For running jobs - try this from the GUI - see the link for curl base CLI command | rest splunk_server=local /services/search/jobs | fields author title, updated, search, runDuration, provenance, latestTime, owner eai:acl.app, diskUsage | rename author AS user eai:acl.app AS app title AS search_code | eval diskUsage_MB = round(diskUsage/1024/1024,2) | table user search_code, updated, search, runDuration, provenance, latestTime, owner, app diskUsage_MB Here's the Rest API and others https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTsearch#search.2Fjobs    ... View more

You didn't mention that you have are using the sysmon add-on, if not download and check the inputs.conf - start with those settings, must something in there. (your inputs looks ok but I think the other setting is source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational  https://splunkbase.splunk.com/app/5709  ... View more

Hi @azer271  Have a look at this Splunk TLS config page. It sounds like there's a step / config missing, work through this and your steps.   That error could be  incorrect PEM format  or  some config settings   https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Securing_the_Splunk_platform_with_TLS    ... View more

Perhaps start here, there's a lot of good information here on certs.  https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Securing_the_Splunk_platform_with_TLS  ... View more

Yes it looks like a reset lic,  have you sent to devinfo@splunk.com  Other links that may help  https://www.splunk.com/en_us/resources/personalized-dev-test-licenses.html?locale=en_us https://www.splunk.com/en_us/resources/personalized-dev-test-licenses/faq.html devinfo@splunk.com ... View more

You need to re-apply for the free dev licence - there's an email in the below link, it can take while for them to send you the new lic.  https://dev.splunk.com/enterprise/dev_license  ... View more

@anandhalagaras1  Glad it worked mate, and your welcome   ... View more

Try a couple of things Add the below to inputs.conf  - restart (YOUR CA CERT) under [SSL] rootCA = /opt/splunk/etc/auth/mycerts/myCertAuthCertificate.pem Run these to validate the certs - see if they read and show information openssl rsa -in /opt/splunk/etc/auth/mycerts/myServerCertificate.pem -text openssl x509 -in /opt/splunk/etc/auth/mycerts/myServerCertificate.pem -text -noout   ... View more

From the screenshot of files permissions  - the files look like they are for root, set those for the splunk user and try that   ... View more

Try this for starters  blacklist1 = EventCode="4663" Message="Account Name:\s+COMPUTER8-55\$"   ... View more

This looks like looks like filesystem permissions.  The splunk paths are normally based on the splunk account user permissions  example  sudo chown -R splunk:splunk <YOUR DATA PATH> Find out what account Splunk was running under.  ... View more

Hi @SplunkExplorer  Can you check on the HF's /opt/splunk/etc/apps folder if there are some outputs apps there (Left overs perhaps from testing etc) if so remove the app into a /tmp folder, restart HF's,  and push via the deployment server only.     ... View more

A few things to check - (I know you have done some already)   Check that your serverclass is taking the current config (might be some config that’s  overriding, its normally in /opt/splunk/etc/system/local/serverclass and sometimes in a dedicated app /opt/splunk/bin/splunk btool serverclass list --debug Check the Permissions on the HF's /opt/splunk/etc/apps/  (sudo chown -R splunk:splunk /opt/splunk/etc/apps - this is typical) Restart the HF / Deployment Server Can you verify the ownership of the apps on the Deployment Server (Typically they should be splunk:splunk sudo chown -R splunk:splunk /opt/splunk/etc/deployment_apps) Can you verify the firewall ports are all OK 8089 (HF to DS - port 8089) Can you double check the apps names in serverclass.conf (I have seen app name typo's errors in the past)   ... View more

My understanding is that your UiPath  team, does not know how to export the UiPath logs. You will need to first determine the method's and options available to you in terms of the logs types, they could be json, csv, xml etc.  So its best to have a look at the UIPath documentation that the vendor provides.  Its also best to design the data flow and ensure the data you want to collect, what format it is , and how to get it into Splunk.  This looks like a SaaS service, so , so you may be able to send the data direct to Splunk's HEC endpoint, rather that than the inputs which is logging to a C:\uipath_logs, so you will need to workout how to export those logs to a file in the folder and use the inputs or another option is send it to Splunk HEC via API, which means you create a Splunk HEC service with a token and send the data there.  There is some documentation for this, but you will need your team to ensure its correct, if not, then contact the vendor and get some information on what options are available to you in terms of UiPath export.  https://docs.uipath.com/insights/automation-suite/2023.4/user-guide/overview-real-time-data-export    ... View more

Inputs.conf One of the objectives is for you add data into Splunk via a configuration mechanism, typically this is via an inputs.conf file, so if you have logs you want to add to splunk then you would use inputs.conf as a simple example. There are other use case settings as well such as setting the Splunk server's receiver settings as well - see the below link for further examples and use cases. https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf#inputs.conf.example web.conf The main object is to configure the Splunk Web settings (HTTP/HTTPS) / security settings - this is set with TLS  certificates for production environment’s  - you can see the examples in the below link https://docs.splunk.com/Documentation/Splunk/9.2.1/admin/Webconf#web.conf.example You can  and should create sperate apps, example my_linux_secure_logs and place the inputs.conf there (You can’t change the names of the conf files.  There is a good app folder diagram here to show you where files and folders live - and you have to follow this structure with the config files you need.  https://dev.splunk.com/enterprise/docs/developapps/createapps/appanatomy/   In terms of app precedency, order is based on the lexicographical (alphabetical) order of the app names under global context. Simple example App A (my_app_a)  will be before App B (my_app_b) Have a look at the concepts below  on app precedency https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Wheretofindtheconfigurationfiles   ... View more

Hi @svibhute  There are a number of options and depending on your app deployment architecture.  1. Download the latest version of the app  from Splunk - extract the tar file - copy over to /opt/splunk/etc/apps folder (ensure splunk permissions are set sudo chown -R splunk:splunk - this is typical) and if its Linux based as opposed to Windows.  2. You can directly install via the HF GUI (if you have admin access)  go to managed apps, install from file (you should have already downloaded the tar file) or if you have a registered account with Splunk then use the browser more apps option and di it via there.  3. If you are using a deployment server to manage apps, then follow that process, where the app is pushed out to the HF.  I would also make backup of the /opt/splunk/etc/apps folder on the HF prior to the upgrade.      ... View more

Hi @Cerum  You didn't mention IP allow lists checks, so might be worth checking your cloud  IP allow list config . In the past this has caught me out, for all your Apps (I'm assuming SaaS types) send to HEC cloud, therefore you may need to add them to your IP Allow list for the Splunk cloud feature (HEC access for ingestion), that is if you are even using IP allow lists, if you haven't then all the features are accessible and this is not the issue.  https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Config/ConfigureIPAllowList        ... View more

Hi @czql5v  So, what I  mean by it may be elsewhere, is say for example, a software engineer develops an authentication application, they may well log data in the log files to show why the user's log is failing along side other events. Now for Microsoft they log a lot of events, and do they actually log why?, yes for some, example eventID 4625 is bad password and we know that, and we can look for that. As you said its not a bad a password, so this is really a Microsoft related issue, its not Splunk. Splunk is designed to ingest logs file, as you have done via AD, and we search those logs to find information, but if that data, eventID or information is not in the log file then we can can't search for it. May be look at some of Microsoft forums and post a question there, they may be able to help debug the issue or even tell you what eventID that is to this issue, if there is such an eventID.       ... View more

Start here - it shows the basics    https://www.splunk.com/en_us/blog/customers/splunk-clara-fication-search-best-practices.html  Here are all the many different commands with SPL with examples  - once you have developed the basic concepts, you can start to apply various commands for your use cases.  https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/ListOfSearchCommands   ... View more

If its not in the event data its difficult to say what's the root cause, Splunk only reports whats in the logs not the root cause, but that could be elsewhere in some log. That said, its normally mistyped password's, bad password, etc. Check the Group Policy settings related to account lockout policies, password policies, and Kerberos policies with the AD admin. Ensure that these policies are configured correctly and not excessively restrictive. What about some malware or Unauthorized Access thats causing it, so it could be a number if things. It might be worth speaking to the user and ask them to show you what they are doing, so you can see and spot any obvious mistakes, they may be doing, I have also experienced in the past, odd keyboard keys/characters / locale settings that are being used could also be the cause. ... View more

@PickleRick “Hear, hear!”  : -) The option's are better, @danroberts  go with PickRick's, same results but his is more efficient.    ... View more

The data comes from either the AD server or the Windows servers by the way of the Universal Forwarder, that's the source of the event logs.  You have data coming in from the AD server where a UF is installed and that's how the logs are collected , and the logs are configured by your AD admin, some times they need to enable further logging for advance events.  Try these first   and see if they exist as they may give you further info you need, if they don't , then it might be worth having a chat with your AD admin to find the exact event ID/log information you need.    Event ID 4771 - Kerberos pre-authentication failed. Event ID 644 - User account locked out. Event ID 4625 - An account failed to log on.    ... View more

Have a look at this example it may help, other than that work through the documentation splunk-app-examples/custom_alert_actions/slack_alerts/default/data/ui/alerts/slack.html at master · splunk/splunk-app-examples · GitHub   ... View more