I just checked the local logs on the system and they look different to the normal Event logs: <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4624</EventID> <Version>1</Version> <Level>0</Level> <Task>12544</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2018-03-26T07:12:32.452412800Z" /> <EventRecordID>2217046350</EventRecordID> <Correlation /> <Execution ProcessID="700" ThreadID="17588" /> <Channel>Security</Channel> <Computer>XY.domain.intra</Computer> <Security /> <Data Name="SubjectUserSid">S-1-0-0</Data> <Data Name="SubjectUserName">-</Data> <Data Name="SubjectDomainName">-</Data> <Data Name="SubjectLogonId">0x0</Data> <Data Name="TargetUserSid">S-1-5-21-00000-00000-00000-00000</Data> <Data Name="TargetUserName">CompetellaSVCAccount</Data> <Data Name="TargetDomainName">DOMAIN</Data> <Data Name="TargetLogonId">0x2e33XXXX</Data> <Data Name="LogonType">3</Data> <Data Name="LogonProcessName">NtLmSsp</Data> <Data Name="AuthenticationPackageName">NTLM</Data> <Data Name="WorkstationName">XY</Data> <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data> <Data Name="TransmittedServices">-</Data> <Data Name="LmPackageName">NTLM V2</Data> <Data Name="KeyLength">128</Data> <Data Name="ProcessId">0x0</Data> <Data Name="ProcessName">-</Data> <Data Name="IpAddress">172.1.1.1</Data> <Data Name="IpPort">53000</Data> <Data Name="ImpersonationLevel">%%1833</Data> <Message>An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2088249647-00000-00000-00000Account Name: CompetellaSVCAccount Account Domain: DOMAIN Logon ID: 0x2E330000 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: SRVXY Source Network Address: 172.1.1.1 Source Port: 53000 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.</Message> <Level>Information</Level> <Task>Logon</Task> <Opcode>Info</Opcode> <Channel>Security</Channel> <Provider>Microsoft Windows security auditing.</Provider> <Keywords> <Keyword>Audit Success</Keyword> </Keywords> </RenderingInfo> you know if it's possible to change the input collection for this sourcetype to match the changes? Or you know how the system collects the data? thanks again! ... View more

do you get some data with for example | timechart span=15min avg(PercentUsed) ? if so can you add this search to ITSI and then when you can select there on the next windows.. just choose there "last". ... View more

Hi Rich Thanks for your answer With you command i get nothing. When i change to "WinEventLog:ForwardedEvents" (without the slashes) i get following: [WinEventLog:ForwardedEvents] ADD_EXTRA_TIME_FIELDS = True ANNOTATE_PUNCT = True AUTO_KV_JSON = true BREAK_ONLY_BEFORE = BREAK_ONLY_BEFORE_DATE = True CHARSET = AUTO DATETIME_CONFIG = \etc\datetime.xml DEPTH_LIMIT = 1000 HEADER_MODE = LEARN_MODEL = true LEARN_SOURCETYPE = true LINE_BREAKER_LOOKBEHIND = 100 MATCH_LIMIT = 100000 MAX_DAYS_AGO = 2000 MAX_DAYS_HENCE = 2 MAX_DIFF_SECS_AGO = 3600 MAX_DIFF_SECS_HENCE = 604800 MAX_EVENTS = 256 MAX_TIMESTAMP_LOOKAHEAD = 128 MUST_BREAK_AFTER = MUST_NOT_BREAK_AFTER = MUST_NOT_BREAK_BEFORE = SEGMENTATION = indexing SEGMENTATION-all = full SEGMENTATION-inner = inner SEGMENTATION-outer = outer SEGMENTATION-raw = none SEGMENTATION-standard = standard SHOULD_LINEMERGE = True TRANSFORMS = TRANSFORMS-001-sethost_sourcetype = Set-Host-By-ComputerName TRUNCATE = 10000 detect_trailing_nulls = auto maxDist = 100 priority = sourcetype = Is this the error? Do I may Need to change the input sourcetype or something? Also in Splunk I have the Events without the "//" sourcetype="WinEventLog:ForwardedEvents" Thanks ... View more

Try with the same search, but than use a timechart at the end of your search. And in ITSI go and choose "last" value of your eval field. This way it worked for me to get the backfill working ... View more

Because you got more then 5 warnings your Splunk instance got locked. Please contact the person who sold you the new licence and ask for a Reset Key ... View more

If you use it only once you can try it with this command | rex field=_raw "name=\"(?<name>[^\"].+)\",first_name=\"(?<first_name>[^\"].+)\"" If you are using it more then one. Try to extract new fields with the field extractor. There you can also use the regex from above. ... View more

reset key --> from the person/partner you got your new licence ... View more

try to go to settings > Licensing At the end you should see "Warning count" What's the number there? ... View more

have you had more then 5 days over the limit before you installed the new licence? so you had more then 5 violations? Then you need a reset key. ... View more

| eval duration_group = if(duration<=50,"50ms",if(duration<=200,"200ms",if(duration<=500ms,"500ms","1s"))) so you have a new field_duration_group with that you can count | eventstats count as totalCount this one gives you on every event a new field with the total count now you just can calculate the percentage ... View more

so you see the new $hosttype$ value in your label? Or is this one empty? ... View more

Where did you define the $hosttype$ token you are using there? ... View more

Hello Cem, I'm working with the NetApp App as well. And I have all the logs I need to fill the Graphs in the NetApp App. But I also have both of your messages you have (sleeping and 404). If you search for index=_internal level=ERROR host=YourHeavyforwarder you find some errors? ... View more

Hi jperezh I'm indexing for example the number of likes of our facebook group. For this you need to have access to your GraphApi from Facebook. There you need to create an API key which is allowed to read this information. Than I'm using the REST Api Modular Input (https://splunkbase.splunk.com/app/1546/) with following configuration: Endpoint URL: https://graph.facebook.com/v2.5/me?fields=likes&access_token=YOURTOKEN Http Method: Get Authentication Type: None Response Type: json What kind of information do you want to load from Facebook? And are you the owner from the group? ... View more

Or do you want to count for each caseId? so you get a list like: caseId1 count=2 caseId2 count=1 caseId3 count=5 | stats count by caseId ... View more

Hi Paul, Have you tried it with a subsearch where you exclude the new results? index=_internal message="*" | eval Words=split(message,",") | Stats count by Words | search NOT (Words="disk" OR Words="ems") Here I split the message into diverent words. And after this I exclude the words "disk" and "ems" from my search. ... View more

I just used the the original which was in the transforms.conf like this: REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]] and tried to change this one... so this isn't the correct way? ... View more