Hi Splunkers, I have a doubt about Slunk data forwarding to third part systems. I know that this task can be performed with forwarders; what I'm not able to understand is if it can be performed after data are arrived to Splunk and has been ingested, parsed and aggregated. let me explain better: in a usual scenario, we know that Forwarder are something that stay before a Splunk environment, so it is something similar to: Data sources -> Forwarders (on DS or on intermediate) -> Splunk environment (SH +Indexer) With Forwarder I can achieve this scenario: Data sources -> Forwarders (on DS or on intermediate) -> Splunk environment (SH +Indexer)                                                                                                                  -> Other systems So, I can forward data before they arrive to SH + Indexer. But what about if I need to perform this task: Data sources -> Forwarders (on DS or on intermediate) -> Splunk environment (SH +Indexer) -> parsing, aggregation and filtering -> Forwarding to third part system Is it possible? The requirement is that data must have completed all Splunk lifecycle: they arrive raw/only partially manipulated from Mulesoft, then must be parsed, filtered and aggregated and after this sent back to Mulesoft that forward them to final systems. Is this something that I can achieve with Splunk?  

Hi , I want to change the date format and find difference in days from current day . Date format i  have now is , Timestamp 10/31/2022 1:28:20 PM index=s sourcetype=Resources|fillnull | eval Timestamp=strftime(strptime('Timestamp',"%m/%d/%Y"),"%Y-%m-%d") | eval diff=now()-Timestamp|table Name _time Timestamp diff Here i am not getting the diff field populated with difference in number of days.It shows as blank .The date format i expect is %Y-%m-%d for timestamp  column. Please help me to achieve this .  

Hello Community, I'm currently trying to configure the Splunk Add-on for Microsoft Azure. The Addon is installed on the Heavy Forwarder in my Environment and my goal is to forward the Data from the API to an Index in the Indexer Cluster.  The Problem I'm having is that the configuration of the App only accepts Indexes that are visible locally on the machine. Since Indexes, that are configured through the _cluster, don't show up in the local index list, I am not able to choose it. If I write the index into the config anyway the App outputs the Status=false and doesn't pull from the API. My Question now is:  How can I make the Index from the Cluster visible on the Heavy Forwarder so I can select it in the Script? Or if there is any other way to forward the Data from the App that I have missed? Any advice or hints to documentation I might have missed are appreciated! 

We have MFA logs being sent to one of our indexes and the field I'm looking at is as follows:   message: MFA challenge issued for account 1234556. Email is example@example.com   I want to be able to count the number of times "MFA challenge issued" occurs in the logs. I'm trying to use the rex command but it's just so confusing at the moment Any help would be great!

Hi I dont understand the goal of the summary range in accelerated search what is the difference with the report range For example if i run my report on the last 30 days and I put 7 days in the summary range what it means exactly? Rgds      

Hi everyone,   I'm struggling with SplunkDB connect and HEC. I have a monoinstance splunk that has all roles. I have multiple UF and use deployment server with HEC. I'm currently trying to use SplunkDB connect on that instance to read some DB data and write it in an index and I keep having the error message : "Unsupported or unrecognized SSL message". I checked the port (8088), seems fine. SSL is enabled on HEC and splunkd. (default parameters)   I wonder if it is possible that splunk db connect uses HEC entry on localhost:8088 if I have deported the HEC entry on the UFs with "useDeploymentServer". Could it explain the ssl error ? I tried to use dbx_settings.conf but it does not seems to use my second entry :     [hec] maxRetryWhenHecUnavailable = 3 hecUris = localhost:8088,splunk-hec.qualgend:8088     Logs sample :     127.0.0.1 - - [03/nov./2022:15:30:08 +0000] "GET /api/taskserver HTTP/1.1" 200 414 "-" "python-requests/2.25.0" 2 2022-11-03 16:30:00.286 +0100 [Scheduled-Job-Executor-4] DEBUG c.s.d.s.dbinput.recordreader.DbInputRecordReader - action=closing_db_reader task=rising_mcipe_qualif 2022-11-03 16:30:00.286 +0100 INFO c.s.dbx.server.task.listeners.JobMetricsListener - action=collect_job_metrics connection=mcipe_qualif jdbc_url=null db_read_time=0 hec_record_process_time=3 format_hec_success_count=69 status=FAILED input_name=rising_mcipe_qualif batch_size=1000 error_threshold=N/A is_jmx_monitoring=false start_time=2022-11-03_04:30:00 end_time=2022-11-03_04:30:00 duration=21 read_count=69 write_count=0 error_count=0 2022-11-03 16:30:00.285 +0100 [Scheduled-Job-Executor-4] INFO org.easybatch.core.job.BatchJob - Job 'rising_mcipe_qualif' finished with status: FAILED 2022-11-03 16:30:00.285 +0100 [Scheduled-Job-Executor-4] ERROR org.easybatch.core.job.BatchJob - Unable to write records javax.net.ssl.SSLException: Unsupported or unrecognized SSL message at java.base/sun.security.ssl.SSLSocketInputRecord.handleUnknownRecord(SSLSocketInputRecord.java:451) at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:175) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111) Afficher toutes les 35 lignes 2022-11-03 16:30:00.285 +0100 [Scheduled-Job-Executor-4] ERROR c.s.d.s.dbinput.recordwriter.CheckpointUpdater - action=skip_checkpoint_update_batch_writing_failed javax.net.ssl.SSLException: Unsupported or unrecognized SSL message at java.base/sun.security.ssl.SSLSocketInputRecord.handleUnknownRecord(SSLSocketInputRecord.java:451) at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:175) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111) Afficher toutes les 35 lignes 2022-11-03 16:30:00.285 +0100 [Scheduled-Job-Executor-4] ERROR c.s.d.s.task.listeners.RecordWriterMetricsListener - action=unable_to_write_batch javax.net.ssl.SSLException: Unsupported or unrecognized SSL message at java.base/sun.security.ssl.SSLSocketInputRecord.handleUnknownRecord(SSLSocketInputRecord.java:451) at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:175) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111) Afficher toutes les 35 lignes 2022-11-03 16:30:00.279 +0100 [Scheduled-Job-Executor-4] INFO c.s.d.s.dbinput.recordwriter.HttpEventCollector - action=writing_events_via_http_event_collector record_count=69 2022-11-03 16:30:00.279 +0100 [Scheduled-Job-Executor-4] INFO c.s.d.s.dbinput.recordwriter.HttpEventCollector - action=writing_events_via_http_event_collector 2022-11-03 16:30:00.279 +0100 [Scheduled-Job-Executor-4] INFO c.s.dbx.server.dbinput.recordwriter.HecEventWriter - action=write_records batch_size=69       Do you have any idea what I did wrong ? Any clue would be greatly appreciated ! Thanks in advance, Ema

Hi, i got the below query, and alert should get triggered only when data is not avaiable from any one of the host_ips i gave the time range as 24 hrs to now and alert condition = o and corn expression */30 * * * * i am getting mail for every 30 mins, even if data is available. index=advcf request=* host IN(abgc, efgh, jhty, hjyu,kjnb) | eval event_ct=1 | append [| makeresults | eval host="abgc, efgh, jhty, hjyu, kjnb" | rex field=host mode=sed "s/\s+//g" | eval host=split(host,",") | mvexpand host | eval event_ct=0 ] | stats sum(event_ct) AS event_ct BY host | where event_ct=0