DBConnect supports a rising-column , which is a field that is incremented in some manner after each row is added to the DB. DBConnect then makes sure that each time it runs, it grabs all the rows > the last value of that column, and then remembers the last value again for next time. https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/Createandmanagedatabaseinputs#Choose_input_type If that doesn't work for you, you can always get the _indextime of the events, and discard any events with an index time less than the last time the query ran. ... View more

index=inventory equipment = KV800-* ... View more

UFs should be able to send to the Splunk Cloud indexers on port TCP 9997. There are pro's and con's with using a gateway server, but that requires a better understanding of your environment. The Splunk endpoints communicate with the Deployment Server on port 8089. You shouldn't need a Cluster Master for your Cloud configuration. You can install a HF or UF on the syslog server. HF would allow you to filter/discard event messages that you don't want to send to the cloud, where as the UF lacks that ability. Best practice would be to create a new app that contains the appropriate inputs.conf. This can be pushed to the UFs via the Deployment Server. It will be encrypted ... View more

Do you have local firewalls blocking TCP 1024. Are you sure you are sending data to the right port? ... View more

Do you have a host or server associated with the offline and online states? What you could do is write the state of any offline hosts out to a file ( |outputcsv or |outputlookup ). If a host already exists in the file, don't raise an alert about it. Remove the host from the file once you see a corresponding online message ... View more

index=inventory equipment = KV800 would be sufficient ... View more

Yes, if the session_id is unique to a user's session, you can use transaction or stats with a by session_id clause. | transaction session_id OR | stats values(user_id) by session_id ... View more

|eventstats latest(_time) as latest_time by id | table _time, id, latest_time | where _time = latest_time OR |eventstats latest(_time) as latest_time by id | table _time, id, latest_time | eval is_latest_event=if( _time = latest_time,1,0) ... View more

The Splunk add-on for Active Directory contains knowledge objects to help extract information from the events you are collecting. It does not collect the events themselves, necessarily. I would recommend you install it to ensure that the fields that are being extracted are consistent, which may be useful if you deploy other Splunk apps. ... View more

I think you have the id and _time around the wrong way. Try |eventstats latest(_time) as latest_time by by | table id, latest_time ... View more

If you have data in an index such as weblogs, you would do a search such as index=weblogs sourcetype=access_combined OR sourcetype=iis | eval full_path=uri_domain.uri_path| stats values(full_path) by user ... View more

Using Splunk's Role Based Access controls, you can limit a user to only a few indexes that contain the data they contain. That is considered the best approach for separating data. https://docs.splunk.com/Documentation/Splunk/7.2.4/Security/Addandeditroles#Add_or_edit_a_role In this way, you would have a separate role for each tenant, and each tenant's data would go into a separate index. If the data is all in a single index, you may be able to use search time filters, but this is less preferred. https://docs.splunk.com/Documentation/Splunk/7.2.4/Security/Addandeditroles#Search_filter_format ... View more

Are you referring to Splunk URLs? For example, https://localhost:8000/en-US/app/search/search and https://localhost:8000/en-US/app/search/search?q=search%20index%3D*&sid=1552910209.54&display.page.search.mode=verbose&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now If so, you can run a query such as index=_internal sourcetype=splunk_web_access | stats count by uri ... View more

You can use DB Connect ( https://splunkbase.splunk.com/app/2686/ ) to access an MS Access Database through ODBC/JDBC. Refer to the comment posted at https://answers.splunk.com/answers/74161/dbx-connection-to-microsoft-access.html ... View more

You can either use AD/SAML integration, where by Splunk user accounts are managed by the team managing AD/SAML, or you can use local Splunk accounts on the search head. At some point, you need to trust the AD admins. If the Splunk Admin feels that the AD team can't be trusted, then they would be able to disable SAML/AD access and only rely on local accounts. Splunk's _internal logging would track all user activity regardless. ... View more

You are looking to do a chart overlay, as described at https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchTutorial/Chartoverlays ... View more

Something like the following would count the number of unique hostnames ( dc = distinct count) that the Admin has logged into. index=wineventlog Logon user=Administrator earliest=-65m@m | stats dc(hostname), values(hostname) You may also want to look at the Security Essentials app, https://splunkbase.splunk.com/app/3435/ , which hassome examples of such searches and use-cases. ... View more

No, that's probably not the best approach. Indexing the metadata in Splunk is what I would suggest. ... View more

To clarify, do you want to use 2 deployment servers for your client? If so, the deployment servers must be kept exactly the same, in terms of apps and configuration. Then you would need to place these behind a CNAME or common DNS entry that resolves to both of your dpeloyment servers, and configure your client to communicate with this. In addition, you will need to set crossServerChecksum = true in both serverclass.conf What is your use-case for needing this? Or are you looking to send event data to 2 separate Splunk deployments? That is a different questions all together ... View more