They are VMs ... View more

Yeah also formulate this for others: Splunk Realtime adhoc and savesearches  doesn’t end, since they are configured to gather the latest data on a Realtime manner.                 Ex. If I ran  adhoc search with 5min Realtime . It wont end, complete or fail (on a normal circumstances), it will just continue until I stop the search. “Expires” configuration on the settings doesn’t really affect the real time search runtime – it only applies on cron job savesearches output. “Expires” is the time that the output of the search will remain on the Splunk environment. Solution to this issue is  to adjust the real time configuration to a cron job that is “almost realtime” (2min,5min or 10min). In this way searches will not queue up and still get the latest output. Also, to refrain using real-time searches. ... View more

They don't want using  summary indexing, that is why im looking for other possibilities to get this through. Is it possible to share the KVSTORE lookup/csv file using indexer ? since they are using similar indexer. ... View more

Hi @PavelP what's the purpose of this tag if it doesn't belong to any datamodel ? ... View more

Could i run this on a inline search ? cause if it is then this would be the answer 🙂 ... View more

Yeah i have access on 8089 request. im trying to update another account password. Can it work using Rest Script ? target server [HF,IDX,MC,DS,LM] ... View more

Hi All, Issue still exist- and we are looking at the internet connection using vpn might be the issue ... View more

Here's the breakdown of the Code: index="app" sourcetype="rxc" host="rxc-ip*" id=7 URL="/user/unauth" OR referer="https://quest.com/user/unauth*" earliest=-15m@m latest=now - [ Base search ] | dedup qid - Using dedup will remove all the duplicate for the specific field. - Example : You have 30 events of "00001", and 10 events of "00002" in total of 50 events. Once you use the dedup command you will only got 1 event per each , meaning you will get only 2 rows | eval "Error"=id+"-"+Name+"(Impacted-"+referer+"OR"+URL+")" | stats count by "Error" Also a screenshot or result would be helpful in this situation. ... View more

is your Email server setup ? Settings > Server Settings > Email Settings? Also can all actions on the alert to monitor if it triggers on the Activity > Triggered activity ... View more

You can do Search Command | makeresults | eval value="{\"snapshot\":[{\"name\":\"systemd\"},{\"name\":\"gvfsd-trash\"},{\"name\":\"gvfsd-metadata\"},{\"name\":\"qterminal\"},{\"name\":\"bash\"},{\"name\":\"systemd-journal\"},{\"name\":\"systemd-udevd\"},],\"action\":\"snapshot\"} {\"snapshot\":[{\"name\":\"systemd\"},{\"name\":\"gvfsd-trash\"},{\"name\":\"bash\"},{\"name\":\"systemd-journal\"},{\"name\":\"systemd-udevd\"},],\"action\":\"snapshot\"}" | rex field=value "name\"\:\"(?<Name>[^\"]+)" max_match=20 | table Name | mvexpand Name | stats count by Name OR Dont include it using regex | makeresults | eval value="{\"snapshot\":[{\"name\":\"systemd\"},{\"name\":\"gvfsd-trash\"},{\"name\":\"gvfsd-metadata\"},{\"name\":\"qterminal\"},{\"name\":\"bash\"},{\"name\":\"systemd-journal\"},{\"name\":\"systemd-udevd\"},],\"action\":\"snapshot\"} {\"snapshot\":[{\"name\":\"systemd\"},{\"name\":\"gvfsd-trash\"},{\"name\":\"bash\"},{\"name\":\"systemd-journal\"},{\"name\":\"systemd-udevd\"},],\"action\":\"snapshot\"}" | rex field=value "name\"\:\"(systemd\")*(?<Name>[\w\-]*)" max_match=20 | table Name | mvexpand Name | stats count by Name ... View more

@DavidHourani - sure will notify you once issue occurred again. Also, thanks for the notif whahaha. 🙂 ... View more

@PavelP - yes this works on bulk ingestion even logs 1second apart. But in my case logs are being ingested 1minute apart. I resolve the issue by using "inputs.conf" time_before_close ... View more

@DavidHourani - we are using Internet Explorer version 11.09. We can't use other browser [IT setup that way]. @MuS hahahha now i get it 42 is the real deal i do audits on ES but nothing really . ... View more

@MuS Did you check all the internal logs of Splunk to see if you get errors when opening the 'Incident Review'? Yes i investigated it , think all Error and Warn are really not related to the issue like truncating lines because of limits. Socket Errors from. Asynchronous bundle replication to An error occurred during the last operation ('deleteData' Error checking for update, URL=https://apps.splunk.com Received fatal SSL* alert. ssl_state='SSLv* Racing between mark job dispatched and heartbeats No response received from IMonitoredThread Missing a search command before The instance is approaching the maximum number of historical searches We recommed using RSA-SHA* for 'inboundSignatureAlgorithm' did you recently upgraded and did you restart Splunk after that? im not the one who upgrade it 1yr ago, but i saw in the process that it has a restart. Have to tried to _bump the Splunk instance? Not yet , will this once the issue occur again It looks like you did not get my previous joke about 42 😉 - HAHAHA still didn't get it. ... View more