Hi @SplunkWorthy , could you share a sample of your resulta ans logs? Ciao. Giuseppe   ... View more

Hi @spl_aficionado , what do you mean with active-active? you can configure only one DS for each client. You can also configure a Load Balancer with a VIP or a scaling DS. Ciao. Giuseppe  ... View more

Hi @himanshu2 , please don't call people in questions! Anyway, following the documentation, it's a known issue, you must follow the documentation during upgrade from 9.3.x to 9.4.x: https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/9.4/administer-the-app-key-value-store/upgrade-the-kv-store-server-version Ciao. Giuseppe ... View more

Hi @Wohamed_wakkad , as also @PickleRick said, following the Splunk best practices, you should use a dedicated machine to Deployment Server role if it has to manage more than 50 clients. Ciao. Giuseppe ... View more

Hi @ankit13 , if you see license utilization only of the last days, it's related to the retentin of the _internal index. If instead you don't see any information about license utilization, do you forward License Master's logs to the Indexers? Ciao. Giuseppe ... View more

Hi @pruthviraj_k_m , at first, never use a join because it is very slow and expensive. Then if you must use a join don't start with the lookup, because the subsearch has the limit of 50,000 results. Using the lookup command you have a left join. Please adapt to your situation something like this (I cannot test the search because I haven't your data), index=notable | lookup incident_updates_lookup rule_id AS source_guid | table rule_id, source_guid_in_lookup, source_event_id, status  I don't know the relation between rule_id (in lookup) and source_guid (in index). Ciao. Giuseppe ... View more

Hi @0xAli , I usually use something like this: input(type="im<protocol>" port="<port>" ruleset="<input_name>") template(name="<template_name>" type="string" string="/data/syslog/<technology>/%fromhost-ip%/%$YEAR%/%$MONTH%/%$DAY%/<technology>_%$HOUR%.log") ruleset(name="<input_name>"){ action(type="omfile" dynaFile="<template_name>" fileOwner="<splunk_user>" fileGroup="<splunk_group>" dirOwner="<splunk_user>" dirGroup="<splunk_group>") } in a dedicated .conf file. ciao. Giuseppe ... View more

Hi @pruthviraj_k_m , let me understand: which changes do you want to track? Anyway: notable creations are recorded in the notable index, status changes are recorded in the incident_updates_lookup, notes are recorded in the mc_notes lookup. You can find a starting point in this my old answer: https://community.splunk.com/t5/Monitoring-Splunk/Need-help-with-Splunk-query-for-MTTD-and-MTTT-per-SOC-analyst/m-p/760135#M11134 or in this search: index=_audit source=mc_notes | eval json_blob=replace(_raw,"\\\\\"","\"") | rex field=json_blob "\"notable_id\":\s*\"(?<notable_id>[^\"]+)" | rex field=json_blob "\"content\":\s*\"(?<note_value>[^\"]+)" | eval note_value = urldecode(note_value) | rex field=json_blob "\"username\":\s*\"(?<user_value>[^\"]+)" | join type=left notable_id [ search index=notable | rename source_event_id as notable_id ] | table note_value user_value orig_rule_title Obviously, these are only starting point to create your own search. Ciao. Giuseppe ... View more

Hi @0xAli , as also @livehybrid pointed on, it depends on the syslog data volume and on the available storage on your receiver. I usually configure hourly rotation and, when I have available storage, I zip logs after 24 hours (removing zipped files) and I maintain zipped files for three days. If I don't have sufficient storage for this policy I adapt my polity to the available storage. In addition, I prefer to use rsyslog instead syslog-ng because it's more modern, but it's a choice! Ciao. Giuseppe ... View more

Hi @hrawat , could you better describe your search and its purpose? because I have an error in my on-premise installation, Unexpected status for to fetch REST endpoint uri=https://127.0.0.1:8089/servicesNS/nobody/SA-Utils/configs/conf-savedsearches/Audit%20-%20Sourcetype%20readiness%20-%20Lookup%20gen?appcontext=true&count=0 from server=https://127.0.0.1:8089 - Not Found and on Splunk Cloud I have a result but not so comprehensible. Ciao. Giuseppe ... View more

Hi @fatsug , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @fatsug , no props.conf doesn't run only on indexed fields, it works on all fields, but there's a sequence in executions. If you put the eval in the search, it runs on an already done transformation for the severity field, so it correctly runs. If you put it in props.conf, you must analyze the sequence of transformations, in you your case, you have a rename that probably is executed after the eval transformation, for this reason the severity field isn't still available for the eval, and for this reason I hint to put in the eval the name of the severity field before the rename. Ciao. Giuseppe ... View more

Hi @fatsug , I'd modify the calculated field also beacuse it's the easiest way, even if I don't think that the case is relevant. Ciao. Giuseppe ... View more

Hi @gnagasri , where did you locate these conf files? they must be located on the first Heavy Forwarder where data pass through or (if there isn't any Heavy Forwarder) on Indexers. Ciao. Giuseppe ... View more

Hi @wp-uk-36 , no there isn't anything like this. Add this request to Splunk ideas: ideas.splunk.com Ciao. Giuseppe ... View more

Hi @Wohamed_wakkad , only one additional hint: don't use Splunk network inputs but a syslog receiver (like rsyslog) writing on a file that's read by Splunk. This requires more disk resources but gives you more availability because it runs also when Splunk is down. I don't like SC4S, Ciao. Giuseppe ... View more

Hi @kjain041523 , the search you're searching is available in [Settings > Licensing > Usage Report >  Previous 6 days > Split by host] or in the Monitoring Console at [Indexing > License usage > Historic License usage > Split by host ]. This report is for 30 days but you can easily modify it for 120 days: index=_internal [ rest splunk_server=local /services/server/info | return host] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by h fixedrange=false | join type=outer _time [ search index=_internal [ rest splunk_server=local /services/server/info | return host] source=*license_usage.log* type="RolloverSummary" earliest=-120d@d | eval _time=_time - 43200 | bin _time span=1d | dedup _time stack | stats sum(stacksz) AS "stack size" by _time] | fields - _timediff | foreach "*" [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] The problem could be another: are you sure that the retention of your _internal index is more than 4 months? Usually it's less, so you could not have the logs dor this search! Ciao. Giuseppe ... View more

Hi @splunker_ak , have you already analyzed the "SOC Operations" Dashboar in Enterprise Security? probably you can find an answer to your question in this dashboard. Ciao. Giuseppe ... View more

Hi @uagraw01 , yes, try it: in your props.conf the TRANSFORMS-assignSourcetype = rewrite_sourcetype_wmc is associates with the "wmc_events" sourcetype that it isn't associated with your data. Ciao. Giuseppe ... View more

Hi @uagraw01 , how do you assign the "wmc_events" sourcetype (that you're using in your props.conf) to your data? try to use [source::tcp:8097] Ciao. Giuseppe ... View more

Hi @uagraw01 , where did you located the props and transforms? thy must be located on the first Full Splunk Instance (HF ot IDX, not UF) your data pass through, otherwise it doesn't run. Ciao. Giuseppe ... View more

Hi @kjain041523 , there's a lookup not found or not existent, probably an automatic lookup. You shouls search it in the add-ons and check if it's present but not correctly shared or if it isn't present. In the first case, you have to share it at Global level, in the second case, you have to create it. Ciao. Giuseppe ... View more