There are several topics related to this , but it seems they not exactly what im asking (ie those are related to custom dashboards, while im asking with regard to the basic splunk search function).   When viewing search results, on the left sidebar ,  if you try to open a new tab via the results of either "selected fields" or "Interesting fields",  that value is not appended to the search (in the new tab).  But rather you just get a duplicate of the current search results. Is there anyway to fix this?  (or to manually modify the splunk JS files to support this?) animated gif screen cap of what im referring to (using v9.1.0.2 demo): (just adding screen shots, the web server  keeps throwing a Less than 1m characters error when i add the animated gif); what im referring to:   what we get:     what im hoping for:     This has bugged me since splunk v6 (im now on v8 latest),  and just did a test / demo install of v9.1 and the issue remains with all versions. thanks   some related topics that are very similar to what im asking here (but are not exactly the same):   https://community.splunk.com/t5/Dashboards-Visualizations/how-to-create-drilldowns-which-open-in-new-window-so-that-the/td-p/399087?sort=oldest https://community.splunk.com/t5/Dashboards-Visualizations/How-to-enable-a-new-tab-opening-from-within-a-dashboard/m-p/388622#M25461 https://community.splunk.com/t5/Dashboards-Visualizations/How-to-drill-down-launch-another-search-with-parameter-from/td-p/49957   ... View more

I always struggle with this common task (common for me) -  I have a v8 UF setup on a windows10 machine,  it is logging all of the winEvent logs beautifully (back to my splunk v8 server),  however i need to monitor something specific on this machine.   (NB: i do NOT use deployment-server in anyway, anywhere) I need this windows UF to monitor all *.log files , recursively, within X Directory.  in this case, its : C:\ProgramData\vMix\    (any/all *.log files recursively) and C:\Users\pc\Documents\vMixStorage\logs    (any/all *.log files recursively) So i edit inputs.conf: notepad++.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf" and i add these stanzas, one at a time (and then test to see if data is getting to my splunk server):      [monitor://C:\Users\pc\Documents\vMixStorage\log\*] disabled = 0 index = pcs recursive = true sourcetype = vMIX [monitor://C:\ProgramData\vMix\...\*.log] disabled = 0 index = pcs blacklist = .*stream.*|stream.* whitelist = *.log recursive = true sourcetype = vMIX [monitor://C:\ProgramData\vMix\*.log] disabled = 0 index = pcs blacklist = .*stream.*|stream.* sourcetype = vMIX [monitor://C:\Users\pc\Documents\vMixStorage\...\*.log] disabled = 0 index = pcs recursive = true sourcetype = vMIX [monitor://C:\Users\pc\Documents\vMixStorage\logs\] disabled = 0 index = pcs blacklist = .*stream.* whitelist = *.log recursive = true sourcetype = vMIX      At some point in adding the above, one stanza at a time,  i did get the *.logs to flow in,  however they then stopped updating/ flowing in (but win event log is ofcourse still flowing in, rock solid). I get this output from  .\splunk.exe list monitor   which to me seems like its NOT what i want (as i *think* i should be seeing those directories under "Monitored Directories"  ,  but i have yet to be able to get that to occur.     PS C:\Program Files\SplunkUniversalForwarder\bin> .\splunk.exe list monitor Monitored Directories: [No directories monitored.] Monitored Files: C:\ProgramData\vMix\*.log C:\ProgramData\vMix\...\*.log C:\Users\pc\Documents\vMixStorage\...\*.log C:\Users\pc\Documents\vMixStorage\log\* C:\Users\pc\Documents\vMixStorage\logs\     btool debug:     .\splunk.exe cmd btool inputs list --debug ## <snip> ## C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf [monitor://C:\ProgramData\vMix\*.log] C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf blacklist = .*stream.*|stream.* C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf disabled = 0 C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = vMIX-JCv71-p1000 C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf index = pcs C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf sourcetype = vMIX C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf [monitor://C:\ProgramData\vMix\...\*.log] C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf blacklist = .*stream.*|stream.* C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf disabled = 0 C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = vMIX-JCv71-p1000 C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf index = pcs C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf recursive = true C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf sourcetype = vMIX C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf whitelist = *.log C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf [monitor://C:\Users\pc\Documents\vMixStorage\...\*.log] C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf disabled = 0 C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = vMIX-JCv71-p1000 C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf index = pcs C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf recursive = true C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf sourcetype = vMIX C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf [monitor://C:\Users\pc\Documents\vMixStorage\log\*] C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf disabled = 0 C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = vMIX-JCv71-p1000 C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf index = pcs C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf recursive = true C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf sourcetype = vMIX C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf [monitor://C:\Users\pc\Documents\vMixStorage\logs\] C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf blacklist = .*stream.* C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf disabled = 0 C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = vMIX-JCv71-p1000 C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf index = pcs C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf recursive = true C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf sourcetype = vMIX C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf whitelist = *.log C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\default\inputs.conf [monitor://C:\Windows\System32\DHCP] C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\default\inputs.conf crcSalt = <SOURCE> ## <snip> ##     Can anyone please help or point me to the correct Stanza i should be using here?  i really have spent hours searching and reading forum posts,  (which is how i arrived at the stanzas above) as i know this is a common task, however i know im still not doing this correctly. ( + its not working 😞  )  -  thank you! (appologies for the poor spacing,  i have tried to re-edit but it does not seem to be saving my changes on edit->post) ... View more

While debugging an issue where a forwarder would not send a specific log to our main splunk instance,  i found this great post (among others): https://community.splunk.com/t5/Deployment-Architecture/Unix-Forwarder-is-not-Sending-Logs/m-p/167347/highlight/true#M6237 in the inputs.conf on the Universal Forwarder, the fix was adding initCrcLength = 2048  to the specific logs stanza: ( in:  C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf) Apparently the default is initCrcLength = 256.  This made me start thinking,  how many other forwarder logs are we not getting/indexing that im not aware of !? thus,  this search below showed me that 4 of our Forwarder's (of ~22 forwarders in total) where showing this same error for various specific log files (thus those specific logs have not been getting indexed):     index=_internal source=*splunkd.log host=* "seekptr checksum"     (while this is very unfortunate),  my question is: Should we be manually setting something like initCrcLength = 2048 on every one of our Forwarders (and on future new forwarders)? I assume the downside is increased RAM and CPU usage on the forwarders (but this is not an issue for us, as volume is not very high, and resources plentiful).  Anything else im not considering as a downside? question 2: I assume we can "globally" set this on a forwarders inputs.conf by simply placing:     [default] initCrcLength = 2048     and it will apply to all stanzas (unless a stanza overrides initCrcLength, of-course), Right? thanks! ... View more

I frequently use my 400+ splunk saved reports.   Thus im constantly accessing this url: http://splunkServer.com:8000/en-US/app/search/reports and then type into the search box in the middle (which filters the reports displayed in real-time). Is there any direct url which can search/list my saved reports?  (ie a url that can give me the the same output as typing into the search box in the url above). ie something like  http://splunkServer.com:8000/app/search/saved-reports/reports?q=Cisco (and then ill see any of my saved-reports where report-title matches "Cisco") Im trying to add my splunk saved searches as a "My Search Engines" entry in Chrome browser, such that i can just type into the chrome url bar:   spr <tab> blah (and it will bring me to a page showing any saved reports matching "blah" ). The closest ive been able to pull out is a long splunk url which i can add a search query to, but it returns my saved-reports matches as raw JSON.  thanks ----------- BTW: A super useful, related tip for others: Im already doing this for splunk searches (this= chrome url bar -> splunk search results) via this url below (note the %s at the end, chrome uses %s to fill in what you have typed into the chrome url bar) http://splunkServer.com:8000/en-US/app/search/search?earliest=-4h%40m&latest=now&q=search%20%s (the chrome setting for this is located in:   Settings -> Search Engine -> Manage Search engines -> "Other Search Engines" (Add) ) So using chrome keyword "sp" im able to type into the chrome url bar:   sp <tab> blah and i get the splunk search results for "blah"  for the past 4 hours. (ofcourse i can also do: " sp <tab> index=network blah "  ,  and so on ) thanks ... View more

I cant imagine this is possible, but splunk continuously surprises me, so ill ask: Is there anyway to exclude results, from the same host, + or - 2 seconds from a match. (or N seconds/minutes) example, in this image below, id like to exclude the results above and below the match on the ip address 68.x.x.x ? (this is just an example, i know i could get to my goal in this case by just showing IP matches, and investigating any IPs not on a known good IP lookup csv) thanks ... View more

Im a bit new to deploying forwarders on endpoints i manage (im not new to splunk)- Many guides i see (including the install instructions for this sysmon TA), state that you should deploy this TA onto your forwarders. To do this, the user will need to manually create a outputs.conf file (w indexer IP/dns) and place it in: \TA-microsoft-sysmon\default\ So why is there not a default/blank output.conf file located in \TA-microsoft-sysmon\default\ , from the start? (or even a blank file, with just a #nothing line? I get that the devs dont know the IP / DNS of our indexers). (im not complaining about this , im asking this incase im missing something and so that i can better understand, as it would seem to me a majority of users of this TA will be deploying it on forwarders as well as their indexer- so im wondering why there is not a outputs.conf "place holder"). thanks! ... View more

hi, i have several universal forwarders deployed, and im getting lots of events i want to filter out. I understand from reading answers here i need to do this on the indexer (or else install heavy forwaders on my endpoints, which i dont want to do). This is a raw entry that im trying to drop / filter out from my indexer (ie to keep it from using up lots of my license): 02/13/2020 10:19:09.016 event_status="(0)The operation completed successfully." pid=1216 process_image="c:\Program Files\VMware\VMware Tools\vmtoolsd.exe" registry_type="CreateKey" key_path="HKLM\system\controlset001\services\tcpip\parameters" data_type="REG_NONE" data="" This is the entry from the inputs.conf on the forwarders that is sending some of the events i want to filter out: [WinRegMon://default] disabled = 0 hive = .* proc = .* type = rename|set|delete|create And i have added these lines on my indexer (and restarted), but im still seeing the events come in: #on props.conf ( located in: C:\Program #Files\Splunk\etc\users\admin\search\local\props.conf): [WinRegMon://default] TRANSFORMS-set= setnull #on transforms.conf ( located in: C:\Program #Files\Splunk\etc\users\admin\search\local\transforms.conf): [setnull] REGEX = process_image=.+vmtoolsd.exe" DEST_KEY = queue FORMAT = nullQueue Thanks! (ive been referencing many answers, including this good one): (h)ttps:// answers.splunk.com/answers/37423/how-to-configure-a-forwarder-to-filter-and-send-the-specific-events-i-want.html ... View more

hi, i have several universal forwarders deployed, and im getting lots of events i want to filter out. I understand from reading answers here i need to do this on the indexer (or else install heavy forwaders on my endpoints, which i dont want to do). This is a raw entry that im trying to drop / filter out from my indexer (ie to keep it from using up lots of my license): 02/13/2020 10:19:09.016 event_status="(0)The operation completed successfully." pid=1216 process_image="c:\Program Files\VMware\VMware Tools\vmtoolsd.exe" registry_type="CreateKey" key_path="HKLM\system\controlset001\services\tcpip\parameters" data_type="REG_NONE" data="" This is the entry from the inputs.conf on the forwarders that is sending some of the events i want to filter out: [WinRegMon://default] disabled = 0 hive = .* proc = .* type = rename|set|delete|create And i have added these lines on my indexer (and restarted), but im still seeing the events come in: #on props.conf ( located in: C:\Program #Files\Splunk\etc\users\admin\search\local\props.conf): [WinRegMon://default] TRANSFORMS-set= setnull #on transforms.conf ( located in: C:\Program #Files\Splunk\etc\users\admin\search\local\transforms.conf): [setnull] REGEX = process_image=.+vmtoolsd.exe" DEST_KEY = queue FORMAT = nullQueue Thanks! (ive been referencing many answers, including this good one): (h)ttps:// answers.splunk.com/answers/37423/how-to-configure-a-forwarder-to-filter-and-send-the-specific-events-i-want.html ... View more