Hi @CheongKing168 , try to reinstall the old version, to understand if the issue is related to the UF version or to environment. Then open a case to Splunk Support. One additional info: which Windows version are you using? Ciao. Giuseppe ... View more

Hi @abroun, to help you I need also the second search. In few words, you have to correlate results from both the searches using stats BY common key. Ciao. Giuseppe ... View more

Hi @RanjithaN99, Indexer Cluster is managed by the Cluster Manager so you have to create the new indexes.conf in this server that deploys it to the indexers; for more infos see at https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Aboutclusters in few words, you have to create a stanza in indexes.conf with the new index using the CLI and push the configuration using GUI. For data forwarding from te SH to the Indexers, you should already have this configuration because it's a best practice to send internal logs from all the Splunk servers to Indexers. If not go in [Settings > Forwarding and Receiving > Forwarding] and configure Forwarding. Ciao. Giuseppe ... View more

Hi @purcell12491 , could you beter describe your requirement: operative systems, fields used, etc...? Ciao. Giuseppe ... View more

Hi @anandhalagaras1, regex substitution is correct. Are you sure about the sourcetype? is there any sourcetype replacement in your data? are there some other Heavy Forwarders  before the one you used for the masking? Ciao. Giuseppe ... View more

Hi @sle, good for you, see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @mfonisso, good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @kreddykotla , please try this  | rex "(?<your_field>[^-]+)\/[^\/]+$" that you can test at https://regex101.com/r/0yi0zt/1 Ciao. Giuseppe ... View more

Hi @mariamms , here you can find all the information you need about HEC: at first https://www.splunk.com/en_us/pdfs/tech-brief/splunk-validated-architectures.pdf (page 28) https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Data/ShareHECData https://www.youtube.com/watch?v=qROXrFGqWAU In few words, you have to creare an HEC received creating a token that must be passed to the sender. You can also have an intermediate Load Balancer for HA features, in this case, you must have the same token in all the receivers. About Console, what do you mean? HEC hasn't any console. If your're speaking of the Cluster consoles, you have to search for Cluster Master (for Indexer Cluster) and SH Deployer (for Search Head Cluster). You can find information at https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Aboutclusters and https://docs.splunk.com/Documentation/Splunk/9.2.0/DistSearch/AboutSHC At least there's also a Monitorig Console and you can find information at https://docs.splunk.com/Documentation/Splunk/9.2.0/DMC/DMCoverview  Ciao. Giuseppe ... View more

Hi @AlirezaGhanavat, at first, which user are you using to install the UF? has it the grants to install an app? have you an antivirus? Anyway, in these cases I always open a case to Splunk Support. Ciao. Giuseppe ... View more

Hi @taijusoup64, use always quotes in the eval condition: index="zeek" source="conn.log" ((id.orig_h IN `front end`) AND NOT (id.resp_h IN `backend`)) OR ((id.resp_h IN `front end`) AND NOT (id.orig_h IN `backend`)) | fields orig_bytes, resp_bytes | eval terabytes=((if(id.resp_h="192.168.0.1",resp_bytes,0))+(if(id.orig_h="192.168.0.1",orig_bytes,0)))/1024/1024/1024/1024 | stats sum (terabytes) Ciao. Giuseppe ... View more

Hi @Rahul-Sri , my solution is only for a table because you transform a number in a string. if you have to display the result in a graph, you can divide by 1000000 and indicate in the subtitle that the numbers are millions or use a logarythmic scale in the graph. Ciao. Giuseppe ... View more

Hi @hfaz , not deployment.conf but deploymentclient.conf file! In other words, check if, for error, you conigured also the HF as client. Ciao. Giuseppe ... View more

Hi @sle , if you use earliest and/or latest fields in your main search, this value override the values that you have in the Time Picker, that's not relevant. Ciao. Giuseppe ... View more

Hi @taijusoup64 , let me understand: you want to calculate bytes only when:  id.orig_h="frontend" AND id.resp_h="frontend", is this correct? in this case add the condition to the eval statement: index="zeek" source="conn.log" ((id.orig_h IN `front end`) AND NOT (id.resp_h IN `backend`)) OR ((id.resp_h IN `front end`) AND NOT (id.orig_h IN `backend`)) | fields orig_bytes, resp_bytes | eval terabytes=((if(id.resp_h="front end",resp_bytes,0))+(if(id.orig_h="front end",orig_bytes,0)))/1024/1024/1024/1024 | stats sum (terabytes) Ciao. Giuseppe why did you used all that parenthesis? Ciao. Giuseppe ... View more

Hi @gauravu_14 , in general, having a lookup containing the host to monitor list, you can use a search like this: | tstats count WHERE index=* BY host | append [ | inputlookup your_lookup.csv | eval count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0 if you are monitoring some clusters, you should have in the lookup the indication of the clusters, something like this: primary_host secondary_host host1 host1bis host2 host3 host3bis host4 and run a little different search:   | tstats count WHERE index=* BY host | lookup your_lookup.csv primary_host AS host OUTPUT secondary_host | lookup your_lookup.csv seondary_host AS host OUTPUT primary_host | append [ | inputlookup your_lookup.csv | rename primary_host AS host | eval count=0 | fields host count ] | append [ | inputlookup your_lookup.csv | rename secondary_host AS host | eval count=0 | fields host count ] | stats sum(count) AS total values(primary_host) AS primary_host values(secondary_host) AS secondary_host BY host | where total=0 AND NOT (primary_host=* secondary_host=*) About the indexes related to the not sending hosts, it's more difficoult because you don't have, in this search the information about the indexes, the only way is to store in the lookup also the information about the indexes usually used, in this case you can add this information in the stats commands: | tstats count WHERE index=* BY host | lookup your_lookup.csv primary_host AS host OUTPUT secondary_host indexes | lookup your_lookup.csv seondary_host AS host OUTPUT primary_host indexes | append [ | inputlookup your_lookup.csv | rename primary_host AS host | eval count=0 | fields host count ] | append [ | inputlookup your_lookup.csv | rename secondary_host AS host | eval count=0 | fields host count ] | stats sum(count) AS total values(primary_host) AS primary_host values(secondary_host) AS secondary_host values(indexes) AS indexes BY host | where total=0 AND NOT (primary_host=* secondary_host=*) Ciao. Giuseppe ... View more

Hi @mfonisso, what are the resources of your Splunk server? Splunk requires at least 12 CPUs and 12 GB RAM (more if you have ES or ITSI) and a disk with at least 800 IOPS. Ciao. Giuseppe ... View more

Hi @Rahul-Sri , this is another question and it's always better to open a new case, even if this is the followig step to your request, in this way you'll have surely faster and probably better answers. Anyway, the approach is to use eval not format command and round the number: | eval count=round(count/1000000,2)."M" please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉   ... View more

Hi @hfaz , when you say that enabled forwarding to the Indexers, I suppose that you're peaking of logs. Check that you don't have the deploymentclient.conf file in the HF, eventually distributed using an add-on. Ciao. Giuseppe ... View more

Hi @Roopashree, Splunk isn't Excel, so you cannot merge two cels, you could have the NOT_OK value in both the rows: <your_search> | rex 1 | rex 2 | stats count BY Status Reasons please next time add also the sample in text mode. Ciao. Giuseppe ... View more

Hi @riley_lewis, the avg function must be used in a streaming command as stats or timechart: index="mydata" | stats avg(floatnumbers) AS floatnumbers BY mymean Ciao. Giuseppe   ... View more

Hi @MVK1 , you can create your lookup using the Splunk Lookup Editor App (https://splunkbase.splunk.com/app/1724). Then you have to create your lookup definition [Settings > Lookups > Lookup Definitions > Create New Definition]; in this job put attention to the other properties, if you don't want that the lookup is case sensitive. Then you can manually populate this lookup using the Lookup Editor or schedule a search to extract the FailureMsgs and store in the lookup using the outputlookup command (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Outputlookup). Only one question: in your lookup you whould have product and Feature, but I don't see these information in the sample you shared, so, how would you have these information? Ciao. Giuseppe   ... View more

Hi @abi2023 , as @marnall said, you can create different apps and deploy to the UFs using different serverclasses. About data mascking, for my knowledge UFs enter only in the input phase, but the other phases (merge and parsing) are in the first full Splunk instance that data are passing through. In other words, in the Indexers or (when present) in the first Heavy Forwarder, but not in the UFs. If your doubt is that data are sent in clear mode, you can encrypt them between the UFs and the Indexers (or HFs), and then mask them on these other systems. Ciao. Giuseppe ... View more

Hi @satyaallaparthi , good for you, see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more