login to the source server where the UF client is installed 2.Under path /splunkforwarder/bin/splunk _internal call /admin/inputstatus/TailingProcessor:FileStatus this will list all inputs on the xml file format on your screen and you are able to see all the inputs that splunk is monitoring Other option, run the step 1 and run this command ./splunk list monitor, this is also listed all the inputs that are being monitoring ... View more

The splunkd.log file have the information for the UF activity, so you can take a look on this file direct on the UF itself. It should be under /splunkforwarder/var/log/splunk. My suggestions is to use the Management Console, and you can enable it to monitor the universal forwarder tier. It is not required to index any data, because Splunk by default is already collecting this data in the _internal index. The _internal index, does not count agains the license. To enable the MC to monitor the splunk forwarders, check this document -> https://docs.splunk.com/Documentation/Splunk/7.3.2/DMC/Configureforwardermonitoring ... View more

on the splunk time picker you have the option to select the time frame. you can select date range on the time picker or Data time range Select All time, please be carefully because it will run a search to all data for that particular host. other point to consider is about the retention data, so you have to make sure the data is being stored for more than 1h for the particular host ... View more

Hi darrenfuller, I was reviewing the splunk docs and I would like to suggest the configuration below: TIME_FORMAT = %Y-%m-%dT%H:%M:%S:%3Q%:z Where : %:z is to specify hour and minute separated by a colon OR TIME_FORMAT = %Y-%m-%dT%H:%M:%S:%Q%:z %z The timezone offset from UTC, in hour and minute: +hhmm or -hhmm. For example, for 5 hours before UTC the values is -0500 which is US Eastern Standard Time. Examples: Use %z to specify hour and minute, for example -0500 Use %:z to specify hour and minute separated by a colon, for example -5:00 Use %::z to specify hour minute and second separated with colons, for example -05:00:00 Use %:::z to specify hour only, for example -05 Also comment #MAX_TIMESTAMP_LOOKAHEAD = 40, because maybe splunk is looking for the date/time on a position where this data is not found, because generally the date/time is being on the begin of the log. This is only a suggestion for troubleshooting. If it works, you can try to play with numbers to identify the right characters positions to get this data properly indexed and re-enable it again. MAX_TIMESTAMP_LOOKAHEAD = Specify how far (how many characters) into an event Splunk software should look for a timestamp. This constraint is applied starting from the location positioned by TIME_PREFIX. For example, if TIME_PREFIX positions a location 11 characters into the event, and MAX_TIMESTAMP_LOOKAHEAD is set to 10, timestamp extraction will be constrained to characters 11 through 20. If set to 0 or -1, the length constraint for timestamp recognition is effectively disabled. This can have negative performance implications which scale with the length of input lines (or with event size when LINE_BREAKER is redefined for event splitting). I hope this can assist you to fix your issue. ... View more

I forgot to mention to start splunk service after you deploy the permissions. it is important you ran the steps above with the splunk service stopped to guarantee that all the permissions will be redeployed properly. ... View more

My understanding is that you are still having permission issues. Stop splunk service, re-apply the permissions to entire recursively under splunk installation. you can use icacls windows command to deploy these permissions. this is what I usually used when I had permission issues on the Splunk windows installation https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls I believe the command is similar the one below: icacls C:\splunk_path /grant "yourmsausers" /t ... View more

it is correct, the most of add-on have to be deployed at HF and in some cases to the indexers as well. thanks for the feedback. ... View more

I would check the amount of skipped searches because it is possible that you are not getting them triggered on the schedule time and it can cause the gaps in your data. Also check how long the reports does take to be completed using the job inspector Run the report manually to check if you have the proper results, if so, it is potential you have issues with these skipped searches. Are you working with summary index? If so, check if the reports are completed successfully or being triggered on the scheduled time. Use the Management Console to check the report schedule here is link to the document https://docs.splunk.com/Documentation/Splunk/7.3.2/DMC/Scheduleractivity If you are not able to identify the issue, open a case at Splunk support and upload the Splunk diag files for analysis. ... View more

I checked the splunk documents and it is mention that sparkline command can be used with stat and chart commands. Although eventstats is a variation of stat, I would try to use stats or chart on this line | stats sparkline(avg(alert_count)) as Trend by servername Here is the document I found -> https://docs.splunk.com/Documentation/Splunk/7.3.2/SearchReference/CommonStatsFunctions#Support_for_related_commands ... View more

If you want to remove splunk agent from your server 1 - If you configured the universal forwarder to start on boot, remove it from your boot scripts before you uninstall. ./splunk disable boot-start 2 - Stop the forwarder /splunk stop check this document for further information https://docs.splunk.com/Documentation/Forwarder/7.3.2/Forwarder/Uninstalltheuniversalforwarder#Prerequisites_to_uninstalling_the_universal_forwarder Plus this process, you can blacklist the servers you want to remove on the deployment server accessing the server_class they were setup to. So you can guarantee if someone start the splunk service, splunk will not receive new data. ... View more

thanks for the feedback ... View more

Which Splunk version you are running to? Did you check the app compatibility version? these are the version this app support: Splunk Versions: 7.2, 7.1, 7.0, 6.6, 6.5, 6.4, 6.3 run a search on internal index to find errors index=_internal sourcetype = ta_okta_identity_cloud_for_splunk_okta_identity_cloud* tag=error OR index=_internal ERROR (pid="") (metric="") | table pid,_time,_raw | sort -_time OR there is other option to get the log files from cli Check errors at /opt/splunk/var/log/splunk/ta_okta_identity_cloud_for_splunk_okta_identity_cloud.log, this is the log for this app. also check for errors on /opt/splunk/var/log/splunk/splunkd.log I suggest to remove the app, restart Splunk service and reinstall the app again. I deployed this app on Splunk Enterprise Version: 7.2.5.1 at Linux and Version: 7.3.2 at Macbook and no issues with spinning ... View more

1 - For alert, you have to visit the Alert form for the particular app the alert is setup for or you can go to menu Settings/Search, Report and Alerts for further information about alerts check this doc -> https://docs.splunk.com/Documentation/SplunkCloud/7.2.7/Alert/Definescheduledalerts for dashboard check this document -> https://docs.splunk.com/Documentation/Splunk/7.3.2/SearchTutorial/Createnewdashboard#View_and_edit_dashboard_panels 2 - check this link -> https://docs.splunk.com/Documentation/Splunk/7.3.2/Report/Schedulereports ... View more

you can do: staylocal = ...apps\appsname\filename.csv because splunk will check for the entire path when you type the ... ... View more

you have to check if this data was send to other index into splunk. Please troubleshoot the issue, check the internal index to identify which error messages you are getting. Read the procedure and what the videos at youtube to better assist you. I dont have the procedure for windows pc, I do have the macbook, but I believe the installation process should be the same. ... View more

I did not realize this questions is already answered. I took sometime to refresh my browser. ... View more

check if this what you are looking for. I am extracting the individual fields after the common information(/abc_d/efg_h/) | rex field=raw"\/abc_d\/efg_h\/(?P\w[a-zA-Z].)\/(?P\d.)\/(?P\w[a-zA-Z_]*)" https://regex101.com/r/AhowHG/2 ... View more

contact your Splunk Partner Sales Engineer and discuss the customers requirements. ... View more

check this blog -> https://www.splunk.com/blog/2014/07/22/what-are-splunk-apps-and-add-ons.html ... View more

check this document https://docs.splunk.com/Documentation/Splunk/7.3.2/Capacity/Accommodatemanysimultaneoussearches ... View more

you have to have admin role to run this, go to menu settings/All configurations on the top of screen at the right corner, please hit the button "Reassign Knowledge Objects" a new screen will show up with the objects and you have to select them to reassign to other owner ... View more