Hi Team I have question that, every month EUM licenses are refreshing and i can see valid from and to are changing with info. May i know will utilized data will reflect the same like for example,. Jan -2022 i see that utilized pageview count is 400 Feb -2022 i see that utilized pageview count is 700 Mar -2022 i see that utilized pageview count is 1100 in this above scenerio, the total utilized value is 1100 pageview. so each month utilized value will remain same and new view will be added. as per my knowledge and understanding, jan month - 400 views, feb month - 300 views, and Mar month - 400 views. it will not refresh the utilized and start from scratch. Please correct me if i am wrong. thanks Jaganathan

Hello everyone! I have basic search index=main | stats list(src.port), list(dst.port) count(src.ip) as COUNT by id How can I apply mvdedup (or stats dc, don't know how better) to field dst.port only if numbers of dst ports = field COUNT?

Hello Are you okay? Can you help me, I'm trying to configure the Deployer to send the Apps to the SH's but I'm getting an error when executing the command: Command: ./splunk apply shcluster-bundle -action stage --answer-yes Error: Error in pre-deploy check, uri=?/services/shcluster/captain/kvstore-upgrade/status, status=502, error=Cannot resolve hostname Tks!

Hello, im getting this error while im trying to register a linux server client- ssl3_read_bytes:tlsv1 alert unknown ca - please check the output of the openssl verifycommand for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to true, the CA certificate and the server certificate should not have the same Common Name. Someone knows how to solve it?

Hi, I need a help in creating a daily csv export to a file from a data set for 24 hrs . I have a data set under Search & Reporting >>Datasets >>my dump report. now when i click on the my dump report it gives me report for any specific condition / time / period what ever i like and then i am able to download the same as csv file . I need help to create a daily automatic job of the same so that after every 24 hrs ( each day from 00:00:00 hrs to 23:59:00 hrs ) the report is created and saved / exported to a specific folder / disk with date_Month_year wise folder / file . Kindly help me / guide me for the same . i am trying on splunk installed on windows.

Hello. I'm trying to identify a pool of windows hosts by adding an additional field to the events they forward. I can do this by adding an inputs.conf in /Splunk_home/etc/system/local and this works. My metadata field is called uf_deployment::remote_laptop(see below). [monitor://C:\Windows\System32\winevt\Logs\Application.evtx] index = my_index disabled = 0 sourcetype = XmlWinEventLog _meta = uf_deployment::remote_laptop However, the only way I can see how to do this is by monitoring a log file and using the [monitor] tag. But this presents a problem; I don't want to forward events from a log that I'm not interested in, nor do I want to duplicate events. I'm looking for a solution that will allow me to send the _meta = uf_deployment::remote_laptop field without having to "monitor" a log file. So far I have tried [default] with no success(see below) Any help is appreciated. Thank you. [default] index = my_index disabled = 0 sourcetype = XmlWinEventLog _meta = uf_deployment::remote_laptop

All: Recently we had an issue with our Oracle environment (11.2.0.4/Oracle Cloud Infrastructure) where the following RMAN query was running and taking the highest CPU time due to blocking/deadlock issues. select status, to_char(cast(start_time as timestamp with time zone),'yyyy-MM-dd"T"HH24:mi:ss.FF3TZH:TZM'), to_char(cast(end_time as timestamp with time zone),'yyyy-MM-dd"T"HH24:mi:ss.FF3TZH:TZM'), object_type, operation from v$rman_status where recid = (select max(recid) from v$rman_status where operation = 'BACKUP' and object_type like 'DB%') or recid = (select max(recid) from v$rman_status where operation = 'BACKUP' and object_type = 'ARCHIVELOG') As part of the investigation, we found that this query is getting initiated by the Splunk module using the sqlplus and running every minute. In order to successfully run the query, currently we have applied the sql profile with a better execution plan to avoid becoming a runaway query. I would like to recommend rewriting this query as follows in the source Splunk module to avoid becoming run away query select status, to_char(cast(start_time as timestamp with time zone),'yyyy-MM-dd"T"HH24:mi:ss.FF3TZH:TZM'), to_char(cast(end_time as timestamp with time zone),'yyyy-MM-dd"T"HH24:mi:ss.FF3TZH:TZM'), object_type, operation from v$rman_status where recid = (select max(recid) from v$rman_status where operation = 'BACKUP' and object_type like 'DB%') union select status, to_char(cast(start_time as timestamp with time zone),'yyyy-MM-dd"T"HH24:mi:ss.FF3TZH:TZM'), to_char(cast(end_time as timestamp with time zone),'yyyy-MM-dd"T"HH24:mi:ss.FF3TZH:TZM'), object_type, operation from v$rman_status where recid = (select max(recid) from v$rman_status where operation = 'BACKUP' and object_type = 'ARCHIVELOG') If you have any questions/concerns, please let me know. Thank you Ramesh Vasudevan

We upgraded to Splunk Enterprise v9.0.2 yesterday and have subsequently hit an issue with an integration with our ServiceNow platform for raising Cases and Incidents. We have a custom "Alert Action" which uses the python "requests" module. (Wondering if the removal of Python2 has had an impact on our previously working script and "import requests") Anyway, we seem to be getting SSL: UNKNOWN_PROTOCOL Just asking if anyone has had something similar happen. Pulling hair out to trying to make sense of the SSL configuration settings. We're issuing a log statement before and after the request.response and it is not reaching the "after", like a silent error. Any pointers would be appreciated.

Here's the weirdest piece of error I've ever seen. When I run the following code snippet I get a syntax error: line 1, column 0. But when I change the port to anything else, the code is running. Any help? import os import splunklib.client as client from dotenv import load_dotenv def connect_to_splunk(username, password, host='splunk.my_company.biz', scheme='https' try: service = client.connect(username=username, password=password, host=host, scheme=scheme, port='443') if service: print("Splunk service created successfully") except Exception as e: print(e)

index=XX sourcetype=YY source=*/log/abc.log | dedup _time, bppm_message, bppm_nodename sortby -_indextime | rex field=bppm_operations_annotations "0x[a-z0-9]{8},(?<onepass>\w+),,(OPERATOR|OVERRIDE)_CLOSED" | rex field=bppm_operations_annotations "(OPERATOR_CLOSED:|OVERRIDE_CLOSED:|OWNERSHIP_TAKEN:)\s+(?<closed_with>(\w|\s|\-|\/|\.|\[|\])+)," | rex field=bppm_annotations "0x[a-z0-9]{8},[a-zA-Z0-9]+,(?<INC_CREATED_TSIM>.*)" | rex field=bppm_annotations "[0-9]{3}[A-Z0-9]{5},[a-zA-Z0-9]+,(?<MUTIPLE_CLOSURE_ANNOTATION>.*)" | rex field=bppm_annotations "0x[a-z0-9]{8},CME-remedy.mrl:execute AddIncidentToNotes,Incident (?<INC_CREATED_TSIM_2>(\w|\s|\-|\/|\.|\[|\])+) created by" | eval bppm_nar_close_multiple_events=if(NOT match(bppm_operations_annotations,"OVERRIDE_CLOSED") AND (NOT match(bppm_operations_annotations,"OPERATOR_CLOSED")),"yes", "no") | eval closed_with = if(isnull(closed_with) OR closed_with="Null", INC_CREATED_TSIM, closed_with) | eval closed_with = if(isnull(closed_with) OR closed_with="Null", INC_CREATED_TSIM_2, closed_with) | eval closed_with = if(isnull(closed_with) OR closed_with="Null", MUTIPLE_CLOSURE_ANNOTATION, closed_with) | fillnull value="Null" closed_with | eval time=strftime(_time,"%x-%H:%M:%S") | lookup onepasslk onepass | search bppm_ecdb_env="***" | fillnull value="Null" | stats count(bppm_message) as Total_count, count(eval(like(closed_with, "%INC%"))) as Closed-With-INC, count(eval(like(closed_with, "%CRQ%"))) as Closed-With-CRQ, count(eval(like(closed_with, "%PKE%"))) as Closed-With-PKE, count(eval(like(closed_with, "%WO%"))) as Closed-With-WO by username | sort -Total_count Abv query iam able to pull data as shown in the attached image but i want add 3 more columns Unique INC Count , Unique CRQ Count , Unique WO Count which show distinct count pls help on how to achieve this

Hello everyone I'm new to Splunk . I'm trying to setup/intergrade GitHub Cloud logs into Splunk Cloud. I have managed to get the Splunk GitHub Add-On added to the Splunk IDM. Currently , I'm awaiting for an account for GitHub created . Once , I have the account ,will proceed to setup the inputs. Anyone has done this before? Thanks & Regards Murali