In the environment I took the screenshot is a HWF layer, therefore I got three levels. There used to be an example in the docs using weblogs showing the how people browser the web page using a multilayer sankey graph .... haven't found it yet though 😕 cheers, MuS ... View more

Here is an example: ... View more

Did you look at the sankey ? I just added an image to the answer how it looks 😉 ... View more

Hi dbcase, That will not work, instead you will need to change the search so that for example you only get events from the receiving part and use the connecting client information from those events - if that makes sense? Take a look at this run everywhere search to show the data flow in Splunk: index=_internal sourcetype=splunkd group=tcpin_connections component=metrics host=* | fields host hostname kb fwdType | eval hostname=if(fwdType="uf", "uf", hostname), from=hostname, to=host | stats sum(kb) AS KBs by from to This will show a nice multilevel sankey and you can use it to understand how it can be done 😉 hope this helps ... cheers, MuS ... View more

Hi nick405060, the message says: Connection refused: no further information. and further more: Verify the connection properties. Make sure that an instance of SQL Server is running on the host and accepting TCP/IP connections at the port. Make sure that TCP connections to the port are not blocked by a firewall. So, the first thing to test here is if you can connect from the Splunk instance to your DB server on the configured port? and btw: that is not related to the error, but maybe consider an upgrade of the DBconnect app later. 1.2 is end of life Hope this helps ... cheers, MuS ... View more

Try this: ... | rex "ESS1 - \[(?<thatfield>[^\]]+)" this will create a field called thatfield with the value 2813 based on your provided example. cheers, MuS ... View more

Hi enmanu, Indeed it is a permission problem, but not one you're thinking of 😉 The problem is most likely caused by a mismatching pass4SymmKey and is described in the docs here http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges#Set_a_security_key_on_the_deployer If you're 100% sure the keys match, read this answer which provides a lot of information about troubleshooting a SHC https://answers.splunk.com/answers/242905/shc-troubleshooting-configurations-under-search-he.html Hope this helps ... cheers, MuS ... View more

How about this? .... | search version="10" version="12" version="13" ... View more

Hi splunkannm, if you have a large amount of data to index once, put it into $SPLUNK_HOME/var/spool/splunk/ this is a sinkhole directory. Anything you put in there will be indexed, and once indexed it will be deleted by Splunk. The events will be available in index=main or whatever you did setup as the default index. More details in the docs here http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorFilesandDirectories#Why_use_upload_or_batch.3F If you need to specify a different index or sourcetype, simply create another sinkhole directory using inputs.conf and the [batch://...] stanza http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#BATCH_.28.22Upload_a_file.22_in_Splunk_Web.29: Hope this helps ... cheers, MuS ... View more

Hi jamessevenerlmco, I don't see how this can be a Splunk question ¯\_(ツ)_/¯ but since you got my attention .... here we go 🙂 You are right in setting the Interval option, remember it can be set globally or per plugin. Have to run collectd -t to test your config and more important have you run collectd -h to get the information about the default config file location? Because running it with collectd 5.7.1 tells me the default location of the config file is /etc/collectd/collectd.conf not /etc/collectd.conf . Maybe this can helps as well https://github.com/collectd/collectd/issues/2444 If this all does not help you can always strace the pid and see which config file it really loads. hope this helps ... cheers, MuS ... View more

yep, of course this always gets me eval() requires in this case a ' instead of " because using the " will tell eval() to compare two literal strings, not the values of two fields. So, using this | where "Change by" = "Account Changed" will compare two strings using this | where 'Change by' = 'Account Changed' will compare the values of two fields ... View more

try it without rename and the original field name in the where ... View more

Not exactly, the linked answer tells you to test the LDAP connection, and connection information with another tool and visually check the results for verification purpose. Anyway, have a look at @JDukeSplunk answer how to setup multiple OU's for userBaseDN cheers, MuS ... View more

Awesome, feel free to accept the answer so it is marked as answered 😉 cheers, MuS ... View more

Hi ankithnageshshetty, check the inputs.conf for the following option: followTail = [0|1] * Whether or not the input should skip past current data in a monitored file for a given input stanza. This lets you skip over data in files, and immediately begin indexing current data. Defaults to 0 but if set to 1, Splunk will start monitoring at the end of the file - like a tail -f ... Hope this helps ... cheers, MuS ... View more

Hi Wondergoat77, try this rex SPL which uses mode=sed to removes the various strings: | makeresults | eval foo="{\"status\":500,\"statusDesc\":\"Internal Server Error\",\"code\":\"someCode\",\"message\":\"some error message\"} [code=919285284] [txid=5f6c0952-5184-4bdd-9658-6487dfaeaf3f] }" | rex field=foo mode=sed "s/\[[^\]]+\]|\s\}|\"code\":\"[^\"]+\"//g" The result looks like this: Hope this helps ... cheers, MuS ... View more

Hi kannu, Check this answer https://answers.splunk.com/answers/50175/ldap-authentication-troubleshooting-information.html Also increase the logging for the AuthenticationManagerLDAP and the ScopedLDAPConnection channel in Settings » Server settings » Server logging and check index=_internal for LDAP related messages. Hope that helps ... cheers, MuS ... View more

Well, there is a ARMv6 version of the UF to download here https://www.splunk.com/en_us/download/universal-forwarder.html#tabs/linux and I was able to download splunkforwarder-7.2.0-8c86330ac18-Linux-arm.tgz from there. Also I was able to download an older version using wget like this: wget -O splunkforwarder-6.6.0-1c4f3bbe1aea-Linux-arm.tgz 'https://www.splunk.com/page/download_track?file=6.6.0/linux/splunkforwarder-6.6.0-1c4f3bbe1aea-Linux-arm.tgz&ac=&wget=true&name=wget&platform=Linux&architecture=ARM&version=6.6.0&product=universalforwarder&typed=release' cheers, MuS ... View more

Hi there, I'm currently working on a major new release of it, please hold and wait ... cheers, MuS PS: but looking at the error, it sound like the typical missing pre-requirements - from the documentation of the the app: Python ldap module used in this app https://pypi.python.org/pypi/python-ldap/2.4.19 so make sure you meet all dependencies. ... View more

Just another hint regarding the garbage events, check the charset of the file and set it in the props.conf . See the docs for more http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Garbledevents#Symptom cheers, MuS ... View more

Hi mmdacutanan, you last stats does not use CallID in any other way than the count, therefore you 'lose' it. Just add it to the stats either as values() or in the by clause: index=ABC sourcetype=ABC_MainReportLog "Entered Phone Number" Phone!=1234567890 | dedup CallID | table CallID Phone _time | join type=inner CallID [ search index=ABC sourcetype=ABC_core_MainReportLog "\|RemoteApplicationData\|" CV7=* | dedup CallID] | fields Phone, CV7, CallID | bucket _time span=1m | stats count(CallID) as Count by _time Phone CV7 CallID | where Count >=2 But you should not use join at all, for various reasons. Try this instead: index=ABC ( sourcetype=ABC_MainReportLog "Entered Phone Number" Phone!=1234567890 ) OR ( index=ABC sourcetype=ABC_core_MainReportLog "\|RemoteApplicationData\|" CV7=* ) | bucket _time span=1m | stats count(sourcetype) AS count values(*) AS * by _time CallID | where count = 2 This might need some modifications to match your events, but give a starting point. Also might be worth to read this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html Hope this helps ... cheers, MuS ... View more

Hi mussab, Create 4 different mount points and mount one of them on each of the indexers. Using a shared mount point will lead to various problems, and headaches 😉 Hope this helps ... cheers, MuS ... View more

Hi Log_wrangler, Compressed files (like .gz and .zip) are handled by the Archive processor, and are processed in serial. The Archive processor reads the compressed file during the input phase, on your HWF, and the HWF will send the uncompressed events to the indexer. Unreadable garbage could be either you are having actual unreadable garbage in the file or the indexer is listening on TCP <YourPortNumberHere> instead of SplunkTCP . Sometimes it could also be related to forwarder sending using SSL and receiver not using SSL or vice versa. Hope this helps ... cheers, MuS ... View more