Hi @Skinny  I think you probably meant to use sum(All_Email.size) as size instead of values(All_Email.size) as size? Then it should sum the sizes rather than return a list. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @KKuser  Do you have either IT Service Intelligence or Enterprise Security premium apps on Splunk Cloud? If you do this might significantly change how you approach this task.  These sound like a deliverable work item list but actually each should be broken down for some further analysis and collaboration with the stakeholder to determine exactly what they need, otherwise you may end up building something which is different to what they need (Been there, done that). A lot of these also depend on various other factors such as architecture, hosts, hosts type, infrastructure hosting provider (On Prem? VMware? AWS? Azure?) Do you already have all the data in Splunk for these data sources? If so, are the appropriate Technical Addons installed?  Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Oh I see, I thought this was a completely fresh install? ... View more

Hi @TJLAN  As @richgalloway  mentioned, the installation should come with a trial license bundled in.  There’s only two scenarios that I can think of which would cause this issue, the first is if it’s not truly a completely fresh install - if you have previous internal indexes from another install then this can cause the trial license to fail. The other scenario is if the time/date is incorrect on your server. Please could you confirm that this is correct? Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @TJLAN  You say this is a new installation of Splunk, are there any files copied from an existing Splunk instance? Just to confirm, is this an update from a previous version or completely vanilla install? Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

You can check this on your existing inputs, if you have acknowledgement enabled you'll have the useAck set to true in your inputs.conf stanzas such as below: [http://answers] disabled = 0 host = macdev index = answers token = bbe67d25-6eca-41c3-9046-e1e9b75bb571 useAck = true   useACK = <boolean> * When set to "true", acknowledgment (ACK) is enabled. Events in a request are tracked until they are indexed. An events status (indexed or not) can be queried from the ACK endpoint with the ID for the request. * When set to false, acknowledgment is not enabled. * This setting can be set at the stanza level. * Default: false Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @danielbb  As @PickleRick has pointed out in his reply just now, as you have an indexer cluster you should be making changes by pushing your indexer config via a configuration bundles pushed from your Cluster Manager. This means making changes in the manager-apps/yourOrg_inputs/local/inputs.conf file (or similar) and then pushing a bundle. Splunk will determine if a restart is needed however I think improvements have been made in more recent versions to reduce the number of restarts needed, but there is no guarantee if wont need a restart. When you click "Validate and Check Restart" it should tell you if a restart is required. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @danielbb  Receiving cooked data from a HF or receiving HEC shouldnt have much impact on the I/O saturation of your disks because Splunk will still write the same amount of data to disk if sent either way. The parsing of HEC data that will be done on your indexers instead of HF may use more CPU/Memory but I do not think disk IO should be affected. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @danielbb  If you are using config files to create your HEC tokens, which I suspect you will be! then Yes you will need to restart Splunk for it to allow the new HEC tokens to work. For more info check out https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UseHECusingconffiles#:~:text=Restart%20Splunk%20Enterprise%20for%20the%20changes%20to%20take%20effect. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @danielbb  Are you running your infra on-premise or using a cloud service such as AWS? If you are using AWS Firehose to send data to HEC then there are specific requirements for loadbalancing (See https://docs.splunk.com/Documentation/AddOns/released/Firehose/ConfigureanELB) Also, if you are using indexer acknowledgement with HEC then you need to ensure that (similar to Firehose sources) that your loadbalancer does cookie-based session stickiness so that the client can connect to the same indexer to check the acknowledgement. Other than that, I believe any modern HTTP Load balancing product should work well. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @JohnD-Splunker  I have a suspicion that when you do $PhoneNumber$ ="*" your actually going to end up with *="*" I would suggest updating $PhoneNumber$ to  $PhoneNumber|s$ This adds quotes around the value. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @gaguilar  Have you been assigned credits by your organization or Splunk account team? Once this is done these should be applied to your account when at the checkout for training.  Check out https://www.splunk.com/en_us/training/using-training-credits.html for more information on how to have your account configured and how to use the training credits. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @luizpolli  The java process is specifically looking for mssql-jdbc_auth-8.4.0.x64.dll rather than the higher version you have, I would suggest downloading and installing the specific 8.4.0 version of the DLL as I believe this should resolve the issue. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @lcguilfoil  To achieve this you can use the following  <drilldown> <eval token="form.rule_token">mvappend($form.rule_token$,$click.value$)</eval> </drilldown> Ive updated my previous answer to include this but also see below for working example: <form version="1.1" theme="light"> <label>AnswersTesting</label> <fieldset submitButton="false"> <input type="multiselect" token="rule_token" searchWhenChanged="true"> <label>Rule</label> <choice value="*">All Rules</choice> <default>*</default> <fieldForLabel>host</fieldForLabel> <fieldForValue>host</fieldForValue> <search> <query>| tstats count where index=_internal by host</query> <earliest>-7d@h</earliest> <latest>now</latest> </search> <prefix>host IN (</prefix> <delimiter>,</delimiter> <valuePrefix>"</valuePrefix> <valueSuffix>"</valueSuffix> </input> </fieldset> <row> <panel> <table> <search> <query>|tstats count where index=_internal by host</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <drilldown> <eval token="form.rule_token">mvappend($form.rule_token$,$click.value$)</eval> </drilldown> </table> </panel> </row> </form> Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @lcguilfoil  You need to use "form.rule_token" in the set token like this: <set token="form.rule_token">$click.value$</set>   Updated:  If you want to append to existing selections then use: <eval token="form.rule_token">mvappend($form.rule_token$,$click.value$)</eval> Here is a full example to demonstrate if it helps <form version="1.1" theme="light"> <label>AnswersTesting</label> <fieldset submitButton="false"> <input type="multiselect" token="rule_token" searchWhenChanged="true"> <label>Rule</label> <choice value="*">All Rules</choice> <default>*</default> <fieldForLabel>host</fieldForLabel> <fieldForValue>host</fieldForValue> <search> <query>| tstats count where index=_internal by host</query> <earliest>-7d@h</earliest> <latest>now</latest> </search> <prefix>host IN (</prefix> <delimiter>,</delimiter> <valuePrefix>"</valuePrefix> <valueSuffix>"</valueSuffix> </input> </fieldset> <row> <panel> <table> <search> <query>|tstats count where index=_internal by host</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <drilldown> <eval token="form.rule_token">mvappend($form.rule_token$,$click.value$)</eval> </drilldown> </table> </panel> </row> </form> Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @ssanplunk  This app actually uses the python Requests library under the hood and looking through the curl.py script (where it emulates curl requests via SPL command) it does not reference proxy anywhere, and also doesnt support passing additional flags, therefore unfortunately it is not currently possible to pass the curl proxy option to the command. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @SN1  Are you wanting to get rid of duplicates? e.g. so that only EMEA only appears once for bar-t1001.homag-group? If so I think the following might help | stats values(*) AS * by DeviceName Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @Poojitha  It sounds like your search is running to 11am UTC which I believe is 16:30 IST? (UTC+5.5hr) This is likely because the owner of the search has their timezone set to UTC - Is the search owned by your account, or a service account? Can you confirm that the account has the timezone set correctly to IST? Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @tchamp  Check out my other response first, but you may also be able to achieve this with an INGEST_EVAL == props.conf == [yourSourceType] TRANSFORMS-extractMessage = myExtract == transforms.comf == [myExtract] INGEST_EVAL = _raw:=json_extract(_raw,"message") Visualised as SPL this would be Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will   ... View more

Hi @dtaylor  I think something like the following might work for you? Ive tried to recreate it using some old dns/pihole data I have:   In the screenshot you can see that there were 2 hosts which resolved google.com, and based on the earliest/latest of 60 seconds either side of those events, the 2 hosts also queried mask.icloud.com This is the query I used,  the query is fairly obvious, the "src_ip" field is the client IP in this case.  The return command returns the first <n> (100) src_ip/earliest/latest fields as an OR statement like this: (src_ip="192.168.0.197" earliest="1726212774" latest="1726212894") OR (src_ip="192.168.0.226" earliest="1726213512" latest="1726213632") That is fed into the main query as a subsearch, you then use stats to get a distinct count of src_ip and a count of src_ip by query to match the sources and queries, sort in descending order and your common domains should float to the top! index=pihole [search index=pihole query=google.com | dedup src_ip | eval earliest=_time-60, latest=_time+60 | return 100 src_ip earliest latest] | stats dc(src_ip) as hostCount, values(src_ip) as hosts by query Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @molla  Im glad this helped - this change means that it runs on the SH you are running the search on, rather than on the search peers (indexers) -  if you move from a SH to SHC then the lookup will replicate to the other nodes (quite quickly) so hopefully you wont see this issue! Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more