Hi All, We are running with Splunk Cloud 7.2.9.1 version in our environment. And now we are planning to upgrade the same to 8.0. and above version. So I have logged a ticket to Splunk Support for upgrading the core Splunk Cloud they said to review the Cloud Monitoring Console App installed in the Search head and then have navigated to Splunk Upgrade Dashboard. Splunk App Compatibility Summary Forwarder Compatibility Forwarder Count by Status Here in the Forwarder Count by Status i can see under Provisional some 10 client machines and in Upgrade Needed i can see around 20 client machines. So when i viewed the list i came to know that most of the servers are Windows 2003 OS and they are running with Splunk Forwarder version of 6.2.15 and few of them are RHEL 5 (5.11) running with 6.5.1 Splunk Forwarder version. So as of now teams are working to decommission this old servers but it might take few months but still I want to know If we upgrade the core Splunk Cloud to 8.0 and above will be the client machines running with OS (Win2k3 & RHEL 5 (5.11)) and Splunk Forwarder versions (6.2.15 & 6.5.1) are able to ingest logs into Splunk Cloud without any issues? Kindly help to know on my request.   ... View more

Hi Team, We have purchased 200 GB of licenses for Splunk Cloud subscription and another 200 GB of licenses for Enterprise Security Subscription for our organzation. So currently we are calculating the license usage for Splunk Cloud Subscription by logging into URL the Splunk Cloud search head and navigating to Cloud Monitoring Console App. So we can able to calculate for Splunk Cloud Subscription. So we want to know how to calculate the licensing for Enterprise Security Subscription? i.e. How many GB we are ingesting for the Enterprise Security subscription in a day out of 200 GB? How to check it? And in the upcoming future we are planning to buy additional license for Splunk Cloud subscription so during that time will it be mandate to buy additional license for Enterprise Security subscription along with Splunk Cloud subscription? Also I believe we are not utilizing the full GB of license for Enterprise Security Subscription so will it be possible to move those license to Splunk Cloud subscription? ... View more

Hi Team, I want to do a field extraction during the search time itself so i want the following fields to be extracted from the below logs. Jan 8 12:52:29 abc notice def[xxxx]: xxxxxxxx:x: Pool /Common/xyz.abc.com443 member /Common/hostinfo_portal:443 session status forced disabled. Jan 8 10:44:23 abc notice def[xxxx]: xxxxxxxx:x: Pool /Common/xyz.abc.com443 member /Common/hostinfo_portal:443 monitor status up. [ /Common/https_xxxx: up ] [ was down for xxhrs:Xxmins:XXsec ] Jan 8 10:44:22 abc notice def[xxxx]: xxxxxxxx:x: Pool /Common/xyz.abc.com443 member /Common/hostinfo_portal:443 session status enabled. Jan 8 10:30:42 abc notice def[xxxx]: xxxxxxxx:x: Pool /Common/xyz.abc.com443 member /Common/hostinfo_portal:443 monitor status forced down. [ /Common/https_xxxx: up ] [ was forced down for Xxhrs:Xxmins:Xsec ] Jan 8 10:24:21 abc notice def[xxxx]: xxxxxxxx:x: Pool /Common/xyz.abc.com443 member /Common/hostinfo_portal:443 session status forced disabled. xyz.abc.com as "hostname" hostinfo as "client" The below information as "remarks" session status forced disabled monitor status up session status enabled monitor status forced down session status forced disabled So how to do a field extraction in the search time itself if yes can you kidnly help with the query? ... View more

Hi All, We have deployed Splunk Cloud in our environment with version 7.2.9.1 and currently we have planned to upgrade to 8.0 and above. So we have submitted a case for upgrade our Splunk to 8.0 and above at that time we came to know that the following add-on in ES-Search head is not compatible with Splunk Cloud 8.0 and above. Add-On Information: TA-QualysCloudPlatform version 1.4.0 https://splunkbase.splunk.com/app/2964/ So we have installed & configured the Add-on in Heavy Forwarder server as well as in ES-Search head. But i got the information as per the document stating that the Add-on is required in Search head as well. But completely not sure whether it is really required or not. https://www.qualys.com/docs/qualys-ta-for-splunk.pdf If its not required then we would go and uninstall the Add-on from ES- Search head then we can upgrade our Core Splunk to 8.0 and above. So kindly help to check and update. So how come can i overcome this issue and proceed with core upgrade to 8.0 and above. ... View more

Currently we are running with Splunk Cloud 7.2.9.1 version the same applicable for indexers ,cluster master and search heads. So we have recently build a heavy forwarder server so that can i go ahead and install the latest version i.e. 8.0.3 ? So i want to know will it be compatible to 7.2.9.1? and will the data ingestion wont be disturbed? Or should i need to install the Heavy Forwarder package with older version i.e. nearer to 7.3 something? Kindly let me know. ... View more

In one of the file the password seems to be present and the same has been getting ingested into Splunk. So is there any way to hash the password for that field so that it wont be visible in Splunk during searching eventhough it is present in the logs. ... View more

Hi Team, Do we have any specific add-on and documentation to integrate the LogMeIn logs into Splunk Cloud. If yes kindly let me know. https://www.logmein.com/central https://www.logmein.com/pro https://www.lastpass.com/ ... View more

Last year 2019 we have deployed Splunk Cloud in our environment . Post which we have configured the logs into Splunk Cloud and the data seems to be searchable as per the retention policy post retention policy the data seems to be getting deleted from the system so this is how it should work. So when i searched the data for few indexes i was shocked to see the data is available from 2014 in Splunk Cloud. We have deployed Splunk Cloud only last year then how come is it showing the event timestamp as 2014 date. And also when i search with index=* for 2014 year as a whole i can see more than 20000+ events and shocked. When i checked the log files of those data from 2014 in few source files i can see that the log file doesn't have the date in it and only the time is present so if the date is not present in the log file it should take the system time but still how come it assign with the event timestamp as 2014. And another set of logs i can able to see the log file with latest timestamp i.e with date and time in it but still the event time seems to be assigning with 2014 date and time. Its getting confused a lot why come it is assigning with 2014 date and time. So I have ran the query adding the index time field into the query for the whole year of 2014 as mentioned below: index=* host=* source=* | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | stats count by _time indextime host index source sourcetype I can see the index time with latest timestamp whereas the eventtime seems to be with 2014 date and time. Its really confusing how come the recently indexed data (Based on index time) it is assigning with very old timestamp. So kindly let us know how it works. Or what is the issue behind it. How the bucket concept work in Splunk Cloud? Any one can help on this request please. ... View more

Hi Team, We are using Splunk Cloud in our environment. I just created a report and i can able to see the option as Embed Report and also i have tested out the website it works fine. But i want to know how to embed the Dashboard as a whole in an external website from Splunk Cloud. Is the feasibility embed Dashboard is available for Splunk Cloud or not kindly let us know. If there is any feasibility kindly help on the same. ... View more