We have several analysts in multiple locations who are working from the same Incident Review channel. After someone takes an event, how do I stop multiple analysts from grabbing the same one? Thanks in advance.
Hi all. I have a folder with about 200 .evtx files. The following command works for one file. How can I process/convert all of the .evtx files to CSV at once? Thanks.

```powershell
Get-WinEvent -Path C:\somewhere\foo.evtx | Export-Csv C:\somewhere\foo.csv
```
Is there a way to search for updated DAT and AMCORE files in Splunk?
We see that the following log lines are always split into multiple events. I've tried multiple variations of LINE_BREAKER, BREAK_ONLY_BEFORE and MUST_NOT_BREAK_AFTER, but nothing worked. Does anyone know how I could go about this?

```
--------------------------------------------------
FlowFile Properties
Key: 'entryDate'
    Value: 'Wed Jan 04 16:14:58 UTC 2023'
Key: 'lineageStartDate'
    Value: 'Wed Jan 04 16:14:58 UTC 2023'
Key: 'fileSize'
    Value: '180'
FlowFile Attribute Map Content
--------------------------------------------------
```
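An added example, not from the original post, of a props.conf stanza that keeps each FlowFile record as one event by breaking only where a newline is followed by the dashed separator that opens a record; the sourcetype name nifi_flowfile is assumed. Two caveats worth checking before touching the regex: LINE_BREAKER and the other parsing settings only take effect on the first full Splunk instance that parses the data (indexer or heavy forwarder), a universal forwarder ignores them unless force_local_processing is set, and they apply only to data indexed after the restart. If each dashed block is preceded by a NiFi log header line in the real data, move the lookahead to match that header instead of the dashes, otherwise the header lands at the end of the previous event.

```ini
# props.conf on the indexer or heavy forwarder (sourcetype name is assumed)
[nifi_flowfile]
# Do not re-merge lines after breaking; LINE_BREAKER alone defines event boundaries.
SHOULD_LINEMERGE = false
# Break at a newline only when the text that follows is the dashed separator
# followed by "FlowFile Properties". The closing separator of a record is
# followed by the next opening separator, not by "FlowFile Properties", so the
# event is not split there. Only the newline is in the capture group, so the
# separator itself stays at the start of the event.
LINE_BREAKER = ([\r\n]+)(?=-{20,}\s*FlowFile Properties)
# Take the event time from entryDate, e.g. 'Wed Jan 04 16:14:58 UTC 2023'
TIME_PREFIX = Key: 'entryDate'\s*Value: '
TIME_FORMAT = %a %b %d %H:%M:%S %Z %Y
MAX_TIMESTAMP_LOOKAHEAD = 32
```

After restarting the parsing tier, verify with a fresh sample rather than old data, and check that linecount on the new events matches the number of lines in one FlowFile block.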
Hi guys, I have a search for the host with check_id statuses:

```spl
index="..." exec_mode="..." host="..." check_id="..." | table check_id status
```

It returns a column with 'passed'/'failed' values. I'm looking for a way to check the column for 'failed' statuses and merge all results based on this condition: if 'failed' is among the statuses, then status='failed'.

Table:

```
check_id  status
check1    Passed
check1    Passed
check1    Failed
check1    Passed
```

Expected result:

```
check_id  status
check1    failed
```

Thank you in advance.
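An added example, not from the original post, that collapses the per-event statuses into one row per check_id and reports failed if any event for that check failed. It assumes the status values are spelled Passed/Failed in any letter case, and it works unchanged when the base search returns several check_ids.

```spl
index="..." exec_mode="..." host="..." check_id="..."
| eval failed=if(lower(status)="failed", 1, 0)
| stats max(failed) as any_failed, count as events by check_id
| eval status=if(any_failed=1, "failed", "passed")
| table check_id status events
```

The events column is there so a check that produced no results at all is distinguishable from one that passed; drop it from the table if you only want the two-column output from the post.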
Hi, I want to create a line chart with values that come from an index, to see the data trend. Something like this:

```spl
| timechart span=10min avg(value) by id
```

Knowing that I have:
- An index, in which I have the ids and their events (corresponding values)
- A lookup CSV which contains the id and address

I want to filter the search by province (grouped by address), knowing that a province will have several ids. So I created a dropdown in which I list all the provinces (done). Next, I have to use the dropdown token in the search, but I have no information about the province in the index. And the ids are displayed as below, which prevents me from appending the province to each id:

```
_time  id1  id2  id3
```

Thanks for your help!
I am deploying the Splunk Windows TA to my UFs. My test case is UF 8.2.9 and Splunk_TA_windows 8.5. When I create inputs that have both renderXml=true and evt_resolve_ad_obj = 1, I am not receiving the SID translations. However, it works when sending back standard events instead of XML. Is evt_resolve_ad_obj not supported with renderXml? The documentation makes no mention of this. The "WinEventLog://Security" input has these settings applied, but the AD search results are not coming back for that input either. I found nothing in the splunk.log showing any errors. Here is an example I tried to build outside of the Security events. Again, evt_resolve_ad_obj works if I remove renderXml=true:

```ini
[WinEventLog://Microsoft-Windows-PushNotification-Platform/Operational]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = win
renderXml = true
```
Good day all. I am having some issues after upgrading from Splunk Enterprise version 9.0.0 to 9.0.3. When I log in to the deployment server and go to Forwarder Management, none of my data sources are listed and the page is blank white with nothing on it. I ensured the deployment server was enabled, checked the firewalls (which were OK), restarted Splunk and ensured Splunk was running, which it was. Now I am unable to log in to the deployment server at all, and it gives the following error:

```
Failed to contact license manager: reason='Unable to connect to license manager=https://hostname:8089 Error connecting: Connection refused'
```
Guys and gals, let me start off by saying that my Search game is weak, lol. In version 9.0.0 on a Winderz platform I was in Settings \ Monitoring Console \ Forwarders: Deployment, and under the Status and Configuration section I clicked the Sherlock Holmes round glass thingie to Open in Search. So far so good. I then made a few tiny mods to the search and got the results I needed. Then I clicked on Save As \ New Dashboard, and this is where things get interesting: after saving my dashboard I can't find it; it went into some black hole, I guess? Now I ain't totally dumb, so I bookmarked that page first, but that is the only way I can get back to my dashboard. So where did it get saved? I did see in the address bar that it's under the app https://MyClusterMaster.MyDomain.net:8000/en-US/app/splunk_monitoring_console/version_900_servers
I have created a search based on dynamic inputs which then get put into a bar chart visualization. I am attempting to use a drilldown token so that clicking on the bar chart makes a panel appear showing the log events for that particular day. Below is the code I am using, but I cannot get the events to show up:

```xml
<form version="1.1">
  <label>Dynamic Splunk Dashboard MSAPIGW</label>
  <fieldset submitButton="false">
    <input type="radio" token="indexName">
      <label>Index</label>
      <choice value="master_application_non-prod">NonProd</choice>
      <choice value="master_application_prod">Prod</choice>
      <search>
        <query/>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="clusterName" searchWhenChanged="true">
      <label>Cluster</label>
      <fieldForLabel>cluster_name</fieldForLabel>
      <fieldForValue>cluster_name</fieldForValue>
      <search>
        <query>index=$indexName$ cluster_name=* | dedup cluster_name | table cluster_name | sort cluster_name</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="dropdown" token="mySourceType" searchWhenChanged="true">
      <label>SourceType</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>index=$indexName$ cluster_name=$clusterName$ sourcetype=* | dedup sourcetype | table sourcetype | sort sourcetype</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="labelApp" searchWhenChanged="true">
      <label>Application</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>label_app</fieldForLabel>
      <fieldForValue>label_app</fieldForValue>
      <search>
        <query>index=$indexName$ cluster_name=$clusterName$ sourcetype=$mySourceType$ label_app=* | dedup label_app | table label_app | sort label_app</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="errorSearch">
      <label>ErrorSearch</label>
    </input>
    <input type="time" token="searchTime">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=$indexName$ cluster_name=$clusterName$ sourcetype=$mySourceType$ label_app=$labelApp$ $errorSearch$ | stats count as hourcount by hour | bin hour as day span=1d | eval day=strftime(day, "%Y-%m-%d %a") | eval hour=strftime(hour, "%H:%M") | chart sum(hourcount) as count by day hour</query>
          <earliest>$searchTime.earliest$</earliest>
          <latest>$searchTime.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <eval token="drilldown_attribute">$click.value$</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row depends="$drilldown_attribute$">
    <panel>
      <event>
        <search>
          <query>index=$indexName$ cluster_name=$clusterName$ sourcetype=$mySourceType$ label_app=$labelApp$ $errorSearch$</query>
          <earliest>$searchTime.earliest$</earliest>
          <latest>$searchTime.latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
  <row>
    <panel>
      <title>THESE ARE MY TOKEN VALUES</title>
      <html>
        <h2>Index = $indexName$</h2>
        <h2>Cluster = $clusterName$</h2>
        <h2>SourceType = $mySourceType$</h2>
        <h2>Application = $labelApp$</h2>
        <h2>ErrorSearch = $errorSearch$</h2>
        <h2>Time = $searchTime$</h2>
        <h2>drilldown_attribute = $click.value$</h2>
      </html>
    </panel>
  </row>
</form>
```

I have gone through numerous Splunk documents and various other websites looking for a solution, but have yet to get anything to work. Any help is appreciated.
Hello everyone, I have a problem with a search. I tried this:

```spl
index="main" sourcetype="st_easyvista_generic" "Identifiant réseau"="PCW-*" Statut="En Service"
| dedup "Identifiant réseau"
| stats values("Entité (complète)") as entité
| eval ss=mvindex(split(entité,"/"),0)
| stats count by ss
```

It works only for the lines that contain a slash. I don't know how to proceed to have the first field extracted for all the results. Thank you so much for your help.
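An added example, not from the original post, that applies the split before the aggregation. In the posted search, stats values() first collapses every entity into one multivalue field on a single row, so the eval that follows no longer sees one value per record; evaluating per record first, then counting, gives one bucket per leading segment for every row, including those without a slash (for which split() returns the whole value). Field names with spaces or parentheses must be wrapped in single quotes inside eval. The field and sourcetype names are the ones from the post.

```spl
index="main" sourcetype="st_easyvista_generic" "Identifiant réseau"="PCW-*" Statut="En Service"
| dedup "Identifiant réseau"
| eval ss=mvindex(split('Entité (complète)', "/"), 0)
| stats count by ss
| sort -count
```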
Hi all, from the search below, how do I convert seconds to HH:MM format? The age field holds a time in seconds.

```spl
index=_internal source=*metrics.log group=tcpin_connections earliest=-2d@d
| eval Host=coalesce(hostname, sourceHost)
| eval age = (now() - _time )
| stats min(age) as age, max(_time) as LastTime by Host
| convert ctime(LastTime) as "Last Active On"
| eval Status= case(age < 1800,"Running",age > 1800,"DOWN")
| rename age as Age
| sort Status
| table Host, Status, Age,"Last Active On"
```
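An added example, not from the original post, showing two ways to render the age as hours and minutes: tostring(age, "duration") gives Splunk's built-in HH:MM:SS form (D+HH:MM:SS once it exceeds a day), and printf builds a strict HH:MM. It keeps the post's base search but computes age from the latest event per host (which equals the min(age) of the post) and uses if() so that an age of exactly 1800 seconds is not left unclassified, as it is with the two-branch case().

```spl
index=_internal source=*metrics.log group=tcpin_connections earliest=-2d@d
| eval Host=coalesce(hostname, sourceHost)
| stats max(_time) as LastTime by Host
| eval age=now() - LastTime
| eval Status=if(age < 1800, "Running", "DOWN")
| eval Age=printf("%02d:%02d", floor(age/3600), floor((age%3600)/60))
| eval AgeDuration=tostring(age, "duration")
| eval "Last Active On"=strftime(LastTime, "%Y-%m-%d %H:%M:%S")
| sort Status
| table Host Status Age AgeDuration "Last Active On"
```

Keep one of Age or AgeDuration depending on the format you want; both are derived from the same numeric age, which is worth keeping as a hidden field if the table feeds an alert, since a string column cannot be compared numerically.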
Hi, I have a query that outputs a table with the following three fields: Latitude, Longitude, Count. How can I turn this query's output into JSON format so that I can use it with React? Many thanks, Patrick
Hi, I'm looking for a way to create a dropdown in a dashboard in which the values are grouped. For example, with the table below, I want to have a dropdown called "Site" with two values: Washington, California. Then, later, a statistics table will list the IDs according to the "Site".

```
Address                                  ID
1 Microsoft Way, Redmond, Washington     132
15 Microsoft Way, Redmond, Washington    456
10 Microsoft Way, Redmond, Washington    789
1 Infinite Loop, Cupertino, California   111
2 Infinite Loop, Cupertino, California   222
3 Infinite Loop, Cupertino, California   489
```

I imagine having a list of labels in the dropdown, then searching for the values that correspond to each label:

```xml
<input type="dropdown" token="site" searchWhenChanged="true">
  <label>Site</label>
  <choice value="Washington">Washington</choice>
  <choice value="California">California</choice>
  <choice value="*">All</choice>
</input>
```

```spl
| inputlookup address.csv | where like(Address,"%Washington%")
```

But I don't know how to put it together to make it work. Do you have an idea how it can work, or another idea, please? Thanks in advance!
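An added example, not from either post, that covers both the Site dropdown above and the earlier question about filtering a timechart by a province that exists only in a lookup. The grouping value is derived from the Address column rather than hard-coded, so the dropdown follows the lookup. The first search populates the dropdown (one row per Site); the second is the statistics panel for this post; the third is the timechart panel from the earlier post, which assumes that address.csv also carries the id of each device and that the index events carry a matching id field. The file name address.csv and the tokens $site$ and $province$ are from the posts; taking the last comma-separated part of Address as the state/province is an assumption about the address format.

```spl
| inputlookup address.csv
| eval Site=trim(mvindex(split(Address, ","), -1))
| stats count by Site

| inputlookup address.csv
| eval Site=trim(mvindex(split(Address, ","), -1))
| search Site="$site$"
| table Site Address ID

index=... id=*
| lookup address.csv id OUTPUT Address
| eval province=trim(mvindex(split(Address, ","), -1))
| search province="$province$"
| timechart span=10min avg(value) by id
```

In the dropdown definition, replace the static choices with the first search plus fieldForLabel/fieldForValue set to Site, and keep only the static "All" choice with value "*": search Site="*" then matches every row that has a Site. In the third search the lookup runs before timechart, so the filter acts on individual events while id is still a field, which is why it does not matter that the final output has one column per id.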
Hi all, good day. We have installed forwarders on multiple Windows servers. Is there any Splunk search to know the memory usage of all servers, or high usage greater than 80%, and also which process is taking the high usage? Thanks
Hi all, I am trying to tabulate the error ratio based on the following scenario. From the unique log events I use a regex to split out the error codes, but this causes the total events to be filtered out, making the overall hits incorrect when calculating the percentage, as the initial number of unique events is not being preserved with eventstats. A sample log event is in JSON format as below, with multiple error codes in the same log event which need an error-wise split:

```
log:<<field1>>,<<field2>>,<<field3>>,error=60KOANEWLH=500.EBS.SYSTEM.100:67MPW4X79FOJ=500.IMS.SERVEROUT.100:3534U6ZIZY39=500.EBS.SERVERIN.100;404.IMS.SERVEROUT.105:3M8TEWEKVIJK=500.IVS.XXXXX.100;404.IMS.XXXX.105:2ILTH9G0UMG1=500.IMS.XXXXXXXX.100:0UAQL48U2KWF=500.EBS.XXXXXXX.100;404.IMS.XXXXXXXXX.105, missingFulfillmentItems,<<field4>>,<<field5>>,<<field6>>
```

I would like to get each error code's percentage, mainly (count of 500.XX.XXXX.100 / total hits). Below is the Splunk search I have been using, but I am not getting the total events; please correct me if anything is missed. Could someone please assist with an alternate option to compute the error trend? Thanks in advance.

```spl
index=<indexname> "Search String" "Type"=prod
| eventstats sum(index) as total_hits
| rex field="log.log" ", error=*(?<errorMap2>.+), missingFulfillmentItems"
| eval errors0=replace(errorMap2, "=", ";")
| eval errors1=split(errors0,":")
| rex field=errors1 "(?<errorCodes>.*)"
| mvexpand errorCodes
| eval errorCodes1=split(errorCodes, ";")
| mvexpand errorCodes1
| where like(errorCodes1,"%500.IMS.%")
| stats count by errorCodes1,total_hits
```

Note: each log event is unique and has multiple error codes within the event, or no error codes if it was a success.
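An added example, not from the original post, that preserves the denominator and pulls the codes out directly. eventstats sum(index) produces nothing because index is a string field; eventstats count as total_hits stamps every event with the event total before any field is expanded or filtered. One rex with max_match=0 extracts every code of the form NNN.WORD.WORD.NNN from the error map without the replace/split chain, mvdedup turns the later count into a count of events containing the code rather than of occurrences when a code repeats inside one event, and the 500.IMS filter is applied only at the end so that it cannot shrink the total. Field and index names are those from the post; the [A-Z]+ pattern for the middle segments of a code is an assumption.

```spl
index=<indexname> "Search String" "Type"=prod
| eventstats count as total_hits
| rex field="log.log" "error=(?<errorMap>[^,]+), missingFulfillmentItems"
| rex field=errorMap max_match=0 "(?<errorCode>\d{3}\.[A-Z]+\.[A-Z]+\.\d{3})"
| eval errorCode=mvdedup(errorCode)
| mvexpand errorCode
| stats count as hits by errorCode, total_hits
| eval pct=round(100 * hits / total_hits, 2)
| search errorCode="500.IMS.*"
| sort -hits
```

Successful events have no errorCode after the second rex; they still carry total_hits and are simply dropped by the stats grouping, so the percentages are per error code over all events, which is the ratio the post asks for. If the time range is large, mvexpand is the step that can hit memory limits, so run it after narrowing the base search rather than widening it.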
Hi, I have been trying Security Lake for a few days. After dealing with lots of errors I was finally able to activate Security Lake in my account, but further, I wanted to ingest that data into Splunk. I referred to the following official document to connect my AWS to Splunk: https://github.com/splunk/splunk-add-on-for-amazon-security-lake/blob/main/Splunk%20Add-on%20for%20Amazon%20Security%20Lake.pdf It seems to me that the AWS account is connected, but there is some permission issue regarding SQS: when I try to configure an input I get an error, access denied to ListQueues. I checked the permissions, but they are already given to the role. Requesting you to please help me with this, as Security Lake is completely new in AWS and there are not many resources available to look at. I am attaching a screenshot of the error in Splunk.
Hi, we have deployed the Splunk on-prem components: heavy forwarder, syslog-ng and deployment server. We have configured them correctly, we think: we can install the universal forwarder on an endpoint and see the endpoint in the on-prem console. Now, to get this information flowing out to Splunk Cloud, we have to go via a proxy server, as it is the only way out of the environment. We've configured the servers and the proxy to allow them to communicate with the yum repositories, so we know they can get out and connect. The issue we are now having is that we don't seem able to get the data flowing out to the cloud. I've followed the article below, correctly I believe: https://docs.splunk.com/Documentation/Splunk/9.0.2/Forwarding/ConfigureaforwardertouseaSOCKSproxy This config should be on the heavy forwarder, is that correct? We also believe the proxy server is configured correctly, but that could also be wrong. Does anyone have any ideas/pointers/advice on why this doesn't work and how we can resolve it?
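An added example, not from the original post, of the outputs.conf stanza that carries the SOCKS settings from the linked article. It belongs on whichever instance opens the connection to Splunk Cloud, here the heavy forwarder; a universal forwarder that only sends to the heavy forwarder does not need it. Hostnames, port, group name and credentials are placeholders. Two things worth checking: the forwarder speaks only SOCKS5 to the proxy, so an HTTP/HTTPS proxy that works for yum will not carry this traffic unless it also exposes a SOCKS5 listener; and the connection to Splunk Cloud is TLS on the indexing port, so the certificate settings from the Universal Forwarder credentials package for your stack still have to be in place next to the socks settings.

```ini
# outputs.conf on the heavy forwarder (hostnames, port and group name are placeholders)
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = inputs.example.splunkcloud.com:9997
# SOCKS5 proxy the forwarder tunnels through; the forwarder does not read the
# HTTP proxy settings that yum uses.
socksServer = proxy.example.internal:1080
# Only needed if the proxy requires authentication
socksUsername = splunk_fwd
socksPassword = <password>
# Let the proxy resolve the Splunk Cloud hostname; needed when internal DNS
# cannot resolve external names, which is common behind an egress proxy.
socksResolveDNS = true
```

After restarting, the TcpOutputProc messages in splunkd.log on the heavy forwarder show whether the failure is the SOCKS handshake to the proxy or the TLS connection beyond it, which separates a proxy problem from a certificate problem.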