Contact Splunk Support for access to older versions.  Don't accept code from random Internet users. ... View more

I fixed the command. ... View more

There are a few ways to onboard data into Splunk. Install a universal forwarder on the server to send log files to Splunk Have the server send syslog data to Splunk via a syslog server or Splunk Connect for Syslog Use the server's API to extract data for indexing Use Splunk DB Connect to pull data from the server's SQL database. Have the application send data directly to Splunk using HTTP Event Collector (HEC). ... View more

Have you verified the web server is enabled? splunk btool --debug web list | grep startwebserver ... View more

Please share the solution. ... View more

It's hard to evaluate the expressions without sample data, but I have doubts about the number of escape characters (particularly "\\s*").  Have you used regex101.com to verify the expressions? ... View more

I've seen that setting used like this transforms.conf [mytransform] INGEST_EVAL = queue=if(condition, "nullQueue", queue) STOP_PROCESSING_IF = queue=="nullQueue"   ... View more

Almost every search request is sent to your indexers and those indexers each have a uri.  This error message is generated when Splunk is no longer able to communicate with one of the indexers.  It could be because the indexer is down or because a network error prevents communication with it.  Verify all indexers are running and the search head can connect to them all. ... View more

Alerts do not record when they were created or updated.  You should be able to get that information from the _configtracker index, however. ... View more

Splunk can only track what is reported to it.  That means all systems must send logins, report and application accesses, file exports, etc.,  to Splunk.  Then you can use that data to build reports and alerts. Specifics will depend on what platforms and application you have as well as company policies. ... View more

Instead of using append, split the query into two separate queries.  They'll each run faster. The first table command probably is showing empty Date and Comments fields.  That's because those fields don't exist after the stats command. ... View more

It's not clear if you want to use Splunk to track user activity on other systems or if you want to track what users do in Spunk itself. The former will depend on what events are sent from the systems of interest to Splunk.  These probably will include Windows event logs and/or Linux audit logs. The latter can be done by searching _audit and _internal (especially the splunkd_access and splunkd_ui_access sources). ... View more

When Splunk monitors a file, it monitors the entire file.  There is no mechanism for starting somewhere in the middle. This is not to be confused with the ignoreOlderThan setting which tells Splunk to skip a file that is too old. ... View more

That is correct. Also what @PickleRick said. ... View more

Unlike the Cluster Manager Splunk makes no provision for HA in the Monitoring Console (MC).  That means changes on one node will not automatically happen in the other.  Setting up the MC as a search head cluster (SHC) may help, but that's an unsupported configuration and is not known to replicate MC artifacts.  Using an SHC adds complexity and means you'll need four VMs, three for the cluster and one for a deployer. Having multiple MC hosts also adds to the search load imposed on the monitored instances. A load balancer is not strictly necessary since there's no read load to balance.  You can achieve the same goal with DNS round-robin. ... View more

You could do that, but I don't advise it.  When those VMs are rehydrated their Splunk license will (probably) be expired so they will not function in the same distributed fashion they do now. A better approach would be to archive a fresh download of the current Splunk software version.  When you need the archived data, launch a few VMs (a search head and some indexers), install the software, and thaw the data.  The fresh software installation will give you 30 days of distributed functionality. You could use a single VM on which to thaw the data and search it.  That gives you an unlimited period for searching (no license expiration after the switch to Free in 30 days), but will be much slower since it's just one indexer performing the search. Be warned that your "time capsule" of data may become the equivalent of an 8-track tape in a few years.  The current version of Splunk may not support the OS you're using (or is available) when you need the archived data.  Future versions of Splunk may not support the index format used today (although that's unlikely). ... View more

You must have permission to open/view cases before the dropdown will populate.  Contact your portal admin or the person who owns your Splunk license if you need to be on the entitlement. ... View more

PS can migrate live data to your Splunk Cloud stack.  I'm pretty sure they cannot migrate frozen data (couldn't when I was in PS).  The data will live only as long as you are subscribed to Splunk Cloud, however (plus 30-ish days). ... View more

Frozen data cannot be restored to Splunk Cloud.  You must stand up your own Splunk instances (local or virtual) for thawed data. ... View more

Yes, there is a way to troubleshoot.  Run the alert query manually and modify it until the expected results are produced. If you want help with this, please share the alert SPL. ... View more