@scelikok ,   Thank you . I could able to pull the information from Splunk. ... View more

@scelikok ,   Thank you for your help. And now i have resolved the issue from my end post which the logs are not getting ingested into Splunk for these sourcetypes. ... View more

@scelikok , Just checked the query as you mentioned i can see around 50+ sourcetypes contains with _*small* in the sourcetype so these would of not much important i believe (Correct me if i am wrong?) so I am planning to stop ingesting those logs into Splunk. So any sourcetype which has *small* in it then those logs should not be ingested into Splunk. So kindly help with the props and transforms. ... View more

Hi @anandhalagaras1, You can filter entire event that contains something with regex , please see below sample for your Case 1; In props.conf, set the TRANSFORMS-null attribute: [source::/var/log/messages] TRANSFORMS-null= setnull_case1 Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue": [setnull_case1] REGEX = Timeout\for\sthe\srequested\soperation\shas\sexpired\. DEST_KEY = queue FORMAT = nullQueue Please check below document; https://docs.splunk.com/Documentation/Splunk/8.1.2/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest  ... View more

Can anyone help on my request. ... View more

@scelikok, Nice it works as expected. Thank you for helping me out. ... View more

@manjunathmeti , Thank you it worked like a charm. ... View more

Hi @anandhalagaras1  You already have what you need basically. Go to settings -> Sarch, Reports and Alerts, click "new Alert" in top right. As search you would put in for example index=windows sourcetype=dns Make sure Alert Type is set to "Scheduled" and select "Run on Cron Schedule"  Use this Cron Expression  */15 * * * *  (run every 15th minute). As Time Range select "Last 15 Minutes". As Trigger Condition set: "Number of Results" and "is equal to " 0. At the bottom you can configure the kind of alert action you need (email, webhook posting, call the police...) Hope this helps. BR Ralph Edit:  Instead of returning all the Events, it would be better (from a performance/ressource usage pov) to run a stats command like: index=windows sourcetype=dns | stats count And  alert based on the count field. So, once you have the alerting running, this would be a good point to optimize it. ... View more

@scelikok  Thank you. It worked as expected. ... View more

The stanza to refer to the source should be [source::xyz] Besides that, it looks fine. Maybe test it local with a single file, before pushing to production.  BR Ralph ... View more

Consider downloading the appInspect utility so you can vet your app locally before uploading it to Splunk Cloud.  That should give you better diagnostics than what you're getting now.  See https://dev.splunk.com/enterprise/downloads Also consider opening a support request with Splunk Cloud so they can look into why your app validation is failing. ... View more

Check out this app on your test instance https://splunkbase.splunk.com/app/742/ ... View more

Hi @anandhalagaras1, good for you! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

That app seems appropriate for a heavy forwarder.  Version 7.3.1 is not listed as supported, but that's probably because the app hasn't been touched since before 7.3.1 came out.  Be sure to test the app in Dev before using it in production. You will need to go to the Universal Forwarder app in your Splunk Cloud instance and download the credentials app.  Install the app on the HF.  Then install the OTX app. ... View more

I have Splunk cloud deployment in AWS and it's completely managed by Splunk cloud support.  I have never come across this problem ( this seems to be design & architecting problem). I hope definitely Splunk cloud supports to have one more instance in cloud, but I doubt if they allow you to connect to Splunk cloud indexers from your own Splunk Enterprise. But, I would highly recommend you to create a Splunk support case.  ... View more

Hi You should contact to your splunk sales or partner to get this information. They are more than willing to help you. r. Ismo ... View more

Can anyone help on my request please. ... View more

Can anyone help  ... View more

Hi to get information is kernel 32 or 64 bit you can use e.g. next commands: uname -i (i386 or x86_64) arch r. Ismo ... View more

32-bit operating system are not supported. Support for Windows 2008 R2 is deprecated so it may be dropped in a future release. See https://docs.splunk.com/Documentation/Splunk/7.2.9/Installation/Systemrequirements#Supported_Operating_Systems. My advice is to upgrade the OS on those servers. ... View more

Hi @anandhalagaras1, good, have a good splunkg! Ciao and next time. Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @anandhalagaras1  The documentation on supported forwarders for SplunkCloud (https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/Service/SplunkCloudservice#Supported_Forwarder_Versions) states that the minimum supported forwarder version for a 8.0 cloud stack is 7.2.x (Until October 2020) which means strictly speaking anything less than that currently isnt supported. Having said that, there is obviously a difference between what is *supported* and what *works*.... This page on compatibility between forwarders and indexers (https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Compatibilitybetweenforwardersandindexers) suggests that you will need at least a version 7.x forwarder to send to SplunkCloud. If its not possible to upgrade your 6.x instances, whilst not necessarily best practice, you may be able to use an Intermediary Forwarder running 7.3 to receive your 6.x traffic and send on to Splunk Cloud running 8.x   ... View more

thank you. ... View more

To view your on-prem license usage, use the Monitoring Console. Click Settings->Monitoring Console. Depending on your architecture, you may need to do some configuration before you will get any results. For your other license questions, please consult your Splunk account team. ... View more