@sawwinnaung  Try below, props.conf [linux_audit] TRANSFORMS-set = discard_proctitle [source::/var/log/audit/audit.log] TRANSFORMS-set = discard_proctitle transforms.conf [discard_proctitle] REGEX = type=PROCTITLE DEST_KEY = queue FORMAT = nullQueue Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@Andre_  You are correct. Unlike file-based inputs, Windows Event Log inputs in Splunk Universal Forwarder (UF) do not provide a built-in option in inputs.conf to exclude events based on their age at collection time. This means you cannot natively configure the UF to only ingest Windows events newer than 7 days during onboarding. But, If you want to ingest only new Windows Event Log events (and skip all historical data), set current_only = 1 in your inputs.conf. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@dinesh001kumar  1-Due to security restriction, normally you can't upload or reference custom js files directly in the cloud. You can raise a support request to include simple xml js extensions for review and to upload it for you. 2-You can use the <html> panel in Simple XML dashboards for custom HTML, but it is limited. Normally you cannot use inline JavaScript, and some HTML elements may be restricted. Alternative - Unfortunately use the built-in features of Dashboard Studio or Simple XML extensions. For specific needs, reach out to Splunk Cloud Support to request a review and upload of vetted JS/CSS files. Audio Support-Dashboard Studio does not natively support embedding or playing audio files. As a workaround, you could set up external alerting (e.g., send a webhook/email to a system that plays audio) Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@Trevorator  I dont think there is any Splunk setting to enable automatic retry or continuation for .tsidx file operations. The only way to ensure all data is accelerated and .tsidx files are preserved is to maintain a healthy infrastructure and address any resource limitations. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@Raghavsri  Whats the version of splunk you are running? Also to start with, check few options. Review logs: Look for errors, warnings, or abnormal behavior in splunkd.log Check destination health: Ensure that SyslogNG and the second indexer cluster are healthy and accepting data efficiently Also If HF2 is not able to forward data fast enough (due to network, destination, or performance issues), the queue fills up, consuming memory Memory upgrade: Increasing memory on HF2 may help if the issue is due to legitimate high data volume and not a leak or misconfiguration. However, if the problem is a memory leak/bandwidth issue, increasing memory will only delay the inevitable crash Load Balancing: Consider load balancing across multiple HFs if possible, to distribute the data load Monitor memory usage: Set up alerts for high memory usage to detect issues early. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@SN1  If you must move indexed data from the indexer to the Search Head, you can copy the data files,  Stop Splunk on both the indexer and the Search Head. Copy the index data directories from the indexer to the Search Head: Example: Copy $SPLUNK_HOME/var/lib/splunk/<index_name> from the indexer to the same path on the Search Head. Ensure file ownership,permissions,storage size,os and splunk versions are correct on the Search Head. Also make sure you have configuration for the indexes.conf for the indexes you have. Start Splunk on the Search Head. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@SN1  To clarify your scenario, You want Search Head to query the indexer for data as needed or having data on the Search Head for  testing/some reason without using the indexer? ... View more

@a1bg503461  The error highlights that, opt_ca_certs_path is not defined in your configuration Are you using SSL/TLS with Elasticsearch? If yes Make sure you mention your .crt path in your config Eg: opt_ca_certs_path = /path/to/your/ca.crt If you are not using SSL/TLS, then try below in your config use_ssl = 0 # opt_ca_certs_path = Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@cdevoe57  As mentioned by @bowesmana  Its not best to use join, as it can sometimes cause fields from lookup to be lost. but anyway can you try below if you still want to use join, | inputlookup system_info.csv | eval System_Name=System | join type=left System_Name [ | search index=servers sourcetype=logs | stats latest(_time) as Time by System_Name | eval mytime=strftime(Time,"%Y-%m-%dT%H:%M:%S") | eval now_time = now() | eval last_seen_ago_in_seconds = now_time - Time ] | stats values(*) as * by System_Name | lookup system_info.csv System_Name OUTPUT Location Responsible | eval MISSING = if(isnull(last_seen_ago_in_seconds) OR last_seen_ago_in_seconds>7200,"MISSING","GOOD") | where MISSING=="MISSING" | table System_Name Location Responsible MISSING or you can also try and check below, without join. index=servers sourcetype=logs | stats latest(_time) as Time by System_Name | eval last_seen_ago_in_seconds = now() - Time | eval MISSING = if(isnull(last_seen_ago_in_seconds) OR last_seen_ago_in_seconds>7200, "MISSING", "GOOD") | where MISSING=="MISSING" | lookup system_info.csv System_Name OUTPUT Location Responsible | table System_Name Location Responsible MISSING last_seen_ago_in_seconds | sort -last_seen_ago_in_seconds Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@caschmid  \d+ matches only digits, not any word. If "This is my" is always constant, you can try below rex field=_raw "This is my (?<string>\w+)" | stats count by string Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@ND1 Agreed with @sainag_splunk   Also, Most ES dashboard expects data in CIM fields or from a specific data model/summary index. Check fields Run your correlation search in Search & Reporting Use the field picker to see if required CIM fields are present If not, review your field extractions or data model configurations Check Datamodel | datamodel <datamodel_name> search If the data model is empty, review your data sources and field extractions. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@tgulgund  Unfortunately i dont think dashboard studio can set auto refresh for entire dashboard in a single config, auto-refresh is set per data source. You must define the refresh interval for each relevant data source in the dataSources section of your dashboard JSON Eg: "dataSources": { "myDataSource": { "type": "ds.search", "options": { "query": "your search here", "queryParameters": { "earliest": "-48h@h", "latest": "@h" }, "refresh": "5m", "refreshType": "delay" } } } #https://docs.splunk.com/Documentation/Splunk/9.4.2/DashStudio/dsOpt Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@ww9rivers  The message File too small to check seekcrc, probably truncated. Will re-read entire file indicates that Splunk detected that /var/log/messages was truncated. Would you mind checking your logrotate setup? Splunk interprets file truncation as a reduction in size and will restart reading from the start of the file. Troubleshooting 1-Review your logrotate config or Temporarily disable log rotation for this file to verify whether it is causing the issue. 2-Add a test message to /var/log/messages and verify whether Splunk is ingesting the new entry. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@Raj_Splunk_Ing  Modify Your Python Script in Alteryx: You need to find the part of your Python script where you build the URL or the parameters for the HTTP request to Splunk. You will then add a tz parameter to that request, setting its value to the time zone string you found in your splunk ui timezone. Eg: params = { 'search': spl_query, 'output_mode': 'csv', 'tz': splunk_ui_timezone } url adding tz parameter https://server/services/search/jobs/export?search=search%20index%3Dcfs_apiconnect_102212%20%20%20%0Asourcetype%3D%22cfs_apigee_102212_st%22%20%20%0Aearliest%3D-1d%40d%20latest%3D%40d%20%0Aorganization%20IN%20(%22ccb-na%22%2C%22ccb-na-ext%22)%20%0AclientId%3D%22AMZ%22%20%0Astatus_code%3D200%0Aenvironment%3D%22XYZ-uat03%22%0A%7C%20table%20%20_time%2CclientId%2Corganization%2Cenvironment%2CproxyBasePath%2Capi_name&tz=America%2FChicago&output_mode=csv Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@tangtangtang12  NEAPs are primarily triggered when an episode's severity changes (e.g., Normal -> Critical, or Critical -> High) or when a new notable event matches the policy. The most robust and common way to achieve this involves using a Saved Search You need a search that identifies services currently in a critical or high state. Eg: | itsi_get_service_health | search service_health_score > 0 AND service_health_score < 60 /* Or whatever your critical/high thresholds are. Typically: Critical < 40, High < 60 (or similar) Adjust based on your ITSI configuration. */ | rename title AS itsi_service_name | fields itsi_service_name, service_health_score, severity_label | eval alert_message = "ITSI Service " + itsi_service_name + " is still " + severity_label + " (Health: " + service_health_score + ")." Then save as a Saved Search/Alert with your desired schedule. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@danielbb  _time is being set by the Tenable Add-on itself, using a timestamp field from the Tenable API response (e.g., last_seen, last_found). DATETIME_CONFIG = NONE in props.conf for tenable is intentional to prevent Splunk from trying to re-parse _time from the event's raw data and potentially overriding the TA's carefully chosen timestamp Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@mchoudhary  Multiple appends: Fundamentally, this is the main performance killer. You're running 6 distinct "heavy" searches. Main performance killer is on the transaction in EDR: The transaction "event.DetectId" command is notoriously resource-intensive, especially over a 6-month period. It should be avoided if at all possible, or its scope drastically limited   Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@mohsplunking  @sainag_splunk  already explained very well. But If your goal is simply: UF (collects, basic sourcetype=WinEventLog:Security or sourcetype=linux_secure set by DS) -> HF (aggregates, forwards) -> Indexer (parses fields like EventCode, user, sshd_pid etc.) then you do not need the full Splunk_TA_windows or Splunk_TA_nix on the Heavy Forwarder. The indexers(with TA's) will handle the detailed parsing. But it becomes necessary IF you want the HF to perform actions that rely on the knowledge within that TA (like parsing fields to use for routing, or specific sourcetype recognition that isn't happening on the UF) Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@Amira  Identify your exact index and sourcetypre for your data. Make sure your datamodel Cisco_SDWAN root event constraints have the same index and sourcetype. Are there events with the root event constraint search? If not, your syslog data isn't being assigned the correct sourcetype/index that the app's data model expects. Also check Data Model Acceleration status Check the "Status" or "Acceleration" column. Is it enabled? Is it 100% built? - If not, Enable acceleration. If acceleration seems stuck, incomplete, or you suspect corruption - try to rebuild. Disk space summaries full? - Check your indexer disk space via the Monitoring Console (Settings > Monitoring Console > Indexing > Indexes and Volumes). If the volume holding the summaries is full, acceleration will fail. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@Raj_Splunk_Ing  This is generally because API call normally defaults to UTC. So specify time zone in API call. If you are using Splunk python SDK, then try "tz": "America/Chicago" as search parameter. By adding the tz parameter with your local time zone ("America/Chicago" for CST), you instruct Splunk to interpret earliest=-1d@d and latest=-0d@d relative to that timezone, making the API search behave identically to your UI search in terms of the time window. This should resolve the discrepancy in event counts Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@mchoudhary  You can try below sample xml dashboard code <form> <label>Index Sourcetype and Host/Source Explorer</label> <fieldset submitButton="false" autoRun="true"> <input type="dropdown" token="selectedIndex" searchWhenChanged="true"> <label>Select Index:</label> <choice value="*">All</choice> <search> <query> | rest splunk_server=local /services/data/indexes | search disabled=0 | stats count by title | fields title | rename title as index_name </query> <earliest>-1s</earliest> <latest>now</latest> </search> <fieldForLabel>index_name</fieldForLabel> <fieldForValue>index_name</fieldForValue> <default>*</default> </input> </fieldset> <row> <panel> <table> <title>Details for Index: $selectedIndex$</title> <search> <query> | tstats values(sourcetype) as sourcetypes, dc(host) as host_count, dc(source) as source_count where index="$selectedIndex$" <!-- Use the token here --> by index | eval sourcetypes = mvjoin(sourcetypes, ", ") </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="count">20</option> <option name="refresh">5m</option> <option name="refresh.auto.interval">300</option> </table> </panel> </row> </form> Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more