Hi everyone, new Splunker here. I want to use WMI to collect Windows event logs from different Windows servers instead of the Splunk forwarder. Is it doable? If yes, please provide steps on how to collect logs remotely and send them to Splunk. What pull method do I need to use from the Splunk UI, or do I need to use a push method?
I'm trying to get our syslogs forwarded via UF to Splunk Cloud. I've got the UF listening on port 514 and added

[udp://514]
connection_host = network
sourcetype = syslog

to the inputs.conf file, but I'm not seeing anything in search. Is there a way to make sure the UF is seeing anything on that port? Am I missing a step?
On my Splunk Master node, I can check the status of "All Data is Searchable, Search Factor is Met, Replication Factor is Met". Is there a way to check the status using the CLI? Or what's the best way to set an alert, so that if there is any issue, it emails me?
What file and registry paths are required for the Windows Splunk Universal Forwarder? Looking to deploy Unified Write Filter (UWF) to harden kiosks/shared Windows workstations. UWF works by redirecting all non-approved file and registry writes to temporary memory, which is wiped out by a reboot. We need to identify the file and registry locations which the Splunk Universal Forwarder (UF) requires so they can be excluded from UWF.
Hello, is it possible to change the color of the Single Value visualization based on a time value of the search result? I get a timestamp as a search result and would like to make the text of the visualization red if the timestamp is from more than 3 days ago. Thanks for your help!
My customer wants a count of calls coming into their call center during their business hours (M, Tu, Th, F: 8:00 a.m. - 4:30 p.m. and W: 9:00 a.m. - 4:30 p.m.) and a count of calls that come in outside these hours and on weekends. This is what I have for the time element of the after-hours search so far, but I am getting no results:

| eval date_hour=strftime(_time, "%H")
| eval date_wday = strftime(_time, "%w")
| search (date_wday=1 OR date_wday=2 OR date_wday=4 OR day_wday=5 date_hour<=7 date_hour>=17.5) OR (date_wday=3 date_hour<=8 date_hour>=17.5) OR (date_wday=6 OR date_wday=7)
I've stumbled today on a strange thing. It started out with a case about a user hitting quota limits. But when I dug into that deeper, it turned out that the user doesn't show in the system. It's not displayed in the UI, and it doesn't show in the REST output of /services/authentication/users. But it is defined in etc/passwd, so it can log in. And it has KOs created and assigned to it (most importantly in my case, scheduled searches). It has a role assigned in etc/passwd and it seems that that role is properly enforced (hence the quota limitations). Anyone encountered such a thing? How could such a user have been "lost"?
Hi everyone, I am experiencing some issues with the ServiceNow add-on not creating incidents in ServiceNow. I was able to successfully add the ServiceNow account in Splunk and confirmed that the correct permissions have been granted to the account in ServiceNow.

When I try to create an incident for an episode in Splunk ITSI, I receive the error: "Unable to run the action snow_incident. Make sure the action is configured correctly and has all required fields. See the Activity tab of the episode for more information."

I checked the Activity log and found the following errors:
"Action="snow_incident" failed with the following error: None search failed for actionId=search..."
"Search command "snowincidentalert" failed to return an incident ID or URL. Check the add-on configuration and input parameters."

I also ran the following search as per the Splunk documentation:
eventtype=snow_ticket_error

And I see the error:
"ERROR pid=1 tid=MainThread file=snow_ticket.py:_do_event:182 | Failed to connect to https://companydev.service-now.com/https://companydev.service-now.com, error=Traceback (most recent call last):..."

I'm not sure why the URL is listed twice in the error. I am able to connect and log in to the URL with the account used in Splunk. Has anyone else run into an issue like this before? Thanks.
Is there a way to query ES investigations for artifacts? For example, suppose that I have a current notable with a hostile foreign IP address. I would like to query Splunk and find all previous investigations with that IP address so that analysts can review the previous investigations.
Hi Splunkers, any best practices for field extraction and line breaking? I want to know something like: if we use all these stanzas in props.conf and transforms.conf, will the line breaking and field extraction take fewer resources, and what is a good optimization method?
I would like to onboard the data from an Oracle 19c database to Splunk. So, I would like to know if Oracle 19c is a compatible/supported version to be used via Splunk DB Connect?
Hi, we are facing issues in listing available Splunk indexes in Splunk Cloud using splunklib.client.connect provided by the splunklib library. Below is the code snippet used:

service = splunklib.client.connect(host=host, token=session_token)
ind_list = service.indexes.list()

This code works perfectly fine in Splunk Enterprise and previous Splunk Cloud versions, but we noticed this issue happening on the latest versions (8.2.2202 and above). When this code executes on 8.2.2202 and above we notice the following debug line, which clearly shows the timeout error while fetching the indexes, as below. We see this timeout error because Splunk is not returning the index names, since it is failing to connect to Splunk Cloud.

ERROR 2022-10-03 05:39:22,296 CiscoCloudSecurity : API: fetch_indexes, Exception : [Errno 110] Connection timed out
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/cisco-cloud-security/bin/fetch_indexes.py", line 26, in handle
    ind_list = service.indexes.list()
  File "/opt/splunk/etc/apps/cisco-cloud-security/bin/splunklib/client.py", line 1479, in list
    return list(self.iter(count=count, **kwargs))
  File "/opt/splunk/etc/apps/cisco-cloud-security/bin/splunklib/client.py", line 1438, in iter
    response = self.get(count=pagesize or count, offset=offset, **kwargs)
  File "/opt/splunk/etc/apps/cisco-cloud-security/bin/splunklib/client.py", line 1668, in get
    return super(Collection, self).get(name, owner, app, sharing, **query)
  File "/opt/splunk/etc/apps/cisco-cloud-security/bin/splunklib/client.py", line 766, in get
    **query)
  File "/opt/splunk/etc/apps/cisco-cloud-security/bin/splunklib/binding.py", line 290, in wrapper
    return request_fun(self, *args, **kwargs)
  File "/opt/splunk/etc/apps/cisco-cloud-security/bin/splunklib/binding.py", line 71, in new_f
    val = f(*args, **kwargs)
  File "/opt/splunk/etc/apps/cisco-cloud-security/bin/splunklib/binding.py", line 686, in get
    response = self.http.get(path, all_headers, **query)
  File "/opt/splunk/etc/apps/cisco-cloud-security/bin/splunklib/binding.py", line 1199, in get
    return self.request(url, { 'method': "GET", 'headers': headers })
  File "/opt/splunk/etc/apps/cisco-cloud-security/bin/splunklib/binding.py", line 1259, in request
    response = self.handler(url, message, **kwargs)
  File "/opt/splunk/etc/apps/cisco-cloud-security/bin/splunklib/binding.py", line 1399, in request
    connection.request(method, path, body, head)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1281, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1327, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1276, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1036, in _send_output
    self.send(msg)
  File "/opt/splunk/lib/python3.7/http/client.py", line 976, in send
    self.connect()
  File "/opt/splunk/lib/python3.7/http/client.py", line 1443, in connect
    super().connect()
  File "/opt/splunk/lib/python3.7/http/client.py", line 948, in connect
    (self.host,self.port), self.timeout, self.source_address)
  File "/opt/splunk/lib/python3.7/socket.py", line 728, in create_connection
    raise err
  File "/opt/splunk/lib/python3.7/socket.py", line 716, in create_connection
    sock.connect(sa)
TimeoutError: [Errno 110] Connection timed out

Please let us know how we can resolve this issue on Cloud. Thanks.
Hello, I've set up a field choice called "ASSETtoken" where the user can select "value1", "value2" or "all". I would like, in a Single Value element, to do something like count all lines in the column "columnX" in CSVValue1 or CSVValue2 or both, depending on the selection. Any tip is welcome (started Splunk 2/3 days ago). Thx all!
Hi Team, I am trying to compare IP addresses but I am unable to find any logic that can do so with the below query:

index=index_name sourcetype="sourcetype2" (POSTEDID!=SYSTEM AND VERIFIERID!=SYSTEM)
| rename ENTRYID as Maker_User
| rename POSTEDID as Checker_User
| rename VERIFIERID as Verifier_User
| stats values(Maker_User) as maker, values(ENTRYTIME) as maker_time, values(Checker_User) as checker, values(POSTEDTIME) as checker_time, values(Verifier_User) as verifier, values(VERIFIERTIME) as verifier_time, values(AMOUNT) as amount by TRANSACTIONID
| eval USER_ID = lower(mvappend(maker,checker,verifier))
| mvexpand USER_ID
| join USER_ID type=outer [ search index=index_name sourcetype="sourcetype1" | eval USERID=lower(USERID) | stats values(IP) as dev_ip by USERID]
| where isnotnull(verifier) AND amount>100000

The results I get with this are as below:

TRANSACTIONID  Maker  Maker Time  Checker  Checker Time  Verifier  Verifier Time  Amount  USERID  IP
001            A      10:00       A        10:03         B         10:05          200000  A       IP of A
001            A      10:00       A        10:03         B         10:05          200000  A       IP of A
001            A      10:00       A        10:03         B         10:05          200000  B       IP of B

I want to have a logic that can compare the IP address of A and the IP address of B, so that both IP addresses are not the same. Any assistance would be appreciated.
I have 2 types of error messages that I want to display along with their count. One error has "." at the end, and another has "." at the end but has some redundant string surrounded by "<>" which I don't need. Is there a way to accommodate both of these in the same regex? Currently I am using the below regex with only the "." condition, and it seems it's not working for messages with "<".

Message 1:
stack_trace : com.abc.xyz.package.ExceptionName: Missing A.

Message 2:
stack_trace : com.abc.xyz.package.ExceptionName: Missing B <abcd> com.

Query:
BASE_SEARCH | rex field=_raw "Exception: (?<ExceptionText>[^\.]+)" | stats count as Count by "ExceptionText"

Expected Output:
Missing A 3
Missing B 4

Actual Output:
Missing A 3
Missing B <abcd> com 4
I am trying to explore the free trial edition of Splunk Observability. However, I am not able to integrate my AWS EKS cluster. It says: Contact your administrator.
Hi team, I created one query with the rex command and the stats command, and it is working fine. Now I need to add another column which can evaluate the error details and should display the status as 'ignore' or 'follow-up'. The query looks like:

index=dev_master source="testing source" | rex field=_raw "Error desc : (?<Err>[^\"|<]+)" | stats count by Err

The result looks like below:

Err                                    count
server timeout, try after sometime     5
Web service error                      8
Address element not found              2

Now I want to enhance the above query to get the output like below.

Err                                    count   Action
server timeout, try after sometime     5       Ignore
Web service error                      8       follow-up
Address element not found              2       Ignore

Can anyone help me on this? Thanks in advance.
Hello guys, we're encountering some log gaps from our proxy into Splunk periodically, so when the logs are back, the use cases are not detecting anything for that previous period. How did other companies fix that? What is the best way to handle that, when the logs are back, with the minimum of resources? Do we need to change the start date and end date (of the log gaps) manually every time it happens, and run the use cases again? Or is there any other more useful solution? Thank you!
Hello community, I am new here and I have a simple question on my chart, which is not working as expected. Currently I have the following chart, which brings me the disk usage in KBytes. It works perfectly:

sourcetype=app:my_app AND mount_usage_kb | timechart max(mount_usage_kb) as "Mount size in KB"

I tried to eval a new variable to have the values in MBytes, but it does not work; the chart is empty and values are not shown (even on the table):

sourcetype=app:my_app AND mount_usage_kb | eval mount_usage_mb=(mount_usage_kb/1024) | timechart max(mount_usage_mb) as "Used storage MB"

Any clue on what I am doing wrong? Thanks a lot.
Hi Team, is it possible to disable ticket integration and mail notification integration temporarily for all alerts during a maintenance window? I found the below path in my Splunk account:

Settings ---> Alert Action --> serviceNow integration --> Status (Enable/Disable)

Will this help to temporarily disable the integration? Please advise. Thank you.