My search is that I have to log in the client machine, which needs to be ingested into Splunk Cloud- so I have deployed the inputs from deployment master and the app has successfully reached the client machine. Actually the log which I have ingested is last updated on 8th Sep 2019, but I have done the configurations on today (11th Sep 2019) so when I search the data in Splunk Cloud I wasn't able to see the logs into Splunk Cloud. So my search is so that the old data (8th Sep 2019) logs will be also ingested into Splunk Cloud? If yes, then in my case why it's not getting ingested? If no, then this is how the mechanism of Splunk works. Kindly confirm the same. Input Stanza: [monitor:///ijk/lmn/otp.log] sourcetype = xyz index = abc disabled = 0 So kindly help on the same. ... View more

In Splunk Cloud a user (A) has created multiple alerts (around 50+ alerts) in the Search & Reporting App and he has been assigned as an admin role. Similarly a same guy from his team (B) has been assigned to the same role (admin) but he cant able to edit the search which has been created by (A) and the only option it is available for him is "Clone" or "Embed". So in a single shot can we able to change the permissions for all the alerts which has been created by (A) user so that (B) can able to edit or write the search query. I navigated to Manage Apps and checked into "Search & Reporting App" and then i have provided the write permission for the admins and saved it and also reloaded the authentication but still (B) user cant able to edit the query which has been created by (A). So is there any way to change the write permissions in one shot for the alerts which has been created in the "Search & Reporting App" by (A) so that (B) can able to modify the query and save it. ... View more

We are ingesting wineventlog into Splunk Cloud from all our client servers. And the majority of the ingested data seems to be in XML format and few hosts are reporting with normal log structure. So I want to know whether we can ingest the data in XML format itself or can I modify it to the normal structure by adding some stanza in the input .conf file of the wineventlog app. Which one would be considered as a best practice and a recommended one as well? ... View more

Hi Team, We got an requirement to ingest the xyz.log from a client machine. So i have created an app in the deployment master and deployed the same. The app has been successfully reached the client machine as well. I have created an app and deployed the same on 8th Sep 2019 and the log file (xyz.log) has been lastly updated on 5th Sep 2019 in the client machine. Actually i believe the log file should be ingested into Splunk Cloud but here in this case its not getting ingested into Splunk Cloud. So can i know what is the reason behind it and have enclosed my inputs.conf for reference. So kindly check and help on this. [monitor:///abc/def/ijk/lmn/xyz.log] sourcetype = pgr:stv index = 123 disabled = 0 Kindly note the file has the splunk read permission and also in the internal logs it states that the configuration stanza as been parsed. The internal logs are reaching Splunk Cloud without any issues there is no connectivity issues as well. But still i couldn't able to see the logs in Splunk Cloud. ... View more

Hi Team, We got an requirement from Operations team to ingest a particular log file (/abc/xyz.log) which is present in all linux client machines with read permissions hence we have created an app and deployed the input stanza to all linux client machines using the deployment master server. Once we have deployed the app has been reached to all linux client machines and when we checked the logs in Splunk Cloud i can able to see only few hosts are reporting and the remaining hosts are not getting ingested. We actually deployed on Sep 1st 2019 and the file (/abc/xyz.conf) which has been updated after that in the client machines seems to be reporting whereas in the rest of the client machines the file seems to be have updated before Sep 1st 2019 that is on August , July and June dates. So those logs files are not getting ingested into Splunk Cloud. So I want to know the mechanism of Splunk works ? I believe it should be able to ingest all those missing client machine (/abc/xyz.conf) logs as well into Splunk Cloud but unfortunately its not working. The input Stanza would be : [monitor:///abc/xyz.conf] sourcetype = efg:ijk index = yd disabled = 0 For testing purpose I have taken a server for which the xyz.conf log were not getting ingested into Splunk Cloud since the file seems to have been updated on Aug 22nd 2019 so for a change I have updated the file with a test message and saved it. Post saving it the file (xyz.conf) the modified date has been changed from Aug 22nd 2019 to 4th Sep 2019 so when I checked in Splunk Cloud the file seems to have been ingested into Splunk Cloud. So in this scenario if the file is not getting updated before the deployed date then the file is not getting ingested into Splunk Cloud for the client machines. So this is how it works? Can you kindly help on the request. ... View more