Is there a way to embed the same into this query? rex field=logLine "(Error Occurred During Script|UnhandledException ->)(\s|\S)(?<errorMessage>.*)"   This didn't work, but something like this? rex field=logLine "(Error Occurred During Script|for job id \'\w*\d*\' :|UnhandledException ->)(\s|\S)(?<errorMessage>.*)" ... View more

thanks for your reply, we do have https://splunkbase.splunk.com/app/1724)? that one just need your help to create a dashboard . ... View more

I tried installing Add-on on HF and mapped the right source type still no luck.  Few events are truncated in the beginning.   ... View more

Hi @Aatom! Thanks for your community input. Since this is an old post, I recommend starting a new thread with your question, so it can gain more current visibility.    Cheers! -Kara D, Splunk Community Manager   ... View more

A couple of things wrong - field names should be in single quotes not double quotes when on the right hand side of the evaluation - equalities don't work with *, that's just for search filters, try match() | eval UserAgent = if(match('ContextData.UserAgent',"ios"),"ios","android") ... View more

Hi @AL3Z, if you don't have any recognized field, this means that you have a parsing problem. At first you have to check if you instaled the correct Add-On and if you associated the correct sourcetype with yur data flow. Then you have to analyze your data, see the sourcetype associated with these events and see what's the issue, Ciao. Giuseppe ... View more

Try something like this <input type="checkbox" token="checkbox" id="checkABC"> <label></label> <choice value="All">All</choice> <choice value="AA">AA</choice> <choice value="BB">BB</choice> <choice value="CC">CC</choice> <change> <condition match="match($checkbox$,&quot;All&quot;)"> <unset token="A"></unset> <unset token="B"></unset> <unset token="C"></unset> <set token="form.checkbox">All</set> </condition> <condition> <eval token="A">if(match($checkbox$,"AA"),"A",null())</eval> <eval token="B">if(match($checkbox$,"BB"),"B",null())</eval> <eval token="C">if(match($checkbox$,"CC"),"C",null())</eval> </condition> </change> <default>AA,BB,CC</default> <initialValue>AA,BB,CC</initialValue> <delimiter>,</delimiter> </input> Once All has been checked, you can't set anything else until All is unchecked. By setting the default to all options, when All is unchecked, all the options are checked. Obviously, you can use a different default if you prefer. ... View more

Hi @BoldKnowsNothin, did you tried field aliases (https://docs.splunk.com/Documentation/Splunk/9.1.1/Knowledge/Addaliasestofields)? Ciao. Giuseppe ... View more

Hi @AL3Z, if you don't have results to the control search and you have all the other logs, you solved your issue. Ciao. Giuseppe ... View more

Hi @Navanitha , publish the solution when you'll solve for the other people of Community. Ciao. Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @AL3Z, modify the regex in Search and see if the new regex matches all the events to filter. Ciao. Giuseppe ... View more

Hi @cmlombardo, where did you located this props and transforms files? They must be located in the Indexers or, if present in the first Heavy Forwarder they are passing throgh, not on Universal Forwarder. Ciao. Giuseppe ... View more

Hi @Choi_Hyun, the UniversalForwarder App is an internal Splunk App and usually it isn't used to add configurations, how do you have an inputs.conf in this App? Anyway, I'm not sure that it's possible to manage this App using a Deployment Server, but if you have the inputs.conf file in local you could try to deploy this App with an inputs.conf with this stanza disabled. Otherwise, the only solution is a remote script shell that remove this file (not the App!) and restarts Splunk. I'm very confident about this last solution. If all the above solutions don't work, open a case to Splunk Support. Ciao. Giuseppe ... View more

Hi @hiersdd, my first hint is to use a syslogs server like rsyslog or syslog-ng so it receives syslogs also when Splunk is down. You could also use the SC4S (https://splunkbase.splunk.com/app/4740) that's a syslog-ng and a Universal forwarder. In this way you can easily manage inputs. Anyway, did you tried to use an inpul like the following? [udp://192.168.2.*:514] connection_host = ip index = checkpoint sourcetype = syslog Ciao. Giuseppe ... View more

Hi @blazingblu, I don't think that's relevant and anyway Splunk will upgrade Splunk Cloud soon, so the versions will be aligned. Only for your better tranquillity, open a case to Splunk Support. Ciao. Giuseppe ... View more

Hi @AllandNothing , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @loganramirez, it was a pleasure to help you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉   ... View more

Hi @sarge338 , the solution is the same using the sync-time field instead _time, being in epochtime it's easier to manage. As I said you have only to define if you want the exact sync-time or a period (e.g. 5 minutes) and what's the rule to apply filter. index=your_index host IN (M1, M2, M3) | stats dc(host) AS host_count BY "time-sync" | where host_count=3 if the timestamps must be exactly the same, if instead they must be similar (e.g. 5 minutes ranges), you could run: index=your_index host IN (M1, M2, M3) | bin span=5m "time-sync" | stats dc(host) AS host_count BY "time-sync" | where host_count=3 If possible, don't use the minus char "-", but understand char "_", because Splunk read it as the minus operator, so yu have to use quotes. Ciao. Giuseppe ... View more

Hi @AL3Z, if you want to remove only a part of events, you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Anonymizedata you should insert in your props.conf  one SEDCMD-<class> = y/<string1>/<string2>/g, using my above regex: SEDCMD-remove_strings = s/Data Name\=\'ParentProcessName\'\>C:\\Program Files\\(Windows Defender Advanced Threat Protection\\MsSense\.exe)|(Windows Defender Advanced Threat Protection\\SenseIR\.exe)|(AzureConnectedMachineAgent\\GCArcService\\GC\\gc_worker\.exe)|(Rapid7\\Insight Agent\\components\\insight_agent\\3\.2\.5\.31\\ir_agent\.exe)//g  Ciao. Giuseppe ... View more