Hi @chrisitanmoleck , ad first check, verify the timezone of the forwarder. Ciao. Giuseppe ... View more

Hi @hazardoom , 7k alerts aren't upgradable, in this case, the only way, is to move them in the default folder. Ciao. Giuseppe ... View more

Hi @Zhangyy , try without dots and use quotes. Ciao. Giuseppe ... View more

Hi @rahulhari88 , my hint is from the Splunk Cluster Administration Course, probably it's ok also in your way: try it. Ciao. Giuseppe ... View more

Hi @rahulhari88 , you can use only origin and total: [general] site = site_DC [clustering] mode = manager manager_switchover_mode = auto/manual manager_uri = clustermanager:cm1,clustermanager:cm2 multisite = true available_sites = site_DC, site_DR site_replication_factor = origin:2, total:4 site_search_factor = origin:2, total:3 replication_factor = 2 pass4SymmKey = <redacted> cluster_label = abc_idxcluster [clustermanager:cm1] manager_uri = https://CM1:8089 [clustermanager:cm2] manager_uri = https://CM2:8089 Ciao. Giuseppe ... View more

Hi @Mridu27 ,  in addition to the solutions from @livehybrid  and @kiran_panchavat , you could simply change the password of this user, so the user will be active but practically disabled! Ciao. Giuseppe ... View more

Hi @hazardoom , as @livehybrid said, you cannot move savedsearches in local. My hint is to manually copy all of them, it's really difficoult to upload a custom app and then delete objects when you need! Ciao. Giuseppe ... View more

Hi @rahulhari88 , I don't like to have only on e copy od data for each seite because in tjhis way you need to access both the sites when one Indexert is down. Anyway, you have to configure in $SPLUNK_HOME/etc/system/local/server.conf of your Cluster Manager: [clustering] multisite = true mode = master available_sites = site1,site2 site_replication_factor = origin:1,total:2 site_search_factor = origin:1,total:2 pass4SymmKey = <your_password> or using CLI: /opt/splunk/bin/splunk edit cluster-config -mode master -multisite true -site site1 -available_sites = site1,site2 -site_replication_factor origin:1,total:2 -site_search_factor origin:1,total:2 -secret <your_password> Put attention to the Search Affinity: if you use this option, you reduce the traffic in your network between sites, when one site is down you must use the Search Head of the live site, otherwise you don't see all the data. Ciao. Giuseppe ... View more

Hi @Zhangyy , latitude and longitude are numbers, so you can use the greater than (>) and less than (<) operators in your searches. Ciao. Giuseppe ... View more

Hi @MrGlass , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @hk_baek , the official Splunk documentation is the best guidance! https://splunkbase.splunk.com/app/4607 Ciao. Giuseppe ... View more

Hi @MrGlass , Splunk isn't a database, so the join command must be used only when there isn't any other solution and when you have few data, instead use stats, somerhing lie this: (index=network "arp-inspection" OR "packets received") OR (index=cisco_ise sourcetype=cisco:ise:syslog User_Name="host/*") | eval NetworkDeviceName=coalece(NetworkDeviceName, Network_Device) | rename mnemonic AS Port_Status | rename src_interface AS "src_int" | stats earliest(device_time) AS device_time values(User_Name) AS User_Name values(src_ip) AS src_ip values(src_mac) AS src_mac values(message_text) AS message_text values(Location) AS Location values(Port_Status) AS Port_Status BY "NetworkDeviceName" , "src_int" | table device_time, NetworkDeviceName, User_Name, src_int, src_ip, src_mac, message_text, Location, Port_Status Ciao. Giuseppe ... View more

Hi @Hemant_h , et me understand you use case: you have around 40 DC with the Universal Forwarder. on these UFs I suppose that there are some add-ons, one of them contains outputs.conf file and it's role is to address the system to receive data forwarders by UFs. It seems that these data from UFs are forwarderd to one (or more) Heavy Forwarders that forward data to the Indexers. then you have a Deployment server that deployes the add-on contaiing outsputs.conf. Usually on the UFs is installed (deployed by the DS) also the Splunk_TA_Windows to ingest logs. is this add-on installed on the UFs? have you this add-on deployed by the DS? are you receiving logs on Splunk? which logs are you receiving: internal, Windows or both? if you have only the outputs.conf add-on, you should receive only _* logs (internal Splunk logs). Anyway, the flow is usual from the UFs to the HF or directly to IDXs. Ciao. Giuseppe ... View more

Hi @tangtangtang12 , whichAdd-On are you using to extract these information from your windows server? is you use the Splunk_TA_Window ( https://splunkbase.splunk.com/app/742 ) there's two inputs (disabled by default and to enable) that you can use: [WinHostMon://Computer] [perfmon://Memory] Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s) Ciao. Giuseppe ... View more

Hi @mshakeb , I suppose that you're ingesting logs using a Universal Forwarder. If there isn't any issue /that you can search in _internal) UF read all the wineventlogs from the Domain Controller, so if some event is missed, you should check, if it was generated in WinEventLog. Ciao. Giuseppe ... View more

Hi @mshakeb , please, don't attach your request to another one, even if on the same topic, open a new question. In this way, you'll have more choices to describe your requirements and to receive an answer. ciao. Giuseppe ... View more

Hi @shashigari , as also @livehybrid said, it isn't so clear why you are using this structure of search. In addition, you are using a macro that we don't know. Anyway, the format of time in earliest and latest is correct. Could you better describe your requirement and share your macro? Ciao. Giuseppe ... View more

Hi @tech_g706 , there isn't any 8.x version certified compatible with Windows 2008/R2 and supported by Splunk. Probably the 9.4.x version runs on Windows 2008/R2 but it isn't certified and supported by Splunk. The only that  can formally answer to your question is Splunk Support. Ciao. Giuseppe ... View more

Hi @hk_baek , Community is the right site for questions! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @hk_baek , for my knowledge, the minimum reference hardware is the normal reference for Splunk:; 12 CPUs, 12 GB RAM and 300 GB hd. Then you should tune your installation to see if this specifications are sufficient for the use that you will do. Obviously, this reference is to use DSDL without othe premium apps as ES or ITSI. You can find all the information and documentation at https://splunkbase.splunk.com/app/4607 Ciao. Giuseppe ... View more

Hi @danielbb , I don't know very well this app, but usually GUI interface is disabled on Indexers, so why to install it on Indexers? Ciao. Giuseppe ... View more

Hi @agonmu , please open a new case, even if on the same topic, otherwise its difficoult to answer you. Ciao. Giuseppe ... View more

Hi @Karthikeya , are you sure that you want to apply this extraction at index time? this means a greater job for indexers and this usually depends on the volume of indexed logs for extractions, how many logs must you index daily and in the peak period? here, you can find a comparation between the two modes and a description: https://docs.splunk.com/Documentation/Splunk/9.4.1/Indexer/Indextimeversussearchtime  Ciao. Giuseppe ... View more