@abhisplunk1  Can you try below, [extracting_plugin_path] SOURCE_KEY = pluginText REGEX = (?s)Path\s*:\s*(?<plugin_path>.+?)(\\r|\\n) REPEAT_MATCH = true MV_ADD = true   Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@inventsekar  On busy DCs script can take longer than the default timeout to query. Can you run the powershell directly and see how long its taking and adjust your timeout accordingly. & 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-WinDNSAnalytical-inputs\bin\get_dns_analytics.ps1' Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

Thats interesting. Looks like bug or UI glitch. Any possibility for you to test this on version 10.x? ... View more

@Jcath  Can you run $SPLUNK_HOME/bin/splunk btool web list --debug This lists the effective web.conf settings and where they are loaded from, share this Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Jcath  Did you remove or edit your web.conf? Splunk Web is refusing to start because it can’t find the [settings] stanza in web.conf, most probably corrupted or deleted web.conf   If you deleted or modified your web.conf, add a file $SPLUNK_HOME/etc/system/local/web.conf with minimal and restart splunk [settings] httpport = 8000 Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@dm1  Capability 'use_file_operator' is not recognized by Splunk. Ignoring... Do you have any reference of use_file_operator in your authorize.conf? Any upgrade happened? You need to remove that entry from your authorize.conf as its not supported in your current splunk version. preserveStateDuringReload: Method not implemented - I think you can ignore this for now, its just a placeholder warning, might be for future use. Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@verbal_666  If you’ve removed the file, redeploy the app bundle to the search head cluster and verify again. index=_internal sourcetype=splunkd "quarantined lookup" or run the same rest call Alternatively, try adding at least a valid header row to the CSV, then push the bundle again and recheck. If the message still appears, it may be a UI glitch or require some time to clear automatically. Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Janis  Can you try with management port  https://localhost:8089/services/search/jobs?output_mode=json and basic authentication Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Mohammed123  It might be misconfigured index settings. Also might be because of bucket aging and cold storage limit/availability. Share your index settings along with storage details. splunk cmd btool indexes list notable --debug Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@GuruDayal  Did you install Splunk_TA_windows add-on also? XmlWinEventLog sourcetype require this add-on also to parse everything.  With Splunk_TA_windows and Splunk_TA_microsoft_sysmon add-on it should parse as expected. Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@GuruDayal  Did you verify your logs for cim complaint? Eg:    | tstats count from datamodel=Endpoint.Processes where index=sysmon_logs by Processes.process_name   Also why you are forcing sourcetype XmlWinEventLog:Microsoft-Windows-Sysmon/Operational ? Newer add-on sourcetype is XmlWinEventLog with source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" #https://splunk.github.io/splunk-add-on-for-microsoft-sysmon/Sourcetypes/ No need to force your sourcetype for the sysmon. Your UF inputs.conf should be something like this below,   [WinEventLog://Microsoft-Windows-Sysmon/Operational] disabled = false renderXml = 1 source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational index=sysmon_logs   And put sysmon add-on #https://splunkbase.splunk.com/app/5709 in your HF/Indexer where your parsing is happening Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@_Raj  As others mentioned, its not completely clear. But to start with if you are looking both class-level and school-level ranks, i would suggest use streamstats to put both results into one table eg: | streamstats count as class_rank by class | streamstats count as school_rank by school Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

Its bit tricky, since you are having nested json, but you can try something below,   |spath | spath input=Data path=Description output=Description | spath input=Data path="Entities{1}.SenderIP" output=SenderIP | spath input=Data path="Entities{1}.Recipient" output=Recipient | spath input=Data path="Entities{2}.Url" output=Url | table Description SenderIP Recipient Url Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Osama_Abbas1  As long as you see Flask metrics in the Controller, i think you can ignore this warnings. Warning highlights the agent tries to detect if your app is running on aiohttp, Since you’re using Flask, it just log the warning. Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@chandrasekhar46  Looks like Splunk’s auto JSON extraction is interrupted by the long/escaped message field. Are you using spath in your search? Can you try using spath | spath | table log.datetime log.emmsite log.env log.interface log.interfaceid log.objectname log.objecttype log.project log.side log.logtype log.ack_ai log.ack_gp or target the specific fields you need | spath path=log.logtype | spath path=log.transactionid | spath path=log.ack_ai | spath path=log.ack_gp Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@jfmph_  When you pass an IP to dnslookup, Splunk asks the OS resolver for the PTR record of that IP. If a PTR record exists in DNS, you’ll get back the hostname/FQDN. If no PTR record exists, the field will be blank. When you perform a reverse DNS lookup, you’ll receive whatever PTR record is defined in your DNS for that IP address. If the PTR record is present and correctly configured, the lookup will return the expected hostname. Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@danielbb  You can refer these 2 links, #https://splunk.my.site.com/customer/s/article/Where-does-parsing-happen-if-the-data-goes-through-multiple-Splunk-instances #https://help.splunk.com/en/splunk-cloud-platform/get-started/splunk-validated-architectures/getting-data-in-forwarding-and-preprocessing/intermediate-data-routing-using-universal-and-heavy-forwarders ... View more

@viku7474  Powerscale default api port is 8080, which is added by default to your inputs. #https://www.dell.com/support/manuals/en-us/isilon-onefs/ifs_pub_onefs_api_reference/onefs-api-access?guid=guid-fa46d99d-7df9-4b86-81a0-687893d9644c&lang=en-us If you are using custom port, one workaround you can perform is, Go to Splunk\etc\apps\TA_EMC-Isilon\bin\const.py Edit below setting with your custom port, restart splunk and try again. ISILON_PORT = "8080" Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@las  Once SSG is active, it can lists all reports that are shared to “App” or “All apps” scope. The workaround you can try is, restrict to specific roles. Reports not shared to the user’s role will not appear in Splunk Mobile. Also you can try disabling entire app in SSG, ideally this should not list reports/dashboards from that app in splunk mobile(This i havent tested, but should work) Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@viku7474  Yes you can remove datamodel_summary directories if you need to reclaim disk space. These directories only contain accelerated summaries of data models, so deleting them won’t cause data loss. The only impact is that splunk will need to rebuild the summaries the next time an accelerated data model is queried, which may temporarily slow down searches until the summaries are regenerated. Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Na_Kang_Lim  You don’t need to back up terabytes of raw index data to upgrade Splunk. As long as you perform a rolling upgrade of your indexer cluster and don’t delete or overwrite $SPLUNK_DB your indexed data will remain intact. But back up configurations. Indexed data lives under $SPLUNK_DB. You don’t need to tar this entire directory unless you want a full disaster-recovery backup. Backup your configs from etc. $SPLUNK_HOME/etc → all configs, apps etc.. During an in-place upgrade, Splunk preserves buckets. As long as you don’t wipe $SPLUNK_DB, your TBs of data remain usable. Upgrade Path -Upgrade from 8.1.2 → 9.0.x -Upgrade from 9.0.x → 9.2.10 Better to perform rolling upgrade. #https://help.splunk.com/en/data-management/manage-splunk-enterprise-indexers/9.2/deploy-the-indexer-cluster/upgrade-an-indexer-cluste Check this doc before upgrade #https://help.splunk.com/en/splunk-enterprise/administer/install-and-upgrade/9.2/upgrade-or-migrate-splunk-enterprise/about-upgrading-to-9.2-read-this-firs Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Praz_123  For each day if you want to check try below, index=_internal source="*license_usage.log" type=Usage earliest=-3d@d latest=@d | eval usage_in_GB = b/1024/1024/1024 | bin _time span=1d | stats sum(usage_in_GB) as daily_usage_GB by _time h | where daily_usage_GB > 2 | sort - daily_usage_GB | head 10 ... View more

@debsili05  Check your mongod.log and kvstore errors in the log. And what its showing when you check kvstore status ./splunk show kvstore-status Also run below and see what its showing ./splunk start-standalone-upgrade kvstore -version 7.0 -dryRun true Splunk recommended safest path to follow, which you can try. Also check for corrupted or oversized collections in PROD that may not exist in TEST/DEV. Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Hiattech  You don’t manually “roll” buckets each month — bucket movement (hot → warm → cold → frozen) is automatic, based on size, age, and retention settings in indexes.conf. Sample config you can adapt, [my_index] homePath = $SPLUNK_DB/my_index/db coldPath = /mnt/slowstorage/my_index/colddb thawedPath = $SPLUNK_DB/my_index/thaweddb # Keep data searchable for ~1 year frozenTimePeriodInSecs = 31536000 # Archive frozen buckets instead of deleting coldToFrozenDir = /mnt/archive/my_index/frozendb # OR use a script: # coldToFrozenScript = $SPLUNK_HOME/bin/scripts/archive_to_s3.sh Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more