Hi @lucacaldiero , only for source and host, you can use the asterisk in the props.conf, e.g.: [host::nyc*] ... or [source::/var/log/*] ... not for sourcetype that must be exactly declared. Ciao. Giuseppe ... View more

Hi @lucacaldiero , see at https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Routing_and_filtering_capabilities_of_forwarders It depends on which data you want to forward: if you wan to duplicate data (with double license consuprion!), you can simply configure your outputs.conf following the instructions in the above page; if you want to select which data to dend to each group, see at https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding Ciao. Giuseppe ... View more

Hi at all, At first, as @ITWhisperer said, try to optimize your search. In addition, you could use a summary index (https://docs.splunk.com/Documentation/Splunk/9.4.0/Knowledge/Aboutsummaryindexing) or an accelerated custom Data Model (https://docs.splunk.com/Documentation/Splunk/9.4.2/Knowledge/Acceleratedatamodels) containing the data you need. I had a similar situation some years ago: a dashboard used by many people with 12 searches in Real Time, some of them with sobsearches: this dashboard was killing the system. I solved scheduling 12 reports every 5 minutes and displaying the results of these reports in the dashboard: in this way the 12 reports were executed only one time every 5 minutes instead in real time for each user, for more infos see at https://docs.splunk.com/Documentation/Splunk/9.4.1/Knowledge/Manageacceleratedsearchsummaries . In addition you could accelerate these reports if possible (there are some limitations to report accelerations: https://docs.splunk.com/Documentation/Splunk/9.4.2/Report/Acceleratereports Ciao. Giuseppe   ... View more

Hi @Nrsch , if you open a case to Splunk Support, they answer that UBA must be installed by Splunk PS to be certified. For my experience I hint to check the versions of the operative system, checking all the installed packets: I had a Red Hat 8.8 installation where some pachets were in 8.9 and we received many installation errors. Ciao. Giuseppe ... View more

Hiv @mchoudhary , your question is too vague: which kind of logs are you speaking for (windows, Linux, Splunk, etc...), what is the technology you are using? have you already ingested these logs in Splunk or must you ingest them? Ciao. Giuseppe ... View more

Hi, @dm1 , I will try, if I will be able to find it! Ciao. Giuseppe ... View more

Hi @spisiakmi , please try this: | makeresults | eval tmp_1=1 | eval tmp_2="" | eval tmp_3=3 | eval tmp="" | foreach tmp_* [| eval tmp = tmp ."|".if(isnotnull(<<FIELD>>),<<FIELD>>,"")] | eval tmp=substr(tmp, 2) | rex field=tmp mode=sed "s/\|+/|/g" | table tmp Ciao. Giuseppe   ... View more

Hi @umd06 , did you tried to crete two inputs? one for all logs but not EventCode=5156 (blacklisting this EventCode), assigning only _SYSLOG_ROUTING one only for EventCode=5156 log (whitelisting this EventCode) , assigning both _SYSLOG_ROUTING and _TCP_ROUTING Ciao. Giuseppe  ... View more

Hi @CharlieJ-BGS , I never tried but I think that isn't permitted. Ciao. Giuseppe ... View more

Hi @SailPoint_IDPlu , I don't think so! Add it to Splunk ideas http://ideas.splunk.com/ Ciao. Giuseppe ... View more

Hi @trazomtg , as the others already said, in Splunk, you can correlate events from the same or different data sources, even if etherogenous or different. The rule to create a correlation search, is to identify the correlation key, in other words the fields to use to correlate the different events. We could help you, but it's mandatory to have more details about the data flows to correlate. as an exmple, you could correlate access logs to a windows server with an entrance badge, so if in windows the login is recognized by user and EventCode=4624 and e.g. in the entrance badge the user field is username and the action is action="access", you could create a search like the following: (index=wineventlog EventCode=4624) OR (index=entrance_badge action="access") | user=coalesce(user,username) | stats earliest(eval(if(index=wineventlog,_time,""))) AS wineventlog_time earliest(eval(if(index=entrance_badge,_time,""))) AS entrance_badge_time dc(index) AS index_count BY user | eval wineventlog_time=strftime(wineventlog_time,"%Y-%m-%d %H:%M:%S"), entrance_badge_time=strftime(entrance_badge_time,"%Y-%m-%d %H:%M:%S") In this way, you can check that a user is present in the office when accessed a server. Ciao. Giuseppe ... View more

Hi @spisiakmi , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @spm807 , you can use CASE, as described at https://docs.splunk.com/Documentation/Splunk/9.4.2/SearchReference/ConditionalFunctions#case.28.26lt.3Bcondition.26gt.3B.2C.26lt.3Bvalue.26gt.3B.2C....29 Ciao. Giuseppe ... View more

Hi @spisiakmi , this is always the problem analyzing a transaction. The only way is to define a larger period and eventually restrict the starting events. Ciao. Giuseppe ... View more

Hi @RobK700000 , if they are many, you could use a lookup containing the indexes exception list, | tstats count where index=* by index | append [ |rest /services/data/indexes | dedup title | fields title ```Discard internal indexes``` | search title!="_*" OR NOT [ | inputlookup indexes_exception_list.csv | fields title ] | rename title AS index | eval count=0 ] ```Merge results, keeping the copy with a non-zero, if present``` | stats max(count) AS count BY index | where count==0 otherwise (if they are few), you could add them to the subsearch: | tstats count where index=* by index | append [ |rest /services/data/indexes | dedup title | fields title ```Discard internal indexes``` | search title!="_*" OR NOT index IN (index1, index2, index3) | rename title AS index | eval count=0 ] ```Merge results, keeping the copy with a non-zero, if present``` | stats max(count) AS count BY index | where count==0  Ciao. Giuseppe ... View more

Hi @sarge338 , yes, it's poossible to have one value for each column, but could you share your search? otherwise it's difficoult to give a correct answer! in general, you could display only one of the values in the timestamp column ore rename one of the fields, but I need your search to help you. Ciao. Giuseppe ... View more

Hi @Joe_Hartzel , if the answer solves your requirement, please add some Karma Point to all the Contributors, otherwise, open a new question describing your requirement. Ciao. Giuseppe ... View more

Hi @StephenD1 , in addition to the perfect answer of @kiran_panchavat , I whould add only one information: forwarders continue to work also without a running Deplyment Server, so you don't need to cluster it, you could eventually use the VM-Ware solution described by Kiran, but it isn't mandatory. Ciao. Giuseppe ... View more

Hi @LIS , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @LIS , I usually put it both on UFs and Indexers, and Search Heads. Ciao. Giuseppe ... View more

Hi @splunk_admin , as @PickleRick said, don't put conf files in system/local, but always in ad add-on to deploy using the Deployment Server. then you can filter logs in two ways: on the system where logs are ingested blacklisting the logs in input, on the first full Splunk instance (in other words o the first HF) where data are passing through, using the system you shared that's described at http://docs.splunk.com/Documentation/Splunk/9.0.5/Forwarding/Routeandfilterdatad Then, are you sure that the sourcetupe you used in the props.conf is correct? check in the input what's the sourcetype associated because maybe there's a sourcetype transformation. Which add-on are you using? Ciao. Giuseppe ... View more

Hi @lauMarot , This app is locatend on the Search Heads, but probably inputs are in differents systems and in different apps called add-ons. Ciao. Giuseppe ... View more

Hi @LIS , some pasring activities are done on the Forwarders and some others are done on the first full Splunk instance that data are passing through, in your case Indexers. Put the props.conf on the UFs and on Indexersa, and, if you have, on Search Heads. Ciao. Giuseppe ... View more

Hi @LIS , where did you locate the props.conf file? you must put it on the UF and on the first full Splunk instance. Ciao. Giuseppe ... View more

Hi @lauMarot , are you speaking of a Universal Forwarder or of a full Splunk instance? if you are speaking of a Universal Forwarder, there isn't any GUI that you can use for inputs or other configurations, the only ways are conf files (better) or commands. The best approach is to use conf files in an add-on (custom or by Splunkbase) deployed using a Deployment Server, for more details see at https://docs.splunk.com/Documentation/Splunk/9.4.2/Updating/Aboutdeploymentserver if you are speaking of a full Splunk instance, you can go at [Settings > inputs] and choose the kind of input you want to modify. Ciao. Giuseppe ... View more