It very much depends on how you want your dashboards to look and behave, but essentially using the html/style blocks can give you access to css to modify your dashboards. These can also be added to a css file which is declared at the top of your dashboard, but this file needs to be uploaded and it is often easier to do it inline in your SimpleXML source. ... View more

Hi @splunkreal , in a Search Head Cluster, all the nodes have the same configurations! If you want to test, use and additional stand-alone SH (out of the SHC). Ciao. Giuseppe ... View more

Hi @ibrahim1  I have set up a few Splunk installations that fits your design UF (Site B) → HF (also act as DS) (Site B) → HF (Site A) → Indexers I have them set up with the original license file on the site B HF, as far is it knows there isn't any License Master in the system and it would not have any issue with the license already been used somewhere else. I have also done this for Splunk Cloud customers using the 0-byte license, typically sending logs from another zone like DMZ inwards to a onsite Intermediate forwarder before sending it to the cloud. So both ways will work. In my experience there is no cost to the 0-byte license, but you need to have an active license in order to send a ticket to Splunk support. ... View more

Even if there was a limit on number of connections or tenants for a single installation of these addons (and I'm not aware of any) you could still spin up separate HFs and install separate addon instances on them. ... View more

Hi @Dav , you must use your Splunk.com credentials, not the credentials on the Splunk instance. Ciao. Giuseppe ... View more

Hi @808antwon , this lookup is in the Splunk_TA_Windows add-on. at this url, https://community.splunk.com/t5/Deployment-Architecture/Why-this-error-on-search-head-cluster-after-updating-Splunk-TA/m-p/584567 you can find a solution/workaround to your issue. Ciao. Giuseppe ... View more

Hi @I_B , even if the Splunk App for MS Exchange is at its EoL, you need the Splunk Add-On for Microsoft Exchange (https://splunkbase.splunk.com/app/3225). You should deploy it to the UF using e.g. the Deployment Server (Splunk Best Practice) or another solution and configure it as described in the documentation. Ciao. Giuseppe ... View more

Hi @SPLKrishna253 , you should at first check if there are any network congestions that block the usual forwarding of your logs. If there isn't any issue on the network, you could use a larger bandwidth occupazione (by default on UFs is 256 kb/s), adding to the limits.conf of your UF the following setting: [thruput] maxKBps = 0 in this way, the UF sends all logs without limits. Send this setting to the UF putting it in a dedicated addon to call e.g. TA_UF_tuning, that could contain also other settings (e.g. maxSize = 2048MB). At least, perform a capacity planning on your UF to understand if you need more storage on the UF to dedicate to Splunk. Ciao. Giuseppe ... View more

I missed ES part earlier. It probably explains your issues. It depends on how many correlation searches and CIM accelerations are running your single box, but I suspect that your environment is too much for running it in single node. You could find monitoring console under settings. There are links/icon for it. Just click it and then enable it from its setting tab/link. After that there are Search link where you could look those several dashboards which shows e.g. what are those deferred and skipped searches.   ... View more

Splunk Search Head clusters use RAFT algorithm to keep the state of the cluster - https://en.wikipedia.org/wiki/Raft_(algorithm) If you want to dig deeper into that - there are quite a lot of materials about it on the internet. Anyway, as others already pointed out, to choose a captain, a quorum of floor(N/2)+1 members is needed. So in a split-brain scenario with even number of member split in the middle, there is no way of choosing the captain. That's the "most common" part of the answer. But there are other factors. Typically if we're talking about the number of member nodes and possible split brain scenario there is a silent assumption that those nodes are somehow (usually evenly) distributed into more than one site - that's when the split brain scenario is most probable. The less common part of the answer is that there are some ways of dealing with this limitation: 1) You can designate the captain manually. 2) You can have a "voting only" SHC member - a small machine not being an "active" part of a cluster (not getting any searches to run) making sure that you have a quorum. The general rule of thumb that you should have odd number of nodes in your SHC is just so that the cluster can handle whole site outages without any need for manual intervention (which still might not be 100% true because if you spread your users' traffic to the nodes only in local site, you still might end up with some issues depending on how your LBs are configured). ... View more

Ha @isoutamo I was tempted to post to my fork of Ryan's repo but @gcusello had already posted the original repo 😉  If it helps @horacio you can use https://livehybrid.github.io/downloadSplunk/ for other version, which is a web-based version of the repo.    ... View more

Hi @dinesh001kumar , my hint is to guide your customer to the easiste solution, anyway, please try this following my approach: index="main" | eval txstatus=case(status=200,"Success",status >200 AND status <500,"Business_Fail",status >=500,"System_Fail") | eval success_pass_count = Success + Business_Fail | eval svc_nm=case(match(api_name,"login"),"Login",match(api_name,"Prepaid"),"Prepaid Registration",match(api_name,"Postpaid"),"Postpaid Registration",true(),"unKnown") | bin span=1d _time | stats count as total sum(success_pass_count) as Success_pass_count by svc_nm,_time | eval Success=round((Success_pass_count/total) * 100,2) | eval Date = strftime(_time, "%Y-%b-%d") | chart max(Success) AS Success OVER Date BY svc_nm | eval Date=substr(Date,9,2)."-".substr(Date,6,2)."-".substr(Date,1,4) | transpose header_field=Date |rename svc_nm AS "Service Name"  Ciao. Giuseppe ... View more

Wait. 1. Indexed extractions have nothing to do with spath command. And as I understand the question, only parts of the original event form json structures, not the whole raw event. In this case indexed extractions won't work anyway. 2. As a rule of thumb, indexed extractions shouldn't be used unless there is no other way. ... View more

Hi @maheshnc , see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @ThuLe , I never experienced this behaviour also because I usually us two Hfs as concentrators to Splunk Cloud. Anyway, at first did you configured  maxKBps = 0 on your concentrator to avoid queues? If yes, open a case to Splunk Support. Ciao. Giuseppe ... View more

Hi @richah , you can install Data Manager in your Splunk Cloud Instance and I hint to do this because this app has a very user friendly interface to configure inputs. Anyway, you can use the AWS add-on. Ciao. Giuseppe ... View more

Hi @Souradip11 , in this case, you should try using the transaction command using the startswith and endswith options to correlate events, for more details see at  https://docs.splunk.com/Documentation/Splunk/9.1.0/SearchReference/Transaction https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Abouttransactions https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Searchfortransactions Ciao. Giuseppe ... View more

Thanks this works perfectly, i will read the link. ... View more

Hi @kgiri253 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @kuul13 , you have two solutions that depend on how many data you have: 1) run three subsearches adding results to the same search using append: <your_search> earliest=-d@d latest=@d | table <your_fields> | append [ search <your_search> earliest=-30d@d latest=-29d@d | table <your_fields> ] | append [ search <your_search> earliest=-365d@d latest=-364d@d | table <your_fields> ] I used table, but you can apply every output you like (e.g. timestamp, stats, etc...), obviously using the same in all subsearches. 2) classify events using eval: <your_search> earliest=-365d@d latest=@d | eval period=case( _time>now()-86400,"yesterday", _time>now()-30*86400 AND _time>now()-29*86400,"last_month", _time>now()-365*86400 AND _time>now()-364*86400,"last_year") | table <your_fields> period I prefer the first solution that's faster, especially if you have many events. Ciao. Giuseppe ... View more

Indexer does its share of searching. It is a part of a searching process - it's how Splunk works. I assume you don't want users to use it to search from it directly, right? Generally, regardless of whether you leave the WebUI enabled or not on non-SH components, you usually simply don't allow normal users to log in there. HF shouldn't even have indexers configured as search peers so you'd have no data to search from. I'm not sure what is your point here. ... View more

Depends how you're using the inputlookup. A "nice" number suggests you're hitting one of splunk's limits which I suspect comes from using inputlookup within a subsearch. You can use inputlookup with append=t but not every use case can be expressed this way. ... View more

Its Working. Thanks for solution and explanation!! ... View more

@sivaranjiniG , have you defined props and transforms under the search app context? Or if you created a new app, did you check the permission for app where you have defined props and transforms? can they be used in app context search or globally? (This can be validated in Splunk by going to Manage Apps (looking for sharing attribute) and searching for the custom app (if that's the case)) I was curious to know, have your tried removing "FORMAT = " (by default it should be considered an empty string)   ... View more

I had it done exactly like this - users had a share where they would upload a current version of the csv file. That file would be picked up by the monitor input and sent as events to the indexers. Then a scheduled search on the SH tier would search for the most recent events and do outputlookup. ... View more