Hi @Gregski11 , I don't know your infrastructure, but a Windows DS can be used without issues if you have to manage only Windows servers, if you want to manage Linux servers, using a Windows DS you lose the grants configurations so you cannot use scripts inputs. Anyway, all the Splunk servers should directly send their logs to the Indexers (also DS) and you can do this by GUI in [Settings > Forwarding and Receiving > Forwarding], setting up the destination Indexers. If you are using to deploy an outputs.conf to your managed servers, you can use it (uploading) without making a manual configuration (I prefer this solution, than manually manage!). You don't need to access conf files if you send clear text logs, if you are using a certificate (even if Splunk auto generated)), you need to manually modify a conf file. About how to configure inputs, I don't like to use the Settings > Inputs feature, because you need to manually manage it, it's better to use the same Splunk_TA_Windows that you deployed to the Windows Servers, and you can manually upload it, without accessing the CMD environment. Ciao. Giuseppe ... View more

Hi @Iris_Pi , as I said, you probably have two timestamps for each event, so you could use _time (you probably associated one of the two rimestamps to this field), or you could take the first one for each event using mvdedup. Ciao. Giuseppe ... View more

Hi @Iris_Pi , probably you have more than one timestamp in each event, what if you count the stats using a different field (e.g. _time)? Ciao. Giuseppe ... View more

Hi @LizAndy123 , let me understand: you want to find the first 10 projectIDs by Speed and the list of project of them, is it correct? if this is your requirement, you can use stats: <your_search> | stats sum(Speed) AS Speed values(Project) AS Project BY ProjectID | sort -Speed | head 10  this search runs if you have more Projects for each ProjectID. If instead you want the most ten Projects BY Speed, you can use top: <your_search> | top 10 sum(Speed) AS Speed BY Project Ciao. Giuseppe ... View more

Hi @dikaaditsa , which index did you configured in your input, that you're using in search? did you installed the Fortinat Fortigate Add-On for Splunk (https://splunkbase.splunk.com/app/2846) to have a correct parsing? At least, it isn't a best practice to use Splunk to receive syslogs. The best approach is to configure a syslog receiver (e.g. rsyslog or syslog-ng) that writes logs on disk and then use Splunk to read these files. In this way, your syslog input will be active even if Splunk is down and in addition gives less overload on the system avoiding queues. Does your distributed search (you have one SH and one IDX) correctly run? in other words, are other searches correctly executed? Ciao. Giuseppe ... View more

Hi @hazem , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @hazem , ok, not it's clear. Anyway,  let us know if we can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @spisiakmi , ok, is the solution ok for you? let us know if we can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @Iris_Pi , the first solution requires that you always have both fwname and interface fields. Ciao. Giuseppe ... View more

Hi @spisiakmi , let me understand: do you want to put in an input both the att1 and att3 tokens or do you want to pass all the att1 and att3 values of the lookup? in the first case, you have at first to create in a dashboard a dropdown using a search like the following: | inputlookup lookup.csv | eval token=att1.",".att3 | dedup token | sort token | table token passing by value the token to te following search. Then run this search (in the same dashboard) index=myindex [ | makeresults | rex field=$token$ "^(?<att1>[^,]+),(?<att3>.*)" | eval earliest=strptime(att3, "%d.%m.%Y") | fields att1 att3 ] | ... Ciao. Giuseppe ... View more

Hi @rsAU , let me understand: you want to count the users that accessed the system more than one time, is this correct? You can use a simple search: <your_search> | stats count by user_id | where count>1 Ciao. Giuseppe ... View more

Hi @tungpx , let me understand: you have a Splunk instance accessible without login (also by API)? is it maybe a free Splunk instance? in this case the only solution is to buy a license. Could you better describe your situation? Ciao. Giuseppe   ... View more

Hi @Cleanhearty , I suppose that you already ingested the csv file in a lookup or in an index. If in a lookup you can define what you mean with "gender that performed the most fraudulent activities and in what category", I suppose that you mean most fraudolent by amount, so you could try something like this: | inputlookup fraud_report.csv | stats max(amount) AS amount BY gender category | sort -amount | head 10 in this way, you have the top 10 categories by gender that have the greatest amount. My hint is also to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial) to learn how to run similar searches. Ciao. Giuseppe ... View more

Hi @hrawat_splunk , open soon a case to Splunk Support. Ciao. Giuseppe ... View more

Hi @hazem , adding a bit to @PickleRick information: you can configure rsyslog (or syslog-ng) server on your UFs: you don't need to install it because it's already installe, you have only to configure it to understand where tp write logs. for more infos see at https://www.rsyslog.com/guides/ or https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s1-basic_configuration_of_rsyslog  on the LB, you need only to configure the receiving port and the destination port and addresses. Some LBs need also to configure a way to check if the destinations are alive, but this configuration depends on your LB and it's indipendent by Splunk or rsyslog receiver. Ciao. Giuseppe ... View more

Hi @Somesh , to send logs from Universal Forwarders to Indexers, you don't need to use a Load Balancer because Splunk has its own method to auto load balance data from UFs to IDXs. You have only to indicate in outputs.conf (on UFs) the autoloadbalance group and the destination Indexers. It's a different thing for syslogs: you need a Load Balancer to distribute load between receivers and manage fail over. One thing, if possible don't use Indexers to receive syslogs, but use two (or more) UFs with an rsyslog (or syslog-ng) receiver, in this way you separate input phase by parsing, merging, tipying and indexing phases. Ciao. Giuseppe ... View more

Hi @Prashant , good for you, see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @dhiraj , let me understand: if you have both the events (message and REQ=INI), running the first two items of my search, you should have two types of events (check this in the interesting fields). So the following stats command, should give you type_count=2 (if both present) and type_count=1 if there's only one. If you have both the strings to search ("Error occurred during message exchange" and "REQ=INI") in two different events (as in your screenshots), you should have both the types; if not, check the strings to search and the eval condition. Ciao. Giuseppe ... View more

Hi @dhiraj , are you sure that the REQ field is already extracted? otherwise you ha to search a different condition: index=your_index ("Error occurred during message exchange" OR "REQ=INI") earliest=-420s | eval type=if(searchmatch("REQ=INI"),"INI","Message") | stats dc(type) AS type_count values(type) As type | where type_count=1 AND type="Message" Ciao. Giuseppe ... View more

Hi @fahimeh , are you using xml or classif format? if xml, try using the classic format adding renderXML=0 to the inputs.conf. Ciao. Giuseppe ... View more

Hi @dhiraj , you have to change only the time period (7 minutes), then the search shoudl be correct: index=your_index ("Error occurred during message exchange" OR REQ="INI") earliest=-420s | eval type=if(REQ="INI","INI","Message") | stats dc(type) AS type_count values(type) As type | where type_count=1 AND type="Message" using this search you select only events with your two conditions and using the eval and the stats you identify the presence of one or both the conditions. In your use case you want to fire the alert if there's the error message but there isn't the REQ=INI condition, the other conditions are excluded. Ciao. Giuseppe ... View more