Hi @maheshnc , see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @maheshnc , as you can read at the above url, you can directly upgrae from 4.6.0 to 5.1.0, following the instructions in the URL. Ciao. Giuseppe ... View more

Hi @falcon , at first use INDEXED_EXTRACTIONS = JSON in the sourcetype definition and then use, as @ITWhisperer said, the spath command (for more infos see at ( https://help.splunk.com/en/splunk-enterprise/search/spl-search-reference/9.0/search-commands/spath ). Ciao. Giuseppe ... View more

Hi @maheshnc , What version is currently installed? because there are some contraints described at https://splunk.github.io/splunk-add-on-for-microsoft-office-365/Upgrade/ Anyway in this url you can find all the instructions for your upgrade. Ciao. Giuseppe   ... View more

Hi @ThuLe , I never experienced this behaviour also because I usually us two Hfs as concentrators to Splunk Cloud. Anyway, at first did you configured  maxKBps = 0 on your concentrator to avoid queues? If yes, open a case to Splunk Support. Ciao. Giuseppe ... View more

Hi @richah , you can install Data Manager in your Splunk Cloud Instance and I hint to do this because this app has a very user friendly interface to configure inputs. Anyway, you can use the AWS add-on. Ciao. Giuseppe ... View more

Hi @richah , you have to use Data Manager on Splunk Cloud, or, if you prefer, Splunk TA_AWS. In these technical add-ons, you have to configure more connections, one for each account and then one or more inputs for each connection, following the instructions on the documentation of the Technical add-on that you will use. One additional hint: remember to have near you someone with a deep knowledge of AWS configuration because, Splunk configuration is easy, instead the steps on AWS aren't so easy if you don't know very well this environment. Ciao. Giuseppe ... View more

Hi @Souradip11 , in this case, you should try using the transaction command using the startswith and endswith options to correlate events, for more details see at  https://docs.splunk.com/Documentation/Splunk/9.1.0/SearchReference/Transaction https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Abouttransactions https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Searchfortransactions Ciao. Giuseppe ... View more

Hi @richah , I don't know how deeply you know Splunk. Anyway, here, you can find the ways to ingest data in Splunk , without regard using Splunk Enterprise or Splunk Cloud. here you can find detailed instructions:  https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.4/introduction/what-data-can-i-index https://lantern.splunk.com/Splunk_Success_Framework/Data_Management/GDI_-_Getting_data_in#:~:text=To%20get%20data%20from%20Windows,machines%20you%20want%20to%20monitor. You must ingest all data from your on-premise data sources using Universal Forwarders or syslog or HEC receivers and then concentrate all logs in at least one (or better two) Heavy Forwarder to use as concentrators that forwards logs to Splunk Cloud. You can find the architecture to implement at https://help.splunk.com/en/splunk-cloud-platform/splunk-validated-architectures/introduction-to-splunk-validated-architectures/about-splunk-validated-architectures About field extractions, you must continue to use the normal add-ons, having the only attention to check if they are certificed for Splunk Cloud. Ciao. Giuseppe ... View more

Hi @Souradip11 , even if request_id  isn't available in events, is there something else to correlate events? could you share a sample of your four types of logs? Ciao. Giuseppe ... View more

Hi @kgiri253 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @kuul13 , you have two solutions that depend on how many data you have: 1) run three subsearches adding results to the same search using append: <your_search> earliest=-d@d latest=@d | table <your_fields> | append [ search <your_search> earliest=-30d@d latest=-29d@d | table <your_fields> ] | append [ search <your_search> earliest=-365d@d latest=-364d@d | table <your_fields> ] I used table, but you can apply every output you like (e.g. timestamp, stats, etc...), obviously using the same in all subsearches. 2) classify events using eval: <your_search> earliest=-365d@d latest=@d | eval period=case( _time>now()-86400,"yesterday", _time>now()-30*86400 AND _time>now()-29*86400,"last_month", _time>now()-365*86400 AND _time>now()-364*86400,"last_year") | table <your_fields> period I prefer the first solution that's faster, especially if you have many events. Ciao. Giuseppe ... View more

Hi @AleCanzo , if it is a custom csv lookup, try to use a KV-store that shouldn't have this limit. Ciao. Giuseppe ... View more

Hi @Zombiesunday261 , at first, disable web GUI for the HF could be applicable only if you don't have in your HFs DB-Connect or Add-Ons that require configuration (e.g. Azure or AWS, etc...). About the disabling of search, it is really disabled because on IDXs you can search only on the _internal on the same IDX, not on all the other IDXs and on the HFs you don't have any result if you perform a search. Then I don't understand what you mean with "prasing". Anyway, it's a best practice to separate roles, e.g. not using a Search Head to run ad Add-On for cloud services or not use a HF to manage local indexes. How can I help you more? Ciao. Giuseppe ... View more

Hi @Nithiya1 , sorry what is your issue? the search seems to be correct. maybe the File_Size_MB isn't a number or what else? Ciao. Giuseppe ... View more

Hi @BSilva , if you're speaking of manual updates on the csv file, you could manually update the csv in the Splunk Lookup Editor App instead than in Excel. If you have automatic updates on the file, you could create an input monitor that monitors the folder where the csv file is stored and automatically reads every change. Ciao. Giuseppe ... View more

Hi @sivaranjiniG , probably the sequence of information isn't the same in all the events, so putting all the extractions in the same regex, you didn't match the most events. Try to create extractions focused on the fields you really need and create those extraction using a regex for each one, so e.g.: | rex "Event Type: (?<Event_Type>\w+)\s*Event:" Ciao. Giuseppe ... View more

Hi @sivaranjiniG , Splunk automatically extracts all the pairs field=value, for this reason it extracts  ApplicationType=Internal; Application=xxx; ApplicationVersion=CU2407.95.251112; ApplicationUUID=xxx-35e8-40a3-b7ec-e3e28261002d What is your issue: have you the other fields that you configured in props.conf and transforms.conf? Ciao. Giuseppe ... View more

Hi @cmeo-bcit , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @UncleHugo , the issue isn't in the search that you're using but in the log ingestion. How did you ingest these logs? Where did they come from: a csv or whatelse? Using the corect way to ingest logs you have the correct fields to use in the searches. At the same time, the reason because you don't have results using user and src_ip fields in the top command is probably that you don't have in your events one (or both) of the fields that you're using in the top command: user or src_ip; do you see them in interesting fields?  In addition, to help us to help you:  use "Inser/Edit Code Sample" button to share the searches, use a screenshor (not a photo). My hint is to follow some training in Getting data in: you can run a search on Google and find training documentation and videos, starting from the Search Tutorial: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial Ciao. Giuseppe   ... View more

Hi @verbal_666 , as I said: add this proposal to ideas.splunk.com; I'll vote for it! Ciao. Giuseppe ... View more

Hi @musale23 , if you're speaking of the Proofpoint TAP Modular Inputs, yes it's compatible both with Splunk Enterprise and Splunk Cloud, as you can read at https://splunkbase.splunk.com/app/3681  but what do you mean with "Cloud compatible"? if you mean compatible with a private cloud, the answser is yes, because a private cloud is like an on-prem installation. Ciao. Giuseppe ... View more

Hi @verbal_666 , for my knowledge, there isn't! there's only the information in which app a field configuration (extraction, tramsformation, calculation, etc...) is defined, but there isn't any information on index time extractions. In theory, you should be much structured in your activity to know and document where a configuration is done, nut rarely I found this this , especially if more people work on the same project. Add this proposal to ideas.splunk.com; I'll vote for it! Ciao. Giuseppe ... View more