Dear @richgalloway  Let's say like this,  help me to more understand the purpose of fine-tune queries? based on your experience? ... View more

Thank you so much @richgalloway  for the link I have read the documents in the link you posted, I got different information talking all different zero trust model, Is there any other link that explain more about this model in details and how to implement this? ... View more

@richgalloway  netstat -ln | grep 514 tcp      0       0.0.0.0:514         0.0.0.0:*     LISTEN udp     0      0.0.0.0:514          0.0.0.0:*                         this the output I got from the above command.  In udp line there's no LISTEN info appeared , this is how should be or this means that is not listening?  AND nc -u x.x.x.x 514 , I got flashing point ... View more

dear @richgalloway  May you help me and share with me the command I can use to check the below information you shared? I use centos 7 ?  I htave checked the syslog sender all are configured well to send logs into Splunk server log collector, But the problem is that I can't receive logs into splunk server log collector , what are the all troubleshooting to go through to check the root cause??kindly share with me all the command i can use to check all the services?  Thank you     ... View more

Dear nickhills, I have tried the the below, here is what i get: 1.         nc -z -v -u  public-IP  port  output: Ncat: Version 7.50 (https:/nmap.org/ncat) Ncat: Connected to Public-IP:port. Ncat: UDP Packet sent successfully Ncat: 1 bytes sent, 0 bytes received in 2.06 seconds.   2.      netstat -ln | grep port  tcp    0     0.0.0.0:port       0.0.0.0:*            LISTEN udp   0      0.0.0.0:port       0.0.0.0:*                          That are the output of the above command, in the second command there's no listening? how can I fix this? what is the issue ? ... View more

Dear @richgalloway , I was doing configuration in Splunk so that I could index the received logs into Splunk instance, And the error occurred when I tried to check if the logs well indexed well into splunk I used the same command I often use, index="name of index" host= syslog sender IP Actually I have done the same way I usual use before, but I've run into the issue,  have you ever experienced/seen such error before, and share with me what the root cause? also can you help me on how I can looks the search.log from Splunk through CLI? Thank you in advance. ... View more

Thank you @richgalloway ... View more

Dear @gcusello I have a question, forexample if you set that the data will be deleted at 6 months, means the data will be delete the data for six months till now or it delete the data and remains the data with the current? for example if you have started indexed the data in october. means the retention for six months will delete all the data until next February??? which means if like we're in April ,means I can't see data for January and February? ... View more

@Dear richgalloway, @ & All I was looking for the question same as mentioned above, @checking the port if are listening and open,if closed how to open, @Check if forwarder has completed processing log file (i.e. tailing process by using below URL) using CLI? @checking disk size but the Total not by partition df-h (size,used,available?to calculate the total size of all the disk? @Check on indexer if receiving is enabled on port 9997 and port 9997 is open on indexer using CLI? If not, how to enable it using CLI? @what you can advise me to check when you see logs is not being generated into splunk? @ how to Check out log file permissions which you are sending to Splunk. Verify if Splunk user has access to log file? @what are the Command to Checkout filesystem for last modification and verify if the forwarder is monitoring it? @and other basic troubleshooting to look/check you may have, it will be better if you share it, Thank you in advance ... View more

Dear PaveIP, the is the output of the command is: ps aux |grep -i splunk splunk 103.. 0.4 0.1 3537.. 1047.. ? Ssl Apr17 39:16 splunkd --under-systemd --systemd-delegate=no -p 8189 _internal_launch_under_systemd splunk 107.. 0.0 0.0 0 0 ? Z Apr17 0:00 [systemctl] splunk 108.. 0.0 0.0 814.. 95.. ? Ss Apr17 0:35 [splunkd pid=103..] splunkd --under-systemd --systemd-delegate=no -p 8189 _internal_launch_under_systemd [process-runner] root 1492.. 0.0 0.0 1127.. 996 pts/1 S+ 06:21 0:00 grep --color=auto -i splunk ... View more

@Dear PaveIP, @skoelpin , Dear PaveIP ,i have run those command, 1&2 command: I have choose the splunkd.log.5 which is last one on the splunkd log but not last file in running the command, And by looking on WARN and INFO gives me this below output: 04-23-2020 20:51:17.667 +0200 INFO TcpOutputProc - Connected to idx=host_Ip:9997 ,pset=0 , reuse=0. host=host_name source=/opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype=splunkd 04-23-2020 21:05:44.329 +0200 WARN TcpOutputFd - Connect to host_Ip:9997 failed . Connection refused host=host_name source=/opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype=splunkd 04-09-2020 07:26:01.921 +0200 IWARN LookupDataProvider - The Value fro timeformat '' is invalid. 04-11-2020 03:13:55.944 +0200 INFO TailReader -Batch input finished reading file='/opt/splunk/var/spool/splunk/1586567405_3259.stash_common_action_model' etc... NB: -here the problem is i don't know exactly what unknown error should i find to check ,here i find so many log information which i don't well understood,is there any known log error you know i could check on this ??what i was find i mentioned above seeing WARN and INFO, 3-command:systemctl status Splunkd if it is a systemd-enabled splunk running this ,even if splunkd is not running (./splunkd status) but using this command(systemctl ....) is showing me the below information: splunkd.service -Splunk service Loaded: loaded (/etc/systemd/system/splunkd.service;enabled;vendor preset: disabled) Active: active (running) since Sat 2020-04-18 02:14:21 CAT; 5 days ago process: 73xxx ExecStartPost=/bin/bash -c chown -R ....etc run grep -i splunk /var/log/messages Apr 23 20:10:01 splunksh systemd: Started Session 1065 of user root. Apr 23 19:50:01 Splunksh systemd: Removed Slice User Slice of root. Apr 23 20:37:35 Splunksh systemd-logind: New Session 1071of user root. etc.... but the same as above May you identify the error on the above information? for me to be honest i don't well understood on how to fetch error/investigate this info and find error and fix it???? I need help?? ... View more

Dear Skoelpin, addding log_level!="INFO" in search i got this: 04-23-2020 21:05:44.329 +0200 ERROR TcpOutputFd - Connection to host_Ip:9997 failed host=host_name source=/opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype=splunkd 04-23-2020 21:05:44.329 +0200 WARN TcpOutputFd - Connect to host_Ip:9997 failed . Connection refused host=host_name source=/opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype=splunkd running the query i got this above logs and others but it's the same only hours are changed but same error. ... View more