@jscraig2006 That's strange. As you mentioned, rolling a bucket from hot to warm should not change field extraction. Can you keep your props simple, like removing PREAMBLE_REGEX? The setting below should be fine to start with, e.g.:

[mysourcetype]
INDEXED_EXTRACTIONS = csv
HEADER_FIELD_LINE_NUMBER = 1
FIELD_NAMES = FileDate,Field_1,Field_2,Field_3
TIMESTAMP_FIELDS = FileDate
TIME_FORMAT = %Y-%m-%d %H:%M:%S
SHOULD_LINEMERGE = false

And validate and confirm the active sourcetype settings:

$SPLUNK_HOME/bin/splunk btool props list mysourcetype --debug

Then test with a sample csv, roll the bucket manually and confirm the fields remain correct. Regards, Prewin 🌟 If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
@gpinedo By default data sharing is enabled, but you have the option to disable it. It's always better to go into detail about the license agreement and terms: https://help.splunk.com/en/splunk-cloud-platform/search/splunk-ai-assistant-for-spl/1.1.1/additional-resources/share-data-in-splunk-ai-assistant-for-spl Regards, Prewin 🌟 If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
@charbelcharro Splunk ITSI offers the capability to utilize preloaded standard KPIs for database monitoring or to define custom KPIs, which can then be mapped to a specific service. Additionally, you can leverage the Deep Dive feature to analyze these metrics in greater detail and gain comprehensive insights into service performance (single window). Are you planning to replicate this in Splunk Enterprise? Regards, Prewin 🌟 If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
If for any reason you aren't able to index locally using selectiveIndexing (e.g. small local disk) but can forward to your indexers, then I have found that setting the Deployment Server up to be able to search against the search peers also fixes the UI and allows management of the agents without local indexing.

🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
@chandrasekhar46 Where have you placed your WQL query for sourcetype="WMI:Service"? It’s recommended to also deploy Splunk_TA_windows on your Heavy Forwarder, as it already includes a parser for this. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
@Keigo Can you also try it in the global settings? Refer to this: https://community.splunk.com/t5/Installation/Remove-port-from-Splunk-alert-URLS-WITHOUT-changing-actual-web/m-p/677018/highlight/true
@msmouse05 Splunkd (the management port on 8089) is still presenting the built-in SplunkServerDefaultCert. To remediate, you need to replace the default server.pem in $SPLUNK_HOME/etc/auth/ with a certificate issued by your internal CA that has the correct hostname in its CN/SAN, and then update server.conf to point Splunkd at that certificate and its private key. Restart Splunkd afterward so it uses the new cert. Follow the doc below: https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.2/secure-splunk-platform-communications-with-transport-layer-security-certificates/configure-tls-certificates-for-inter-splunk-communication Regards, Prewin 🌟 If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
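A way to verify the remediation the answer above describes, as an added example that is not part of the original post or of Splunk's own tooling: the checker below reads a certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, flags the shipped SplunkServerDefaultCert by its CN, and confirms that the expected hostname appears in the SAN (or CN). The two sample certificates, the hostnames and the helper names are constructed for illustration. The optional fetch_and_assess() helper connects to the management port with the internal CA bundle, so a certificate that CA did not issue shows up as a verification failure rather than a parsed certificate.

```python
import socket
import ssl
from typing import Optional

# CN of the certificate Splunk ships by default (named in the answer above).
SPLUNK_DEFAULT_CN = "SplunkServerDefaultCert"

# Constructed samples in the shape returned by SSLSocket.getpeercert().
# They are not real certificates from any Splunk instance.
SAMPLE_DEFAULT_CERT = {
    "subject": ((("commonName", SPLUNK_DEFAULT_CN),),),
    "subjectAltName": (),
}
SAMPLE_CA_ISSUED_CERT = {
    "subject": ((("commonName", "splunk-idx01.corp.example"),),),
    "subjectAltName": (("DNS", "splunk-idx01.corp.example"), ("DNS", "*.corp.example")),
}


def common_name(cert: dict) -> Optional[str]:
    """Extract the subject CN from a getpeercert()-style dictionary."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def dns_names(cert: dict) -> list:
    """All DNS names the certificate is valid for: SAN entries first, then the CN as a fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = common_name(cert)
    if cn and cn not in names:
        names.append(cn)
    return names


def name_matches(hostname: str, pattern: str) -> bool:
    """Case-insensitive hostname match; a wildcard is only honoured as the entire leftmost label."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if pat.startswith("*."):
        h_labels, p_labels = host.split("."), pat.split(".")
        return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]
    return host == pat


def assess_cert(cert: dict, expected_host: str) -> dict:
    """Report whether the certificate is still the Splunk default and whether it covers expected_host."""
    cn = common_name(cert)
    names = dns_names(cert)
    return {
        "common_name": cn,
        "is_splunk_default": cn == SPLUNK_DEFAULT_CN,
        "hostname_matches": any(name_matches(expected_host, n) for n in names),
        "names": names,
    }


def fetch_and_assess(host: str, port: int = 8089, cafile: Optional[str] = None,
                     timeout: float = 5.0) -> dict:
    """Connect to the management port and assess the served certificate (hypothetical helper).

    With the internal CA bundle passed as cafile, the handshake is verified, so a certificate
    that CA did not issue (for example the default self-signed one) is reported as untrusted.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return assess_cert(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return {"error": f"certificate not trusted by the supplied CA: {exc.verify_message}"}


if __name__ == "__main__":
    for label, cert in (("default", SAMPLE_DEFAULT_CERT), ("ca-issued", SAMPLE_CA_ISSUED_CERT)):
        print(label, assess_cert(cert, "splunk-idx01.corp.example"))
```

Run fetch_and_assess("your-splunk-host", cafile="/path/to/internal-ca.pem") after the restart; a result without "error", with is_splunk_default False and hostname_matches True, is what the remediation should produce.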
Hi @tgulgund It is possible to use Custom Visualizations such as Network Diagram Viz in Dashboard Studio in Splunk (Cloud) 10.1 and later, but it is not yet possible for on-premise users as 10.1 has not been released for on-premise installation. Based on the recent release cadence I would expect this to be available for on-premise customers within the next few months. Check out https://help.splunk.com/en/splunk-cloud-platform/create-dashboards-and-reports/dashboard-studio/10.1.2507/visualizations/custom-visualizations for more information. Custom Viz can be selected from the regular Visualization dropdown in Dashboard Studio. Here is an example of the D3 Sunburst Custom viz.

🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Adding to what has already been said - I would not recommend doing OS maintenance without a Splunk admin assist (or at least available on call). It is not OS administrator's area of competence to verify whether Splunk has shut down correctly, started correctly, is working correctly and so on. What if something happens when your environment is in maintenance mode? Will your OS admins be able to handle it properly? I wouldn't expect them to because it's not their job.
@Gregski11 Yes, this issue exists in version 10.0 as well. GUI workarounds:
- Go to Settings → Data Inputs → Remote Event Log Collections → New Event Log Collection, then select Choose logs from this host and enter localhost.
- Alternatively, use Add Data → Monitor → Local Event Logs.
Regards, Prewin 🌟 If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
https://help.splunk.com/en/splunk-enterprise/manage-knowledge-objects/knowledge-management-manual/9.4/get-started-with-knowledge-objects/the-sequence-of-search-time-operations#ariaid-title2 KV_MODE-based extractions take place _after_ REPORT and EXTRACT so you can't rely on fields extracted with automatic json parsing in your transform. You might try to rewrite your extraction as a calculated field using text functions but that might be tricky.
@danielbb The Splunk recommended upgrade path is 3.x.x -> 3.18 -> 4.x: https://docs.splunk.com/Documentation/DBX/latest/DeployDBX/MigratefromDBConnectv1 So I recommend taking a backup of your existing dbconnect app, upgrading to 3.18, verifying all your identities and connections are working as expected, and then planning for the upgrade to 4.x. Note: I tested an upgrade straight from an older 3.x release to 4.1, and my config was lost. Regards, Prewin 🌟 If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Bah... that's strange... I tried first to delete completely the Deployer "var", totally reinstall the 9.4.5 SH-Cluster, and the problem has gone 🙄 It seems it was a first cluster notification that was stuck somewhere. I also deleted all the "var" from all SHC and relaunched the SHC bootstrap. Nothing happened. Really do not know 😦 SPLUNK has some very strange behaviours sometimes 🤔
Hi @Jcath Can you confirm that the ownership of all the files in $SPLUNK_HOME/etc/system/default is set to the correct user that splunk is running as (usually 'splunk')? Unless you have removed any default files, Splunk should be able to read the default values from the web.conf there, so it seems like it could be a permissions issue.

🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @dm1 The capability 'use_file_operator' is part of a deprecated feature. Whilst it is still listed in the docs (https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities), it has no effect and can be ignored. This is a benign error and not causing any issues. You can find out where this is being applied by running btool and looking for 'use_file_operator':

$SPLUNK_HOME/bin/splunk btool authorize list --debug

Regarding the memory limit error, this could be a number of things: are you running inside a container? Is selinux enabled? Are you using the out-of-the-box systemd configuration? Check out https://help.splunk.com/en/splunk-enterprise/administer/troubleshoot/10.0/system-administration-problems/i-get-errors-about-ulimit-in-splunkd.log#Set_limits_using_the_.2Fetc.2Fsystemd_configuration_files for more info on configuring systemd and setting the memory limit within it, which might help.

🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Thanks for the advice! I will keep that in mind, when I try it again. Now I will focus on the application and play with data and visualization 🙌. See You!
@Mohammed123 It might be misconfigured index settings. It might also be because of bucket aging and the cold storage limit/availability. Share your index settings along with storage details:

splunk cmd btool indexes list notable --debug

Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
1. XmlWinEventLog (or whatever the case is - it's not important) is the right sourcetype for XML-formatted Windows events. It's the source that distinguishes from which eventlog channel the event came.
2. Your data seems to be parsed properly (you have your fields extracted). It is not "prettified" in the UI but that's normal behaviour.
3. "Need this ASAP" doesn't work here. It's not a free support service. You want something done quickly? Find and engage your local Splunk Partner.
Hello,

| makeresults format=csv data="student_id,student_name,class,school,subject,score
1,Alice,10A,School1,Math,85
2,Bob,10A,School1,Math,72
3,Charlie,10B,School1,Science,90
4,David,10A,School2,Math,65
5,Eva,10B,School2,Science,88"
| top score class school
| streamstats count as ClassLevel by class
| streamstats count as SchoolLevel by school

Thank You!
Upgrade Path
- Upgrade from 8.1.2 → 9.0.x
- Upgrade from 9.0.x → 9.2.10

9.0.x are no longer present on the Splunk repository. It's possible to upgrade:
- Upgrade from 8.x.x → 9.1.x [if there's a SH Cluster, follow how to upgrade KVSTORE/MONGODB]
- Upgrade from 9.1.x → 9.4.x
- Upgrade from 9.4.x → 10.x.x
Hi Prewin. The Role solution is not viable for us, as the role is allowed to see the report, but the data must not leave on-prem, so that is unfortunately not an option. I have disabled all apps, except a few that have the dashboards for Mobile, but SSG shows reports from apps that are not enabled in SSG. It is a good suggestion, but not workable in our case. Kind regards las
Unless your shared event is butchered by your sharing method, it is NOT a valid JSON object. You can test this with Python's json.tool module:

python3 -mjson.tool <<<'<your event text>'

json.tool will tell you that the message is incorrectly quoted, as @ITWhisperer suggests: "Invalid \escape: line 14 column 39 (char 304)". When the event is not valid, of course Splunk will butcher extraction. (I have also tested with spath - it cannot extract all fields.) If you have sanitized the sample event, make sure you preserve JSON syntax precisely. Share in a code box, not as plain text. Otherwise you need to examine your ingestion, even question your developers about the original content.
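The same check the post runs by hand with json.tool, as an added example that is not part of the original post: it uses Python's json module to report the decoder's message and position for a single event, shows the text around the failure, and runs the check over a batch of events so that a file of ingested lines can be triaged for exactly this kind of defect. The two sample events and the helper names are constructed for illustration; the bad one carries an unescaped backslash, which is the "Invalid \escape" error the post quotes.

```python
import json
from typing import List, Tuple

# Constructed sample event: the single backslashes in the Windows path are not valid
# JSON escapes, so the decoder rejects the text. Not the original poster's event.
BAD_EVENT = '{"host": "web01", "path": "C:\\Temp\\file.txt", "msg": "ok"}'
# The same event with the backslashes doubled, as a correct JSON producer must emit them.
GOOD_EVENT = '{"host": "web01", "path": "C:\\\\Temp\\\\file.txt", "msg": "ok"}'
# Constructed batch, e.g. lines read from an ingestion sample.
SAMPLE_BATCH = [GOOD_EVENT, BAD_EVENT, '{"host": "web02", "msg": "fine"}']


def context_at(text: str, pos: int, width: int = 12) -> str:
    """Return the characters around pos with a marker at the failure point."""
    start = max(0, pos - width)
    return text[start:pos] + " <HERE> " + text[pos:pos + width]


def validate_event(text: str) -> dict:
    """Parse one event the way json.tool does and describe the first defect, if any.

    The position reported is the decoder's own (json.JSONDecodeError.pos), so it lines
    up with the "line N column M (char K)" text that json.tool prints.
    """
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as exc:
        return {
            "valid": False,
            "error": exc.msg,
            "line": exc.lineno,
            "column": exc.colno,
            "pos": exc.pos,
            "context": context_at(text, exc.pos),
        }
    return {"valid": True, "object": obj}


def find_bad_events(events: List[str]) -> List[Tuple[int, str, int]]:
    """Triage a batch: (1-based line number, decoder message, char position) for each invalid event."""
    bad = []
    for lineno, text in enumerate(events, start=1):
        verdict = validate_event(text)
        if not verdict["valid"]:
            bad.append((lineno, verdict["error"], verdict["pos"]))
    return bad


if __name__ == "__main__":
    print(validate_event(BAD_EVENT))
    print(validate_event(GOOD_EVENT)["object"]["path"])
    print(find_bad_events(SAMPLE_BATCH))
```

If every event in a sample passes validate_event() but Splunk still misses fields, the problem is somewhere in the ingestion path rather than in the producer's JSON; if the batch triage flags lines, the positions tell the developers exactly which characters to fix.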
@Osama_Abbas1 As long as you see Flask metrics in the Controller, I think you can ignore these warnings. The warning highlights that the agent tries to detect if your app is running on aiohttp; since you're using Flask, it just logs the warning. Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!