Hi @minpd0309, It depends on indexes.conf configurations. The most critical parameters are below; indexes.conf tsidxWritingLevel = [1|2|3] 7.3.3 default is 1 9.0.2 default is 3 journalCompression = gzip|lz4|zstd 7.3.3 default is gzip 9.0.2 default is zstd  If you are using 9.0.2 defaults on your 7.3.3 you can try. But if not unfortunately you cannot copy. If parameters are the same,  it is better to try on a seperate test server first. ... View more

Hi @jcas, "Splunk Security Essentials" and "Splunk Enterprise Security Content Update" apps are using some shared resources. If you have "Splunk Enterprise Security Content Update" installed, you can try updating it to the latest version. ... View more

Hi @zakirhere, You can append the new UUID value to a lookup, your second search use that lookup for the graph.   ... View more

Hi @monug8, You don't need PowerShell or another issue if you can see DNS Server events inside Event Viewer. Maybe there is a mismatch between your Event channel name and input stanza. Could please share screenshot of your EventViewer showing your DNS Server events tree and your inputs.conf stanza?   ... View more

Hi @dionrivera, The reason I mentioned delayed is you are having problem only on WinEventLog:Security events.  Since the rest are flowing fine it can not be congestion or thruput problem.  If you run your above search again do you see increase on values? If yes there is delay , if not they are stopped.  I think it is better for you to create a support case. ... View more

This seems fine and should not cause problem with uploading.  I can not think any reason for the problem. ... View more

Can you please share your full config about TRUNCATE setting? Did you enter it into the right stanza?  ... View more

Hi @michaelnorup, Since action field is enriched by Splunk you cannot search with action="login attempt". Also you can just use _time field for timerange. Please try below; | rest /services/authentication/users splunk_server=local | table realname, title | rename title as user | join user type=left [ search index=_audit TERM(action=login) attempt ( TERM(info=succeeded) OR TERM(info=failed) ) action IN ("success","failure") earliest=-6mon | stats latest(_time) as last_login_time by user | convert ctime(last_login_time)]     ... View more

Hi @vernikose, If the file is bigger than 10000 characters and Splunk tires to import as one event your should be hitting TRUNCATE=10000 default limit. You can change this parameter on your sourcetype and try again. In order to split the file into 344 events you should set LINE_BREAKER settings accordingly.   ... View more

Hi @JohnHC, That cli command is the same function as uploading using GUI. You can set index and sourcetype if you will. As a sample; [root@myserver bin] ./streamfwd -r my.pcap --index pcap_index ... View more

Hi @JohnHC, If you have access to command line you can try cli commands; [root@myserver bin] ./streamfwd -r my.pcap https://docs.splunk.com/Documentation/StreamApp/8.1.0/DeployStreamApp/streamfwdcommandlineoptions#Read_PCAP_files ... View more

Hi @mlrhazi, Splunk REST API does not extract fields like GUI. You should specify the required fields by rf (or required_fields on older versions) parameter. Please see the below documentation.  https://docs.splunk.com/Documentation/Splunk/9.0.3/RESTTUT/RESTsearches#Tips_on_creating_searches   ... View more

Hi @avr, Can you please describe your need in more detail? Maybe with samples? ... View more

You must restart UF service on those servers. ... View more

Hi @solaced, Can you please try the below search? If I understood correctly I added an extra field to be able to filter values from lookup. index=myindex sourcetype=k_logs (ns4:phoneNo OR emailInfo OR address) AND DummyOrgName AND "<requestType>UPDATEUSER</requestType>" | xmlkv | rename "ns4:phoneNo" as phoneNo | search orgName = "DummyOrgName" | eval phoneAndEmail= coalesce(phoneNo, address) | fields phoneAndEmailphoneNo address ipAddress userName | table phoneAndEmailphoneNo address ipAddress userName | append [|inputlookup thisLookup.csv | table phoneAndEmail phoneNo address ipAddress userName | eval from_lookup="1"] | stats values(phoneNo) AS phoneNo values(address) AS address values(ipAddress) AS ipAddress values(userName) AS userName values(from_lookup) as from_lookup dc(userName) AS UserCount by phoneAndEmail | where UserCount>2 AND from_lookup="1"   ... View more

Hi @dionrivera, In your config, there is a current_only setting twice which is 1 actual. This may cause missing events when your restart the forwarder service or host. Please keep this as current_only=0. Please try below setting (cache settings) [WinEventLog://Security] use_old_eventlog_api = true disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)" renderXml = true index = my_windows_ad evt_ad_cache_exp = 1200 evt_ad_cache_exp_neg = 1200 evt_ad_cache_max_entries = 40000 evt_sid_cache_exp = 300 evt_sid_cache_exp_neg = 300 evt_sid_cache_max_entries = 4000 evt_dc_name = localhost   If you still have a delay you may have another problem. It is better to open a support case.    ... View more

Hi @Alexander17, You can use timechart command like below sample; | timechart span=1h count as pieces ... View more

Hi @human96, Universal Forwarders cannot parse events. Line breakers work on Indexer or Heavy Forwarders if they are receiving data from UF. Only EVENT_BREAKER setting works on UF, but this will only tell UF to tell where the events boundaries are and make it send full events to indexers.    ... View more

@AL3Z, Could you please share sample events?     ... View more