Thanks much! Going to try and use this to find hosts that are not reporting sysmon data. | tstats count WHERE index=* by host sourcetype | eval count=if(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational",1,0) | stats sum(count) as count by host #| search NOT (<exclude/filter out systems as needed here>, example: index=syslog) | where count = 0 | table host | rename host as "Hosts Not Sending Sysmon" ... View more

Ok, i see now. I really like your app, now i dont need to twist my brain to get the week vs week graphs right. But it would be nice to be able to somehow change the text on the graphs so people not getting confused about 1w ago = current week. Or if you could change the text to like most recent week as you suggested? ... View more

Ok. The Splunk_TA_windows is buggy. This is a quick fix: On the indexer (or where the parsing queue resides) add this to $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/props.conf: [Script:InstalledApps] SHOULD_LINEMERGE = true LINE_BREAKER = Note: Empty string behind LINE_BREAKER is ok In $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_windows/local/props.conf add: [script://.\bin\win_installed_apps.bat] disabled = 0 sourcetype = Script:InstalledApps ... View more

Sounds like in the search app you would just need to explicitly specify the index for the AD data. (index=x eventtype=y) The TAs for Splunk App for Active Directory log events into one of three indices: perfmon = All performance data winevents = All Windows Event Log data msad = Everything else ... View more

I solved it myself! sourcetype="Filter" a44 | transaction research maxevents=2 |stats min(duration) max(duration) avg(duration) median(duration) perc95(duration) ... View more

When i removed the app folder TA-DNSServer-NT6 from splunk and restarted splunk it starts to forward events! the server is a DC with ad integrated DNS. ... View more