Hi @david_monaghan  There are a wide range of detections/analytic stories in the ESCU app - it really depends on what your use-cases and requirements are as to which datasources you will need to onboard.  Check out https://research.splunk.com/sources/ for a full list of datasources used by the ESCU app as well as Analytic Stories (https://research.splunk.com/stories/) and Detections (https://research.splunk.com/detections/) which both show which sources are required for them. This will then help your onboarding process. I would also recommend checking out SEC1638 - From Request to Response: Mastering Security Data Onboarding  🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

OK. If you put there literally "<myindex>" that obviously won't work. I'll assume you actually substituted that for the real index name so in case of an internal index that would be index=_internal | stats values(*) AS * | transpose | table column | rename column AS fieldnames So actually there are several possible issues with those searches. Transpose has its limits, tabling all events can be resource-intensive... Actually the best one of those seems to be the fieldsummary one. But if you're not gettting any results (and no errors) at all that means there's something more to it. Inspect the job, check its log. Do you have the permissions to the target index? Aren't you trying to search over a longer period than permitted for your role?  ... View more

Come on. PDF? 1. It's not indexed and searchable so if anyone has similar problem in the future won't be able to find this thread. 2. It's not easy to read and copy/paste from. Especially on mobile devices. 3. Opening untrusted files from the internet isn't many people's idea of fun.   ... View more

Wait. What are you trying to do? As I understand it, you have a field with an epoch-based unix timestamp and want to render it to a string, right? Splunk renders the time in the timezone set in your user's preferences. Period. There is no function which lets you render a given timestamp in a different timezone. It's by design and while in some specific use cases it might be less than perfect in most cases it actually saves you a lot of trouble because you always have a fixed timezone against which you can interpret your timestamp strings. You can cheat a bit by "adjusting" your timestamp by a proper offset between your user's configured timezone and the target timezone and then rendering your timestamp to a string but that's not something I'd recommend since you can quickly lose track the actual time for your events. ... View more

This addon is a bit different. As I understand it from the description, it doesn't check Splunk's own certs, but connects to a given endpoint on the network and checks the cert presented there. It's kinda like check_ssl in Nagios. ... View more

Hi there, if all your saved searches are in the same app ACS is your friend https://help.splunk.com/en/splunk-cloud-platform/administer/admin-config-service-manual/9.3.2411/admin-config-service-acs-api-endpoint-reference/admin-config-service-acs-api-endpoint-reference#b7653fbe_6c5c_448a_baf7_038bb28aca03__Manage_private_apps_and_Splunkbase_apps_.28Victoria_Experience.29 Hope this helps ... Cheers, MuS ... View more

It's better to create a new questions instead of use old closed thread to get more comments. ... View more

Hi there, This is not really a Splunk question; I would start here https://argo-cd.readthedocs.io/en/stable/ cheers, MuS ... View more

@MuSThat got me part of the way there but I think I may have accidentally oversimplified my question a bit. I'll post another question to get the 2nd half answered. Thanks for the help! ... View more

this is what i was thinking when i saw the answer.  ... View more

ES Cannot be installed in a cluster on Windows, it only supports standalone ES search heads. https://docs.splunk.com/Documentation/ES/latest/RN/Limitations ... View more

Hi @Aedah , you could add this to splunk ideas (ideas.splunk.com) surely many people will be interesd on it. Ciao. Giuseppe ... View more

Just adding the translated text here: The Splunk Enterprise upgrade procedure states that the automatic startup setting should be disabled, but why is it necessary to disable the automatic startup setting? ... View more

Hi have same or different lexical form of splunk.com and your local splunk box account name? If those are formally same it’s quite possible that your browser’s password manager thinks that those two different site passwords should be same and it’s offering to you update those to the same.  As @MuS said there are two different accounts one for splunk.com and also for splunkbase then second one for your local splunk instance. I strongly propose that you are keeping those to have different lexical format. Otherwise you must be really careful to avoid updating wrong password. ... View more

A thing of beauty marycordova - thank you! ... View more

Hi there, make sure the user role has the required capabilities: edit_tokens_settings, which turns token authentication on or off edit_tokens_all, which lets you create, view, and manage tokens for any user on the instance edit_tokens_own, which lets you create, view, and manage tokens for yourself https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Security/Setupauthenticationwithtokens#Prerequisites_for_creating_and_configuring_tokens   Hope this helps ... cheers, MuS     ... View more

I know an old question, but actually your idea works, the first part in the subsearch till "fields - ..." simply builds a table I use for field renaming, so that users only need to edit a lookup for renaming fields: | makeresults | eval field1="some value", field2="another value" | rename [| makeresults | eval mapping="field1:field_one field2:field_two" | makemv delim=" " mapping | mvexpand mapping | rex field=mapping "(?<orig>[^:]+):(?<new>.*)" | fields - _time, mapping | eval rename_phrase=orig + " as " + "\"" + new + "\"" | stats values(rename_phrase) as rename_phrases | eval search=mvjoin(rename_phrases, ", ") | fields search] But it can only build arguments, as seen that rename must be in the base search. Maybe of use for somebody out there. ... View more

See my reply here if it can help https://community.splunk.com/t5/Deployment-Architecture/Splunk-Storage-Sizing-Guidelines-and-calculations/m-p/708258/highlight/true#M29013 ... View more

To build on what @MuS says, here's a simple example that simulates two data sets, the switch data (index A) and the devices data (index B) and the stats command shows how to "join" on the two. So, everything up to the last two lines is just setting up dummy data sets to model your example and then the search/stats does sort of what you are looking to do - you can just copy/paste this to a search window | makeresults count=1000 | fields - _time | eval SwitchID=printf("Switch%02d",random() % 5) | eval Mac=printf("00-B0-D0-63-C2-%02d", random() % 10) | eval index="A" | append [ | makeresults count=1000 | fields - _time | eval r=random() % 10 | eval Mac=printf("00-B0-D0-63-C2-%02d", r) | eval dhcp_host_name=printf("Host%02d", r) | eval index="B", source="/var/logs/devices.log" | fields - r ] | eval r=random() % 10 | sort r | fields - r ``` Now we have a bunch of rows from index A and B``` | search (index="A" SwitchID=switch01) OR (index="B" source="/var/logs/devices.log") | stats count values(dhcp_host_name) as dhcp_host_name values(SwitchID) as SwitchID by Mac Hope this helps ... View more

Hi there, Have a read here https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Knowledge/Usesummaryindexing#Get_started_with_summary_indexing    cheers, MuS ... View more

Thanks @MuS! ... View more

You are looking at the wrong tool in the box.  Do not use rex to extract fields from structure data like JSON which your event contains.  Instead, extract the JSON object then use tools like spath to extract data fields.    | rex "^[^{]+(?<message_body>.+})" | spath input=message_body | table *.alias *.responders{}.name   Your sample data will give alert.alias entity.alias params.alert.alias params.entity.alias alert.responders{}.name entity.responders{}.name params.alert.responders{}.name params.entity.responders{}.name FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777, FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777, FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777, FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777, Monitoring_Admin Monitoring_Admin Monitoring_Admin Monitoring_Admin Additional pointers: The sample JSON contains 4 different leaf nodes all named alias.  There is no inherent logic to say they are all the same. The sample JSON contains 4 different arrays that all contain leaf nodes that are all named name.  There is no inherent logic to say they are all the same. What this means is that you need to ask your developer which node you need data from. Lastly, this JSON has a deep structure.  If you are only interested in select few nodes, you can also use a JSON function if your server is 8.2 or later.  For example,   | rex "^[^{]+(?<message_body>.+})" | eval alias = json_extract(message_body, "alert.alias"), name = json_extract(message_body, "alert.responders{}.name") | table alias name   The output will be alias name FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777, Monitoring_Admin Here is an emulation of your sample data.  Play with it and compare with real data   | makeresults | eval _raw = "[36mINFO[0m[2024-11-13T13:37:23.9114215-05:00] Message body: {\"actionType\":\"custom\",\"customerId\":\"3a1f4387-b87b-4a3a-a568-cc372a86d8e4\",\"ownerDomain\":\"integration\",\"ownerId\":\"8b500163-8476-4b0e-9ef7-2cfdaa272adf\",\"discardScriptResponse\":true,\"sendCallbackToStreamHub\":false,\"requestId\":\"18dcdb1b-14d6-4b10-ad62-3f73acaaef2a\",\"action\":\"Close\",\"productSource\":\"Opsgenie\",\"customerDomain\":\"siteone\",\"integrationName\":\"Opsgenie Edge Connector\",\"integrationId\":\"8b500163-8476-4b0e-9ef7-2cfdaa272adf\",\"customerTransitioningOrConsolidated\":false,\"source\":{\"name\":\"\",\"type\":\"system\"},\"type\":\"oec\",\"receivedAt\":1731523037863,\"ownerId\":\"8b500163-8476-4b0e-9ef7-2cfdaa272adf\",\"params\":{\"type\":\"oec\",\"alertId\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"customerId\":\"3a1f4387-b87b-4a3a-a568-cc372a86d8e4\",\"action\":\"Close\",\"integrationId\":\"8b500163-8476-4b0e-9ef7-2cfdaa272adf\",\"integrationName\":\"Opsgenie Edge Connector\",\"integrationType\":\"OEC\",\"customerDomain\":\"siteone\",\"alertDetails\":{\"Raw\":\"\",\"Results Link\":\"https://hostname:8000/app/search/search?q=%7Cloadjob%20scheduler__td26605__search__RMD5e461b39d4ff19795_at_1731522600_38116%20%7C%20head%204%20%7C%20tail%201&earliest=0&latest=now\",\"SuppressClosed\":\"True\",\"TeamsDescription\":\"True\"},\"alertAlias\":\"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,\",\"receivedAt\":1731523037863,\"customerConsolidated\":false,\"customerTransitioningOrConsolidated\":false,\"productSource\":\"Opsgenie\",\"source\":{\"name\":\"\",\"type\":\"system\"},\"alert\":{\"alertId\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"id\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"type\":\"alert\",\"message\":\"[Splunk] Load Balancer Member Status\",\"tags\":[],\"tinyId\":\"14585\",\"entity\":\"\",\"alias\":\"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,\",\"createdAt\":1731522737697,\"updatedAt\":1731523038582000000,\"username\":\"System\",\"responders\":[{\"id\":\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\",\"type\":\"team\",\"name\":\"Monitoring_Admin\"}],\"teams\":[\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\"],\"actions\":[],\"priority\":\"P3\",\"oldPriority\":\"P3\",\"source\":\"Splunk\"},\"entity\":{\"alertId\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"id\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"type\":\"alert\",\"message\":\"[Splunk] Load Balancer Member Status\",\"tags\":[],\"tinyId\":\"14585\",\"entity\":\"\",\"alias\":\"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,\",\"createdAt\":1731522737697,\"updatedAt\":1731523038582000000,\"username\":\"System\",\"responders\":[{\"id\":\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\",\"type\":\"team\",\"name\":\"Monitoring_Admin\"}],\"teams\":[\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\"],\"actions\":[],\"priority\":\"P3\",\"oldPriority\":\"P3\",\"source\":\"Splunk\"},\"mappedActionDto\":{\"mappedAction\":\"postActionToOEC\",\"extraField\":\"\"},\"ownerId\":\"8b500163-8476-4b0e-9ef7-2cfdaa272adf\"},\"integrationType\":\"OEC\",\"alert\":{\"alertId\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"id\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"type\":\"alert\",\"message\":\"[Splunk] Load Balancer Member Status\",\"tags\":[],\"tinyId\":\"14585\",\"entity\":\"\",\"alias\":\"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,\",\"createdAt\":1731522737697,\"updatedAt\":1731523038582000000,\"username\":\"System\",\"responders\":[{\"id\":\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\",\"type\":\"team\",\"name\":\"Monitoring_Admin\"}],\"teams\":[\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\"],\"actions\":[],\"priority\":\"P3\",\"oldPriority\":\"P3\",\"source\":\"Splunk\"},\"customerConsolidated\":false,\"customerId\":\"3a1f4387-b87b-4a3a-a568-cc372a86d8e4\",\"action\":\"Close\",\"mappedActionDto\":{\"mappedAction\":\"postActionToOEC\",\"extraField\":\"\"},\"alertId\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"alertAlias\":\"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,\",\"alertDetails\":{\"Raw\":\"\",\"Results Link\":\"https://hostname:8000/app/search/search?q=%7Cloadjob%20scheduler__td26605__search__RMD5e461b39d4ff19795_at_1731522600_38116%20%7C%20head%204%20%7C%20tail%201&earliest=0&latest=now\",\"SuppressClosed\":\"True\",\"TeamsDescription\":\"True\"},\"entity\":{\"alertId\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"id\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"type\":\"alert\",\"message\":\"[Splunk] Load Balancer Member Status\",\"tags\":[],\"tinyId\":\"14585\",\"entity\":\"\",\"alias\":\"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,\",\"createdAt\":1731522737697,\"updatedAt\":1731523038582000000,\"username\":\"System\",\"responders\":[{\"id\":\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\",\"type\":\"team\",\"name\":\"Monitoring_Admin\"}],\"teams\":[\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\"],\"actions\":[],\"priority\":\"P3\",\"oldPriority\":\"P3\",\"source\":\"Splunk\"}} [36mmessageId[0m=7546739e-2bab-414d-94b5-b0f205208932" ``` data emulation above ```   ... View more

As @MuS said, you must as that your account team add rights to you to download it after you have bought it. ... View more

When i enable [WinEventLog] persistentQueueSize=5GB   in the windows_ta, all event flow stops. I see the queue file created in var/run/splunk/exec but no events are indexed. I remove that stanza, and events flow again... ... View more

As @PickleRick notes, if time is critical for correlation, bin is risky.  This is one of the use cases where transaction is appropriate.  But you cannot use span alone.  Using index alone with _time is also unsafe.  From the context implied in mock data, you want transaction by user.  It is very important that you describe these critical logic clearly, explicitly, and without help from SPL. The only obstacle is the field names "username" and "Users_Name"; this is so easily overcome with coalesce. (It is never a good idea to illustrate mock data with inaccuracy.  If the field name is Users_Name, you should consistently illustrate it as Users_Name and not usersname.)  One element that distracted people is the servtime and logtime conversion in initial illustrated SPL.  These fields adds no value to the use case. This is the code that should get you started   index=printserver OR index=printlogs | eval username = coalesce(username, Users_Name) | fields - usersname | transaction username maxspan=3s | table _time prnt_name username location directory file   Using your corrected mock data, the above gives _time prnt_name username location directory file 2024-11-04 12:20:56 Printer2 tim.allen FrontDesk c:/documents/files/ document2.xlsx 2024-11-04 11:05:32 Printer1 jon.doe Office c:/desktop/prints/ document1.doc Here is an emulation of your mock data.  Play with it and compare with real data   | makeresults format=csv data="_time, prnt_name, username, location, _raw 2024-11-04 11:05:32, Printer1, jon.doe, Office, server event 1 2024-11-04 12:20:56, Printer2, tim.allen, FrontDesk, server event 2" | eval index = "prntserver" | append [makeresults format=csv data="_time, Users_Name, directory, file, _raw 2024-11-04 11:05:33, jon.doe, c:/desktop/prints/, document1.doc, log event 1 2024-11-04 12:20:58, tim.allen, c:/documents/files/, document2.xlsx, log event 2" | eval index = "printlogs"] | eval _time = strptime(_time, "%F %T") | sort - _time ``` the above emulates index=printserver OR index=printlogs ```   Hope this helps ... View more