@Luis_Torres  How does this csv file generated on the HF?  you can always use monitor stanza in inputs.conf ($SPLUNK_HOME/etc/system/local/inputs.conf) to monitor and index this file. Please refer splunk doc for the config settings https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Monitorfilesanddirectorieswithinputs.conf   [monitor://<path>] index = index_name sourcetype = sourcetype_name   Coming to your architecture, to connect HF to a DS you need to configure it as a deployment client. This can be done using deploymentclient.conf ($SPLUNK_HOME/etc/system/local). Please refer splunk doc shared here https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Configuredeploymentclients   [deployment-client] [target-broker:deploymentServer] targetUri = deploymentserver.splunk.mycompany.com:8089   Once you made this connection, you need to create a server class, app (with inputs.conf) on DS to distribute  it to the HF. For now option 1 looks simpler. you can try that Hope this helps. ... View more

@uagraw01  The logic should work. Do you have events in the data with this error? If yes, the text "server is not responding" in the eval command of the logic should match as is to the event. ... View more

@willadams  If I understood your issue here correctly, you want lookup the userid and get the type from the lookup. But I am not sure you are only looking for type="valued" in the subsearch. This should work index=devices status="in use" | rename prim_user as userid | lookup mycatalog.csv userid | table userid type machinename   Hope this helps ... View more

@splunk_tci_2020  Can you please share the complete error message?   ... View more

@khojas02  you have to use simple js& css code to change the color of the row. Splunk dashboard examples has the sample code (table row highlighting). you can use that https://splunkbase.splunk.com/app/1603/   hope this helps. ... View more

@rahul2gupta  It is possible to query database from Splunk. You need read permissions to the database. You need to install splunk app for dbconnect on splunk The syntax to run this query is   | dbxquery connection="connection_name" query="select ...."     Hope this helps ... View more

@Dingu  If you have spaces in the log file name, you should monitor the base directory to monitor the log files    [monitor://E:\files\xxxx\eeee] index = <myindex> disabled = false sourcetype = <mysourcetype> ignoreOlderThan = 30d crcSalt = <SOURCE>     Hope this helps ... View more

@Sunil2020  You can use subserach in this scenario. Based on the number of events in the subsearch and in the index, you can use one of the below logic that best suits your use case. For less number of long running jobs: index=index_name source="table B" [ search index=index_name source="table A" | (your criteria to get long running job IDs | table jobID | format ] | table JobID, AgentName, JobType, JobDate,JobEndHour For more/optimal number of long running jobs: index=index_name source="table B" | table JobID, AgentName, JobType, JobDate,JobEndHour | join type=inner JobID [ search index=index_name source="table A" | (your criteria to get long running job IDs | table jobID ]   Note: subsearch has limitations both in the number of events (10000 OR 50000 depends on where you use) & run time (60s). when it hits either of this limit, it auto completes the search. If you face this scenario, please create a csv file for the long running job IDs and use that in the second example. Hope this helps ... View more

@pratapa  If the users are trying the SPL you shared here, then The syntax is not correct Please try this   | dbxquery connection="connection_name" query="select REC_TYPE, CODE_TYPE, CODE_DESC, SHORT_DESC, USER_ID from SYS_CODE_TYPE"     Hope this helps ... View more

@adnankhan5133  I am sure these audit logs are written to a log file before uploading to an internal database. Does your team has access to this server? If you can identify the log path (location of the logs on the server), either you OR server team can install splunk UF on the server and can forward the data to splunk indexers. Other option would be calling REST end point for this application (if available) using splunk modular input. Hope this helps ... View more

@erikmuir  looks like you are not part of the admin role. Can you check with your team about your role who has more privileges? They can check here settings -> users -> yourname If you are part of the AD Group that mapped to admin role and still does not see admin capabilities, please ask the user (currently has admin capabilities) to reload authentication as mentioned earlier.     ... View more

@triest  What happened to the alert action run time after you increased the maxtime? Does the alert action stopped after 5 mins? In which configuration did you update the maxtime attribute? Ideally it should be in alert_actions.conf under this alert action staza. maxtime = <integer> [m|s|h|d]  Hope this helps. ... View more

@uagraw01  the SPL you mentioned won't work. Assuming "new_error" field is not available   index=os source="/var/log/messages" | eval new_error= if(like(_raw,"%server is not responding%"), "Yes", "No") | where new_error="Yes"    you can also use search in place of where command. Hope this helps. ... View more

@adnankhan5133  Have you tried using confluence REST API? You can try splunk modular input to call confluence rest api to import the audit data. Below are some  documentation references for both confluence & splunk that will give some direction https://confluence.atlassian.com/cloud/audit-logging-970612562.html https://developer.atlassian.com/cloud/admin/organization/rest/api-group-orgs/#api-orgs-orgid-events-get https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/AdvancedDev/ModInputsIntro Hope this helps. ... View more

@tengugurl  Its quite possible to sent the search parameters (caused alert) to users by choosing "send email" alert action. You can always include job fields as tokens in the email. This is better option. If you don't want to use this alert actions, you can create savedsearch to search REST end point to get the results of triggered alerts and send an email with the result set. | rest /services/alerts/fired_alerts   Hope this helps ... View more

@UMDTERPS  Hope it gave some direction ... View more

@erikmuir  Are you using LDAP for authentication? You can try to reload the auth configuration from here settings -> Authentication methods   Hope this helps ... View more

@srive326  The import option is disabled when you use base search in the dashboard/form. If you really need this report to be downloaded and base search is not essentially required, try without base search. other option would be click on the search icon-> pops up a new tab with the search -> import.     ... View more

@drubench29  what do you mean by update? Do you want to update a record? Do you want add a new record? you can always use a saved search & outputlookup to add/update (upsert) records to the the kvstore.  saved search: base search ... | eval _key="key as in your kvstore" | outputlookup append=t  "collection name" ... View more

@burwell  what would be the ideal config on forwarders? Is it possible to setup outputs on forwarder without using sslPassword? Since this configuration is on DS and will be deployed to all forwarders, I would like to avoid storing it in cleartext.     ... View more