Hi all, I would like to assign the column names in the table below, following the order I list. As you can see, the column names are not in alphabetical order. But I don't know which command I can use to assign the column names and their sequence as expected. Does anyone know how to set the column names and their sequence as well? Thank you.
Log ID Log index TIME_TOTAL BEFORE_B_PROC AFTER_B_PROC AFTER_R_T AFTER_R BEFORE_BEGIN_G BEFORE_M AFTER_M Proc_END
Hi, please tell me how to solve the message below.
ERROR MSG = Search on most recent data has completed. Expect slower search speeds as we search the reduced buckets.
Hello Champs.. One of the Splunk logs has the field below:
Text: XCOM: File Receive ended REQ 086094, Remote LU 10.38.46.122, File $PRD10.C221130A Remotefile /ABC/APP1/OUT/C221130A 63465 bytes, 578 records in 38875 microsec
I want to extract File_name = $PRD10.C221130A, Remote_file = /ABC/APP1/OUT/C221130A and records = 578 from the above Text field. How can this be done? Please help.
Hi, I have to create a use case related to IPs blocked going from the external to the internal network. I can create a search query for that, but the question is that I want to look up the external IP type with a threat intelligence lookup through a Splunk search query. So can I use ip_intel for that, or do you guys have any other method? Just an example: an IP x.x.x.x blocked by the firewall can be looked up with Splunk, so how do I identify whether the IP belongs to a threat or threat category?
I'm predicting the health score of a MySQL service database, but why is the prediction accuracy N/A?
Hello Masters, I've the search
index="xxx_generic_app_audit_prd" sourcetype="xxx:designeng:syslog" host="15.250.99.*" OR host="15.246.49.*" "*/testshare/APP1/OUT/*" AND "BANP3*" | search "Subsystem: XCOM" AND "Event Number: 01"
The log comes in as below:
Dec 5 14:30:43 Web ViewPoint Enterprise: Owner: XCOM Subsystem: XCOM Event Number: 01 Generation TIme: 2022-12-05 14:30:41 Text: XCOM: File Receive ended REQ 086694, Remote LU 10.38.46.122, File $PRD10.FILE01.C221205C Remotefile /testshare/APP1/OUT/C221205C 341797 bytes, 3336 records in 234564 microsec Event Type: Normal Process: \BANP3.$X2LD Content Standard: Subject: Custom Text: Source: WVPE Passvalue: 0 Node Name: \BANP3
host = 15.246.49.129 index = xxx_generic_app_audit_prd source = /syslogdata/dns/test.internal.xxx/logs/2022-12-05/hp/15.246.49.129/2022-12-05-14_user.log sourcetype = xxx:designeng:syslog
Once the input file is received, the application job should process this file and complete. The log for the completed job is as follows:
index="xxx_generic_app_audit_prd" sourcetype="xxx:designeng:syslog" host="15.250.44.*" OR host="15.246.44.*" "BANP3*" | search "Subsystem: 800" AND "Event Number: 42"
Dec 5 15:00:14 Web ViewPoint Enterprise: Owner: DELUXE Subsystem: 800 Event Number: 42 Generation TIme: 2022-12-05 15:00:13 Text: CBM042 Batch finished, Chg=B221205C, Recs=3336, Errs=0 Event Type: Normal Process: \BANP3.$X3F1 Content Standard: Subject: Custom Text: Source: WVPE Passvalue: 0 Node Name: \BANP3
host = 15.246.44.129 index = xxx_generic_app_audit_prd source = /syslogdata/dns/test.internal.xxx/logs/2022-12-05/hp/15.246.49.129/2022-12-05-14_user.log sourcetype = xxx:designeng:syslog
My requirement is to marry both these logs and create an alert only when the input file is received but there is no log for the output file. Could you please assist?
I've a field named opened_at with the date value shown in the image. But while taking the value from it, it returns a null value. Am I missing something here?
I tried to view the events in detail on another panel, so I tried putting in the token. It's not showing the clicked events correctly. Anyone who knows the token concept in drilldown, please elaborate; I have no idea how it works.
Hello, I have use cases to send a stream of data from Splunk to 3rd party servers on a continuous basis. Are there any options in Splunk? Thank you for your help in advance.
How can I retrieve data from the router and send it to Splunk?
Hello everyone. In the Investigation view, in the Workbench section, I want to add a different artifact type than the ones that appear (asset, identity, file, url): I would like an artifact type Device and another type Index. Where do I add custom artifact types to use in the workbench?
Currently using Splunk ES's managed lookup table called hosts. There's a field called hostname within the file. I'm trying to create a search where, if results under the "query" field match anything under hostname, then alert or show results. Here's what I have so far:
index=opendns [ | inputlookup hosts | search hostname | table hostname query]
Hello everyone! I started working with Splunk 2 months ago. I don't know where I can start looking for information on how to build a query and dashboard (flow map). Do you have any ideas? Greetings
Using: Splunk Add-on for Microsoft Windows 8.5.0. We have created a report listing users that are part of specific groups using this logic:
| inputlookup AD_Obj_User | lookup AD_Obj_Group member AS dn
We noticed users disappearing from these reports when a user was moved to another OU. This is what we see happening when we move a user to another group:
1: In the AD_Obj_User lookup the dn changes to cn=username, ou=NewGroup, ......
2: In the AD_Obj_Group lookup, in the member field, the user dn does not change, but still looks like cn=username, ou=NewGroup, ......
Because the dn of the user and the dn in the member field are now different, the user disappears from the report. As part of our debugging effort we tried updating another property of the group (description), and after this the member field in AD_Obj_Group is also updated, and the user is back in the report again. This looks like a bug to me, but maybe I'm missing something. Is anyone able to solve this mystery?
Hello, I would like the AWS CloudTrail logs' "Host" field to be the Account ID for each log (we have multiple AWS accounts). The current value is "$decideOnStartup". We are using SQS-based S3 to read a bucket containing CloudTrail from several accounts. Is there any way to do it? Thank you
Hi, I have read all the HEC Splunk documentation but there are some things that are not clear to me. I know the process to create a new token: Log on to your Splunk server. Go to Settings > Data Inputs > HTTP Event Collector > Global Settings. Edit the Global Settings. Click the Enabled button for the All Tokens option. ... Go to Settings > Data Inputs. Click +Add New in the HTTP Event Collector row to create a new HEC token.
So unless I am mistaken, a new stanza is created in the inputs.conf file of the Heavy Forwarder? If yes, do we also have to update the output.conf file on the Heavy Forwarder to route the events to the indexers? Is there any other configuration to do?
I have also understood how to test our HTTP Event Collector with the curl command:
curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://mysplunkserver.example.com:8088/services/collector/event -d '{"sourcetype": "my_sample_data", "event": "http auth ftw!"}'
In this example, does https://mysplunkserver.example.com:8088 correspond to the HEC endpoint? What I also do not understand is, once the HEC configuration works, how the events are automatically sent to the Splunk platform. Is there a scheduled task to do this? Finally, if somebody has interesting tutorials on HEC topics (other than Splunk's own tutorials), I would be very interested. Thanks
Why is CIM important? Easy example, please.
Hi, please extract the field. Sample data: "tag":AKAMAI/WAF/ Thanks.
I have a dashboard where I want to get the following features:
1. For the drilldown option I set "Link to search", but when I click on the graph the search page opens in the same tab; I want to open it in another tab.
2. I have another panel where the bar graph is shown by host, so I want to show a different color for each host. How can I do this?
3. I want to display the values on the graph. They are displayed but they overlap; how can I make them display clearly?
I've been tasked with improving existing and creating new Splunk dashboards using React.js. I'm following https://splunkui.splunk.com/Create/Overview but have a major restriction that is giving me a headache... The restriction is that I cannot use the npm/yarn/npx commands. The team managing Splunk's AWS resources will not allow me to run those commands, and therefore the entire app must be self-contained, almost like a Lambda layer. I tried zipping the staging folder and creating a new app with it, but that has failed. So how can I go about resolving this?