Hi @ilhwan , a backslash is mised befor the s: \"cluster_host_id\"\:\s\"([a-zA-Z.-_]+)\" Ciao. Giuseppe ... View more

HI @danielbb , as also @livehybrid said, it's mandatory to have a sample of your logs to check your regex, even if it's very simple. One additional question: what's the flow of your data? To correctly work this transformation must be located in the first full Splunk instance where logs pass through, in other words in the first Heavy Forwarder. Ciao. Giuseppe ... View more

Hi @JohnsonMarcus , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @JohnsonMarcus , anyway, you could append the content of the lookup file to your search and group the results using the stats command BY one or more  common fields to have a unique key. In this way, if you have results, you merge these results with the content of the lookup, if you haven't results, you have the content of the lookup, eventually, you can update the lookup at the end of the search with the new results. Ciao. Giuseppe ... View more

Hi @ws , the best solution (Splunk best practices) is to use a syslog server (as rsyslog or syslog-ng) to receive syslogs and write them in files that are read by Splunk. In this way you can continue to receive syslogs also when Splunk is down and you haven't any port problem. Otherwise you can redirect port 514 to an higher port by operative system, but the other is the best solution. Ciao. Giuseppe ... View more

Hi @_pravin , I di this and it runs: # cat props.conf [default] TRANSFORMS-default = set_splunk_hf # cat transforms.conf [set_splunk_hf] INGEST_EVAL = splunk_hf := splunk_server # cat fields.conf [splunk_hf] INDEXED = true Ciao. Giuseppe ... View more

Hi @bettyborer , if you want better dashboards, start to see Dashboard Studio. If you want to use CSS in Classic Dashboard see at https://www.splunk.com/en_us/blog/customers/splunk-clara-fication-customizing-simplexml-dashboards-with-inline-css.html or https://help.splunk.com/en/splunk-enterprise/developing-views-and-apps-for-splunk-web/10.0/customize-splunk-web/customize-dashboard-styling-and-behavior in addition there are many videos on YouTube, e.g: https://www.youtube.com/watch?v=lDnrZ5QkMIo Ciao. Giuseppe ... View more

Hi @splunkreal , in a Search Head Cluster, all the nodes have the same configurations! If you want to test, use and additional stand-alone SH (out of the SHC). Ciao. Giuseppe ... View more

Hi @ryo01 , let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @ryo01 , for my knowledge, there isn't any limit to the number of connections related to an app. The only limitations could be related to the resources on the servers where apps are installed and to the network bandwidth. You can monitor both these limitations using the Monitoring Console or the os tools. Ciao. Giuseppe ... View more

Hi @Dav , you must use your Splunk.com credentials, not the credentials on the Splunk instance. Ciao. Giuseppe ... View more

Hi @808antwon , this lookup is in the Splunk_TA_Windows add-on. at this url, https://community.splunk.com/t5/Deployment-Architecture/Why-this-error-on-search-head-cluster-after-updating-Splunk-TA/m-p/584567 you can find a solution/workaround to your issue. Ciao. Giuseppe ... View more

Hi @I_B , even if the Splunk App for MS Exchange is at its EoL, you need the Splunk Add-On for Microsoft Exchange (https://splunkbase.splunk.com/app/3225). You should deploy it to the UF using e.g. the Deployment Server (Splunk Best Practice) or another solution and configure it as described in the documentation. Ciao. Giuseppe ... View more

Hi @SPLKrishna253 , you should at first check if there are any network congestions that block the usual forwarding of your logs. If there isn't any issue on the network, you could use a larger bandwidth occupazione (by default on UFs is 256 kb/s), adding to the limits.conf of your UF the following setting: [thruput] maxKBps = 0 in this way, the UF sends all logs without limits. Send this setting to the UF putting it in a dedicated addon to call e.g. TA_UF_tuning, that could contain also other settings (e.g. maxSize = 2048MB). At least, perform a capacity planning on your UF to understand if you need more storage on the UF to dedicate to Splunk. Ciao. Giuseppe ... View more

Hi @ibrahim1 , you should configure one of HF in Site A as License Master for all the Indexers and other Splunk Server in SiteA. Then open the firewall routes on port 8089 between HF-A and HF-B, in this way you can use this HF as Liense Master also for the HF-B. Ciao. Giuseppe ... View more

Hi @jatin3101 , they are both acceptable: you need as available at least more than 51% of all peers, so if you have 8 peers, you can support 3 peers down. Anyway, usually SHs are odd and not pair. Ciao. Giuseppe ... View more

Hi @ibrahim1 , there is a Forwarder License that you can enable on your HFs instead of the connection to the License Master. But there's a restriction: if on the HF you must use DB-Connect or and Add-Ons that use APIs (e.g. Azure or AWS) or use it as a Deployment Server, you cannot use this kind of license. So, the solution could be one of the following: open the connection between the HF/DS/B and the License Master, Create a new DS on Site B and open the connection (both 8089 and 9997 ports) with the LM/A only for this server, Use the DS on the Site A to manage UFs and HFs on Site B, but in this case you should open more connections! use the HF/A as License Master: but you can use this solution only if the License Master has less than 50 clients, but anyway, you have to open the connection between the HF/LM/A and the HF/DS/B also on the 8089 Port, that's the required port for management and that usually closed, in addition to the 9997 data port, add a minimal License (also 500 MB/day) on the HF/DS/B. Ciao. Giuseppe ... View more

Hi @jatin3101 , in general, for more infos see at https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/overview-of-search-head-clustering/search-head-clustering-architecture#captain-election-0  anyway, trying to answer to your questions: q1: if the Captaing goes down, you still have 4 SHs, so you have more than 51% of all peers (not active peers) that can elect a new Captain, there could be an issue if the Captain and other two peers goes down because you will not have 51% of the peers active. q2: You need an odd number of members (like 3, 5, 7) in a Splunk Search Head Cluster (SHC) to guarantee a majority vote during captain elections, preventing split-brain scenarios; a 6-member cluster (even) requires 4 votes for a majority, but if 3 members fail, the remaining 3 can't reach that 4-vote threshold, causing the cluster to fail, whereas with 5 members (requiring 3 votes), losing 2 still leaves 3 members to elect a new captain, ensuring continuous operation.  q3: the Captain election is random, so it is statistically impossible to have the condition you described. The election process involves timers set randomly on all the members. The member whose timer runs out first stands for election and asks the other members to vote for it. Usually, the other members comply and that member becomes the new captain. Ciao. Giuseppe ... View more

Hi @fedayn05 , in addition to the checks hinted by @richgalloway , check the IOPS of your storage (e.g. using Bonnie++ or anothe tool) : probably this is the bottleneck. Ciao. Giuseppe ... View more

Hi @dinesh001kumar , my hint is to guide your customer to the easiste solution, anyway, please try this following my approach: index="main" | eval txstatus=case(status=200,"Success",status >200 AND status <500,"Business_Fail",status >=500,"System_Fail") | eval success_pass_count = Success + Business_Fail | eval svc_nm=case(match(api_name,"login"),"Login",match(api_name,"Prepaid"),"Prepaid Registration",match(api_name,"Postpaid"),"Postpaid Registration",true(),"unKnown") | bin span=1d _time | stats count as total sum(success_pass_count) as Success_pass_count by svc_nm,_time | eval Success=round((Success_pass_count/total) * 100,2) | eval Date = strftime(_time, "%Y-%b-%d") | chart max(Success) AS Success OVER Date BY svc_nm | eval Date=substr(Date,9,2)."-".substr(Date,6,2)."-".substr(Date,1,4) | transpose header_field=Date |rename svc_nm AS "Service Name"  Ciao. Giuseppe ... View more

Hi @horacio , open a ticket to Splunk Support, it's the easiest way. Otherwise (I never used it) you could see if this url can help you:  https://github.com/ryanadler/downloadSplunk/tree/main  Ciao. Giuseppe ... View more

Hi @dinesh001kumar , if it's acceptable for you, the easiest solution is to use a different date format: yyyy-mm-dd instead of dd-mm-yyyy, because in this way dates are automatically sorted. If it isn't possible you should pass throgh this format to sort the results and then display the output in the requested format. Could you share your SPL search? Supponing that Your SPL is something like this, you could try something like the following: <your_search> | eval date=strftime(strptime(your_date,"%d-%m-%Y"),"Y-%m-%d") | chart max(success) AS success OVER Service_Name BY date Ciao. Giuseppe ... View more

Hi @maheshnc , see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @maheshnc , as you can read at the above url, you can directly upgrae from 4.6.0 to 5.1.0, following the instructions in the URL. Ciao. Giuseppe ... View more

Hi @falcon , at first use INDEXED_EXTRACTIONS = JSON in the sourcetype definition and then use, as @ITWhisperer said, the spath command (for more infos see at ( https://help.splunk.com/en/splunk-enterprise/search/spl-search-reference/9.0/search-commands/spath ). Ciao. Giuseppe ... View more