Could you please provide some examples of data in Splunk that you're exporting that is having issues? ... View more

The configuration file precedence is described in following Splunk documentation: https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Wheretofindtheconfigurationfiles  For outputs.conf file, the precedence would be this: $SPLUNK_HOME/etc/system/local/* $SPLUNK_HOME/etc/apps/A/local/* ... $SPLUNK_HOME/etc/apps/z/local/* $SPLUNK_HOME/etc/apps/A/default/* ... $SPLUNK_HOME/etc/apps/z/default/* $SPLUNK_HOME/etc/system/default/*  Based on this, your  /opt/splunkforwarder/etc/apps/comp_all_forwarder_outputs/local/outputs.conf version would take precedense. As Richard mentioned, please run btool command (on your UF back end) to see what configurations are taking place. Example btool command: /opt/splunkforwarder/bin/splunk btool outputs list --debug | grep -v system/default ... View more

Did you check the scheduler logs to see if the original alert search is firing and finding results (index=_internal sourcetype=scheduler savedsearch_name="yourOriginalAlertSearchNameHere")? ... View more

I should've been more clear. You would replace "index= _internal" with your search, where you think duplication is happening. (e.g. index=os ) ... View more

Give this a try | timechart count by field_name limit=0 | rename * as orig_* | eventstats avg(orig_*) as avg_* | foreach orig_* [| eval "<<FIELD>>"=round('<<FIELD>>'/'avg_<<MATCHSTR>>')] | fields - avg_* | rename orig_* as * ... View more

See if your events are getting duplicated (same event is ingested twice) index=_internal | eval IngestTime=_indextime | stats dc(IngestTime) as countIngested by _raw _time | where countIngested>1 ... View more

Try something like this your base search | eval OS_Name=case(match('Base MAC OS',"10\..*"),"Catalina", match('Base MAC OS',"11\..*"),"Big Sur",match('Base MAC OS',"12\..*"),"Monterey", true(),"Unknown") ... View more

Give this a try (workaround, dynamically generating where clause with cidrmatch filters): | inputlookup list_of_devices | where cidrmatch("$CIDR_tok$", devIP) | where [| inputlookup list_of_subnet_sand_sites | search City="*" Street="*" NetIP="10.5.*.*" | rename NetMask AS mask | lookup ip_mask_prefix.csv mask OUTPUT prefix | rename mask AS NetMask | eval CIDRNet_mv = mvappend(NetIP , "/", prefix) | eval CIDRNet = mvjoin(CIDRNet_mv, "") | eval search="cidrmatch(\"".CIDRNet."\",devIP)" | table search | format "" "" "" "" "OR" "" | eval search=replace(replace(replace(search,"\\\\",""),"\"c","c"),"\)\"",")") ] | sort devIP   You could also create a new lookup with lookup definition of cidrmatch and use that to filter records. See this for reference: https://splunkonbigdata.com/cidr-lookup-in-splunk/ ... View more

Yes. The data is being logged in GMT/UTC as you specified in props.conf. The _time (or Time column) in search result is translated event time based on current user's timezone (so if you're TZ before UTC, events will show in future). If you want to see the time in the same timezone where they occurred, then what you did is correct (changing your timezone to match data timezone). ... View more

Add following to end of your search | where tonumber(UsePct)>=90 ... View more

The primaries will be rebalanced after new peer (indexer) joins the indexer cluster but it will not be effective as new indexer doesn't have bucket copies (it'll only have copies of data being ingested after it was added.  To make sure you're distributing buckets uniformly, you should first do the data rebalance after the new indexer is joined, based on the RF/SF you selected. (see https://docs.splunk.com/Documentation/Splunk/9.0.0/Indexer/Rebalancethecluster#Rebalance_indexer_cluster_data). This will ensure new peer has almost same number of bucket copies as other. After that manually trigger primary rebalance so that primary buckets. (see this https://docs.splunk.com/Documentation/Splunk/9.0.0/Indexer/Rebalancethecluster#Rebalance_indexer_cluster_primary_bucket_copies) https://docs.splunk.com/Documentation/Splunk/9.0.0/Indexer/Rebalancethecluster#Rebalance_indexer_cluster_data ... View more

Give this a try index=tenable* sourcetype="*" severity_description="*" | stats dc(ip) as count by severity_description ... View more

There might not be an efficient way to do that. You'll have to sort your data by srcMsgId (and time) and then use Delta. Or you can use following streamstats version of performing the same. index="bl_logging" sourcetype="testsystem-2" | transaction maxpause=5m srcMsgId Correlation_srcMsgId messageId | table _time srcMsgId Correlation_srcMsgId messageId duration eventcount | sort srcMsgId _time | streamstats current=f window=1 values(_time) as prevTime by subject | eval timeDiff=_time-prevTime   ... View more