Thanks for pointing me in the right direction. I slightly modified the search and it now works:   index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName IN (samr,lsarpc,srvsvc,winreg) src_user!=*$ | stats count by src_user,src_ip,RelativeTargetName,host_fqdn | stats list(RelativeTargetName) as all by src_ip, src_user,host_fqdn | where mvcount(all) = 4 ... View more

Hi, thanks for the answer, but i don't want to expand the multi value field. So this is not what iam looking for ... View more

"Or is the question more like "shouldn't Splunk never write events longer than 10,000 characters?" Yes - that would be my question. I assume splunk should know that it would exceed some length. So i dont get why there is a "limit" for internal logs. But yeah, that question has no real "this" or "that". Thanks for the reply ... View more

So we did a little more digging. The magic in this case is called "channelAccess". This setting basically grants access to specific event logs for "normal user" accounts. High value event logs, for example: security event log, are only available for higher privileged accounts. The sysmon event log is considered "high value". So when you check the "channelAccess" settings you get this by default: But Microsoft allows you to modify this setting. So we modified the "channelAccess" settings based on the "powershell operational" settings: After you set the setting, restart the SplunkForwarder Service. And voila - you have access to the sysmon event log without adding the virtual account to a specific group.   ... View more

Hi, so I also had the same problem. I tested several setups and what worked was the solution provided by MaverickT. Just create a GPO and add the virtual Account to the "Event Log Readers" Group. This does the trick. It seems that the privilege "SeSecurityPrivilege" isnt enough to read the sysmon event log.   Which is weird, because all the other logs are readable. I can read power shell logs with this settings, but not the sysmon logs. ... View more

Adding my 2 cents here - we have the exact same error messages. Also a multisite Cluster and a Search Head Cluster - all Hardware based. Since we updated to 8.2.2 this issues startet to occur. We have timeouts on our Search Head Cluster Members "Timed out waiting for peer [XXX] . Search results might be incomplete! If this occurs frequently, receiveTimeout in distsearch.conf might need to be increased." And we also have the broken pipe events for our indexers. Splunk Support so far couldnt help. Their last resort was to look at the network and os level. Before we updated we had no issues, now they started... ... View more

  Hi, thats what i tried. But then i get a multi value field "environment" back which contains both prod and test. I could split that into two fields, but in the summary its wrong because than i have 6 prod events insted of 3. Idea behind this is: we have a system that calls for specific functions. Every call is tied to an ID, but since they also test the system it can happen that this id is valid both in prod and test. So when i create a search that queries only for calls from a specific id within the prod environment, i get douple results.  Because the id is both found in prod and test. So i wanted to filter for two conditions first one would be the id and second one would be the environment. But that need to happen within the lookup statement and not after wards.   Example search with mvexpand: index=XX  sourcetype=iis NOT cs_User_Agent=performanceTester cs_uri_stem="*datapoints*values/*"  | search XXid=XX475  | lookup local=true lkp_XX_ids_kv XXId AS xx_id  OUTPUTNEW SourceSystemName as source_system Environment | mvexpand Environment |search Prod ... View more

I would like to push this Question back to top. I have a similiar Problem, with importing a csv file. Splunk also "cuts" the Import after 20.000 lines. Is there some sort of max supported lines withing an csv file? ... View more