Hi @kgiri253 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @kuul13 , you have two solutions that depend on how many data you have: 1) run three subsearches adding results to the same search using append: <your_search> earliest=-d@d latest=@d | table <your_fields> | append [ search <your_search> earliest=-30d@d latest=-29d@d | table <your_fields> ] | append [ search <your_search> earliest=-365d@d latest=-364d@d | table <your_fields> ] I used table, but you can apply every output you like (e.g. timestamp, stats, etc...), obviously using the same in all subsearches. 2) classify events using eval: <your_search> earliest=-365d@d latest=@d | eval period=case( _time>now()-86400,"yesterday", _time>now()-30*86400 AND _time>now()-29*86400,"last_month", _time>now()-365*86400 AND _time>now()-364*86400,"last_year") | table <your_fields> period I prefer the first solution that's faster, especially if you have many events. Ciao. Giuseppe ... View more

Hi @AleCanzo , if it is a custom csv lookup, try to use a KV-store that shouldn't have this limit. Ciao. Giuseppe ... View more

Hi @Zombiesunday261 , at first, disable web GUI for the HF could be applicable only if you don't have in your HFs DB-Connect or Add-Ons that require configuration (e.g. Azure or AWS, etc...). About the disabling of search, it is really disabled because on IDXs you can search only on the _internal on the same IDX, not on all the other IDXs and on the HFs you don't have any result if you perform a search. Then I don't understand what you mean with "prasing". Anyway, it's a best practice to separate roles, e.g. not using a Search Head to run ad Add-On for cloud services or not use a HF to manage local indexes. How can I help you more? Ciao. Giuseppe ... View more

Hi @Nithiya1 , sorry what is your issue? the search seems to be correct. maybe the File_Size_MB isn't a number or what else? Ciao. Giuseppe ... View more

Hi @BSilva , if you're speaking of manual updates on the csv file, you could manually update the csv in the Splunk Lookup Editor App instead than in Excel. If you have automatic updates on the file, you could create an input monitor that monitors the folder where the csv file is stored and automatically reads every change. Ciao. Giuseppe ... View more

Hi @sivaranjiniG , probably the sequence of information isn't the same in all the events, so putting all the extractions in the same regex, you didn't match the most events. Try to create extractions focused on the fields you really need and create those extraction using a regex for each one, so e.g.: | rex "Event Type: (?<Event_Type>\w+)\s*Event:" Ciao. Giuseppe ... View more

Hi @sivaranjiniG , Splunk automatically extracts all the pairs field=value, for this reason it extracts  ApplicationType=Internal; Application=xxx; ApplicationVersion=CU2407.95.251112; ApplicationUUID=xxx-35e8-40a3-b7ec-e3e28261002d What is your issue: have you the other fields that you configured in props.conf and transforms.conf? Ciao. Giuseppe ... View more

Hi @cmeo-bcit , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @UncleHugo , the issue isn't in the search that you're using but in the log ingestion. How did you ingest these logs? Where did they come from: a csv or whatelse? Using the corect way to ingest logs you have the correct fields to use in the searches. At the same time, the reason because you don't have results using user and src_ip fields in the top command is probably that you don't have in your events one (or both) of the fields that you're using in the top command: user or src_ip; do you see them in interesting fields?  In addition, to help us to help you:  use "Inser/Edit Code Sample" button to share the searches, use a screenshor (not a photo). My hint is to follow some training in Getting data in: you can run a search on Google and find training documentation and videos, starting from the Search Tutorial: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial Ciao. Giuseppe   ... View more

Hi @verbal_666 , as I said: add this proposal to ideas.splunk.com; I'll vote for it! Ciao. Giuseppe ... View more

Hi @musale23 , if you're speaking of the Proofpoint TAP Modular Inputs, yes it's compatible both with Splunk Enterprise and Splunk Cloud, as you can read at https://splunkbase.splunk.com/app/3681  but what do you mean with "Cloud compatible"? if you mean compatible with a private cloud, the answser is yes, because a private cloud is like an on-prem installation. Ciao. Giuseppe ... View more

Hi @verbal_666 , for my knowledge, there isn't! there's only the information in which app a field configuration (extraction, tramsformation, calculation, etc...) is defined, but there isn't any information on index time extractions. In theory, you should be much structured in your activity to know and document where a configuration is done, nut rarely I found this this , especially if more people work on the same project. Add this proposal to ideas.splunk.com; I'll vote for it! Ciao. Giuseppe ... View more

Hi @chandrasekhar46 , usually Splunk_TA_Windows correctly parse all windows events, even if this seems to be a very strange windows logs that usually have a different format; are these logs windows servers logs or application logs? Anyway, you should install Splunk_TA_Windows both on UF, HF and SH. Ciao. Giuseppe   ... View more

Hi @jonxilinx , don't attach a new question to another one, open a new one to have more choices to have an answer. Anyway, open a case to Splunk Support. Ciao. Giuseppe ... View more

Hi @Rushilgupta02 , did you checked the local firewalls on the nginx servers? Ciao. Giuseppe ... View more

Hi @Ted-Splunk , you should correlate the two searches using the common key (using eval coalesce) and check the presence in both searches (e.g. if they are in different indexes), something like this: (search A) OR (search B) | rex "cust (?<MyIdA>\d+)" | rex "\"custId\",\"value\":\"(?<MyIdB>\d+)" | eval key=coalesce(MyIdA,MyIdB) | stats dc(index) AS inex_count BY key | where index_count>1  modify the condition based on the way to identify the two searches. Ciao. Giuseppe ... View more

Hi @Nithiya1 , check the macros and the eventtypes used in the Alert Manager's dashboards. Ciao. Giuseppe ... View more

Hi @jariw , you're comparing pears with apples! to compare two searches, you have to work: on the same machine and in the same time, not using earliest=now, but something in the past (e.g. from -70m@m to -10m@m), to be sure to search on the same events, run both the searches in the same app, because there could be different eventtypes, tags and field extractions that give different times, use the same mode: Fast, Smart or Verbose, isn't relevant, but use the same. Anyway, the presence of ES on a SH gives a greater load on the server, so this server must have more resources (e.g. to run Splunk you need at least 12 CPUs, to run ES you need at least 16 CPUs or more!), so for this reason you cannot compare searches. But, why do you need to do this comparison? Ciao. Giuseppe ... View more

Hi @Nithiya1 , are your alerts shared at Global level? Ciao. Giuseppe ... View more

Hi @_Raj , when you have fieldname=fieldvalue you don't need to extract fields because fields are automatically extracted by Splunk. To mask field values, do you want to do this at index time or at search time? if at index time, data are modified and indexed modified, so you lose the original values, you can do this in the props.conf using SEDCMD command: SEDCMD_Anonymize = s/student\=(\w+)\s/student\=(*****)\s/g For more infos see at https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Anonymizedata If at search time, data aren't modified and masked only in the dashboard, but accessing data using a search they are visible. You can do this in many ways, e.g. eval or rex command (using the same regex of the other solution): | rex mode=sed "s/student\=(\w+)\s/student\=(*****)\s/g" Ciao. Giuseppe ... View more

Hi @_Raj , as also @richgalloway and @livehybrid said, your requirements aren't so clear, do you want to have the count of students for each class and for each school or what else? and how do you want to display these results in the same table? probably you could create different panels different searches in a dashboard. Anyway, if you want to have the results in a single table (I don't understand why!), you could run something like this (resusing the data visualization of @livehybrid 😞 | makeresults format=csv data= "student_id,student_name,class,school,subject,score 1,Alice,10A,School1,Math,85 2,Bob,10A,School1,Math,72 3,Charlie,10B,School1,Science,90 4,David,10A,School2,Math,65 5,Eva,10B,School2,Science,88" | stats count(eval(class="10A")) AS 10A_count count(eval(class="10B")) AS 10B_count count(eval(school="School1")) AS School1_count count(eval(school="School2")) AS School2_count Ciao. Giuseppe ... View more

Hi @_Raj , see these: https://www.youtube.com/watch?v=ZiNCRsUE7LQ https://help.splunk.com/en/splunk-enterprise/administer/manage-indexers-and-indexer-clusters/10.0/overview-of-indexer-clusters-and-index-replication/about-indexer-clusters-and-index-replication https://docs.splunk.com/Documentation/Splunk/9.3.1/Indexer/Clusterdeploymentoverview https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/overview-of-search-head-clustering/about-search-head-clustering https://www.youtube.com/watch?v=VPa3EjqD8Q4 https://www.youtube.com/watch?v=3JjLtoRDXOE Ciao. Giuseppe ... View more