting it into the  JSON Object as "is_partial_data":true, In the endpoint I saw somewhere that the "/" shouldn't be present before the "?is_partial_data=1", but this didnt work either. Any help would be appreciated. Addtional Info: Splunk Enterprise: 9.0.3 ITSI Version: 4.13.2 Using Postman to do post request

Hi Team, I am looking for the help to send Report.  I have a scheduled report which is running every hour. can you please advise with search query. if I create new alert and  if alert trigger, scheduled report should be sent to recipients. I am aware about the CSV/ PDF attached. looking for something like to send scheduled report as result for notification if alert triggered .

Hello dear community Can you please advise me. My team is complaining that not all data comes from the HEC token from Kubernetes. I don't see any errors in _internal at this index. But I noticed something interesting in the index="_introspection" there are breaks in the data. Could this be related? And how to fix it?  

hai All, i have events like below  from how can i filter events if for ex: 6th character in C*E**M  IS M want to filter all OR 6th character is H how can i filter all those please assist C*E**M****} JAWS Process to copy the legacy Virtu ORDERDETAILSs data from IMFT to network folder C*E**M****} JAWS Process to copy the legacy Virtu Orders data from IMFT to network folder C*E**M****} box that contains the processes to load Portware EOD files to APP_ETT database C*E**M****} box that load the OMS legacy tables 1 11.111% C*E3VL****} Box that contains the jobs to download and process the ITG Placement Inbound file C*E**H****}ox that contains the processes t