Hi All, One of our new client interested to use Splunk tool to monitor their application.  To setup Splunk for their application what are the initial details we need to ask to Client to configure Splunk. Like which OS they use, How many servers, which cloud , which database, etc.. If there is any template available to get the basic required details from client kindly share with me. or what are the specific details we need to request them. Thanks in advance. 

Hi All, Currently we are using 3 Heavy Forwarder in Windows server. Due to budget problem we are planning to move all HF to Linux server.  Kindly guide and suggest how to move HF from Windows to Linux.  How to copy to already installed apps and existing settings and configuration files from windows to Linux? Thank in advance for your reply.  

Hi, I am facing an issue with the eval if condition. Please help.   index=main, source=ls.csv | eval new_field = if(error=200,"sc","cs",if(error=500,"css","ssc")) | table error new_field     Regards Suman P.

Dear All, I have created a TA to monitor a custom python script named log_parser_v1.py". Here is the configuration from /splunk/etc/apps/TA-logs/default/inputs.conf [script://./bin/log_parser_v1.py] python.version = python3.9 interval = 300 disabled = false But while running TA got failed with the error "ModuleNotFoundError: No module named 'syslog'" So I am trying to debug with splunk cmd python, and it's throwing "ModuleNotFoundError: No module named 'syslog'" error - [ss@localhost bin]$ ./splunk cmd python log_parser_v1.py Traceback (most recent call last): File "bin/log_parser_v1.py", line 7, in <module> import syslog ModuleNotFoundError: No module named 'syslog' But the same script runs fine with the command python3.9 bin/log_parser_v1.py Here are the few lines from the script with the import statement of the module "syslog" in the line 7- [ss@localhost bin]$ cat log_parser_v1.py #!/usr/bin/env python import os, sys sys.path.append('/usr/bin/python3.9') sys.path.append('/usr/lib/python3.9/site-packages') sys.path.append('/usr/lib64/python3.9/site-packages') sys.path.append(os.path.dirname(os.path.abspath(__file__))) import json, logging, syslog, datetime, argparse, shutil, zipfile, tarfile, bz2, socket, sys, errno, time, gzip, hashlib from logging.handlers import SysLogHandler, SYSLOG_TCP_PORT from syslog import LOG_USER To use python3.9. I append the python3.9 package path in script but it still is not picking the syslog module. here is the python3.9 path - [ss@localhost bin]$ whereis python python: /usr/bin/python2.7 /usr/bin/python3.6 /usr/bin/python3.6m /usr/bin/python3.9 /usr/lib/python2.7 /usr/lib/python3.6 /usr/lib/python3.9 /usr/lib64/python2.7 /usr/lib64/python3.6 /usr/lib64/python3.9 /usr/include/python3.9 /usr/include/python2.7 /usr/include/python3.6m /usr/share/man/man1/python.1.gz I also tried to import syslog package with ./splunk cmd python, but it got failed [ss@localhost bin]$ ./splunk cmd python Python 3.7.11 (default, May 25 2022, 12:23:55) [GCC 9.1.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import sys >>> import syslog Traceback (most recent call last): File "<stdin>", line 1, in <module> ModuleNotFoundError: No module named 'syslog' >>> exit() And here is imported successfully with python3.9 [ss@localhost bin]$ python3.9 Python 3.9.7 (default, Sep 13 2021, 08:18:39) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import syslog >>> exit() Guys, I am looking for your help to understand like what is missing. please help here.

Hi Community,   I have a use case where the client needs data to be stored over an extended period of time. That data powers the dashboard that uses datamodels to generate the panels. Since the client wants data to be available for at least 6 months, the idea was to create an index that has hot/warm buckets in SSD and cold buckets in slower storage. I have two different issues here: I have implemented this setup in our test environment with mixed storage for hot and cold buckets. Is there a way for me to check where my data is being stored? Since my dashboards are all powered by datamodels, I have a question regarding the storage location and method of accelerated data. If the data is accelerated, does the data model summary folder store the complete accelerated data or will it have some pointers that point to the location where the data is actually present? The main problem here is that if we have mixed storage of SSD and HDD, and since all the dashboards are powered by datamodels how much will this affect the performance of Splunk? Will the time to load the dashboard be affected by such a storage model?   Regards, Pravin

Hi, I am using the following script in Splunk query. Here i am trying having multiple values in field AdditionalData and splitting them to extract the fields and writing to separate fields. Now if there is any blank value, in any of these extract fields, i want to have the default value appear as Not Available.  Thanks in advance | eval "AddtionalData"=if(isnotnull('cip:AuditMessage.ExtraData'),'cip:AuditMessage.ExtraData',"Not Available") | rex field=AddtionalData "Legal employer name:(?<LegalEmployerName>[^,]+)" | rex field=AddtionalData "Legal entity:(?<LegalEntity>[^,]+)" | rex field=AddtionalData "Country:(?<Country>[^,]+)" | rex field=AddtionalData "Business unit:(?<BusinessUnit>[^,]+)"