It's not clear if you want to correlate Splunk data in your ITSM product or ITSM data in Splunk. There are a few ways to onboard data into Splunk. Install a universal forwarder on the server to send log files to Splunk Have the server send syslog data to Splunk via a syslog server or Splunk Connect for Syslog Use the server's API to extract data for indexing Use Splunk DB Connect to pull data from the server's SQL database. Have the application send data directly to Splunk using HTTP Event Collector (HEC). There are REST API calls available for getting data out of Splunk. Let us know which you are trying to do and we'll point you toward to relevant docs.   ... View more

Use the table command to put the fields in the desired order | chart sparkline count by a,b | table a b count sparkline   ... View more

There is no way to mitigate the vulnerability except to install the next version of Splunk that includes a fix.  We don't know which version that will be, but Splunk typically announces when vulnerabilities are fixed.  Check out https://advisory.splunk.com/ ... View more

Thanks for clarifying. While Splunk Enterprise can be installed on Windows workstations, that's typically done for dev/test purposes.  Workstations don't have the horsepower to handle enterprise quantities of data. The typical model is to install SE on shared servers (on-prem or virtual) with all other enterprise devices running a Universal Forwarder to send data to SE. ... View more

These are two different problems. For the first, know that Splunk indexes are immutable.   Data cannot be removed selectively.  My advice is to copy  the desired data to a new index (use the collect command) and then delete the contents of main. For the second, I presume you're referring to the list of forwarders in the Monitoring Console.  The "missing" forwarders can be removed by clicking the "Rebuild asset list" button. ... View more

Why are you installing Splunk on every Windows system?  It should be installed on a central server and accessed via web browser. Perhaps you're referring to the Splunk Universal Forwarder.  That should indeed be installed on each machine, but do it as part of the system image.  If that's not possible then I know customers have installed it using GPO. To prevent Splunk from asking for credentials, supply them when launching the installation.  See the installation manual.   ... View more

You may want to contact the developer directly at support@pingidentity.com ... View more

Searches are delayed because too many searches are trying to run at the same time.  There are a few things you can do about it. Ensure all instances meet or exceed Splunk's Reference Hardware specification. Ensure Splunk Enterprise Security runs on a dedicated Search Head (or SHC).  Do not run searches unrelated to ES on that SH. Eliminate unneeded scheduled searches. Prohibit real-time searches. Verify all scheduled searches complete as quickly as possible.  Do this by minimizing their search windows and using efficient searches. Implement Allow Skew and Schedule Windows. Distribute search run times evenly across the clock.  Avoid running at peak times such as 0, 15, 30, or 45 minutes of each hour. Consider using Workload Management to control the search behavior of users. Move daily/weekly/monthly scheduled searches to off hours. ... View more

Please contact your Splunk account team or the Partner from which you purchased Splunk for answers to pricing questions.  Only they will have the correct answers. ... View more

No, you are not losing "Running" from each event.  Only the first capture group in LINE_BREAKER is discarded from the event. However, positive and negative lookaheads do not perform well in Splunk so they should be avoided. ... View more

Always.  It never hurts to have it and can help when the UF has to break an S2S packet.  Don't forget to also set EVENT_BREAKER_ENABLE=true. ... View more

Positive lookahead wastes resources.  Over millions of events, those extra cycles add up to excess SVC consumption.  This works better LINE_BREAKER = ([\r\n]+)Running ... View more

It's not that simple and we don't have enough information.  Have a conversation with your Splunk account team and they will be able to give you the answer that fits your environment. ... View more

Subsearches are performed first, before the main search executes.  That's why there's nothing for the lookup command to find. ... View more

What you're trying to do seems like overkill for a data dictionary.  It also ignores queries contained in saved searches.  I don't see how parsing search queries helps build a data dictionary; although I can see how it might show what data people are searching for. When I work with my customers to build data dictionaries, we use nightly scheduled searches to pull lists of sources and sourcetypes from the indexes.  Using the tstats command makes this fast and lightweight. | tstats count where index=* by index,sourcetype | outputlookup DD_sourcetypes.csv.gz Once the lookup file is created, you can use it to build your Data Dictionary dashboard. Don't forget to add logic that trims the lookup file or else it might grow forever. ... View more

1. This information is available from the eai:acl.app and label fields, respectively. 2. Not all panels have a name.  To get the names, parse the eai:data field and pull out the dashboard.row.panel.title and form.row.panel.title elements. | rest splunk_server=local /servicesNS/-/-/data/ui/views | fields eai:acl.app label eai:data | rename eai:* as * | spath input=data | rename dashboard.* as *, form.* as * | fields acl.app label row.panel.title Note that this SPL works only with Simple XML dashboards.  That's because Dashboard Studio uses a very different name scheme for elements and because the spath command fails on DS dashboards because it contains JSON nested within XML. 3. This is tricky because base searches can exist both within and without a panel.  Also, you'll probably want to retrieve the earliest and latest elements for each query. 4. This is in the row.panel.search.query and row.panel.*.search.query elements, however, not all panels have a query. 5. This is another tricky bit.  The data returned above will be multi-valued since there may be many elements with the same name ("row.panel.table.search.query", for example).  Mapping a panel name to its query will be a challenge. If you still want to attempt this (and, like @ITWhisperer , I wonder about the utility of this), then consider using Python instead of SPL to do it. Depending on the use case, it may be possible to get much of the same information from Splunk's internal logs.  Tell us more about the use case so we might offer other solutions. ... View more

Have you tried fixing the inputs.conf error to see if that makes a difference? ... View more

It may help to enumerate the data fields rather than have Splunk extract them from the input file.  Use the FIELD_NAMES setting to do that.  See https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.0/configuration-file-reference/10.0.2-configuration-file-reference/props.conf#:~:text=set)%3A%20not%20set-,FIELD_NAMES,-%3D%20%5B%20%3Cstring%3E%2C...%2C%20%3Cstring%3E%5D%0A*%20Some ... View more

Contact your Splunk account team.  They will look at your Splunk usage and will be able to determine if you can save any money by switching to workload pricing. ... View more

TIME_PREFIX is the wrong setting to use for CSV files.  Use TIMESTAMP_FIELDS, instead. Also, the TIME_FORMAT setting should be "%Y-%m-%d %H:%M:%S to pick the time as well as the date of the events. ... View more

Make sure you installed a Splunk package that is compatible with your platform (Windows, ARM, etc). ... View more

Deployment Servers (DS) do not process data.  They're only for managing forwarders.  The forwarders contact the DS, get a list of apps, then download and install them.  Typically, one of those apps contains an outputs.conf file that tells the forwarder how to connect to Splunk Cloud (including the required certificate). All forwarders *should* send their data directly to Splunk Cloud.  In some circumstances, however, it may be necessary to send the data to an intermediate forwarder (IF) that then sends it to Splunk Cloud.  The IF should NOT be the DS. Contact Splunk Support by phone or via the support portal. ... View more

Access to splunkd.log is available to anyone whose role gives them access to the _internal index.  The TA's logs should be in the same index. If you don't have access, contact your Splunk Admin. ... View more

It depends on what data you're trying to get from AWS to Splunk Cloud.  Splunkbase has add-ons for CloudWatch, CloudTrail, GuardDuty, and others.  You probably should look at the Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) first, however. ... View more