Good find, @PickleRick !  The docs do imply one should set sendCookedData=false when sending to third-party systems. @vikas_gopalPlease try that and report the results. ... View more

Whether via HTTP or TCP, the UF only sends data using the Splunk-to-Splunk protocol so cannot send successfully to Logstash.  I suggest using a Logstash agent, instead. The sending of UF internal logs is a setting in an inputs.conf file.  Turning that off will not solve the above problem, however. ... View more

Which dashboard?  Is it custom or Splunk-provided? ... View more

When a UF sends data via HTTP it uses the Splunk-to-Splunk protocol, which logstash doesn't support. ... View more

Contact the Certification office at certification@splunk.com for assistance. ... View more

I think perhaps there's some mix-up in terminology that is making it harder to communicate the goal. Splunk Enterprise is Splunk's core data platform product for on-premises installation.  It can be used to collect observability (o11y) data. Splunk Cloud (AKA Splunk Cloud Platform) essentially is Splunk Enterprise on a public cloud provider (AWS, GCP, or Azure). Splunk Observability Cloud is Splunk's o11y product offering and is distinct from both Splunk Enterprise and Splunk Cloud.  This product is available only in a cloud offering. Splunk Real User Monitoring (RUM) and Splunk Synthetic Monitoring are other separate Splunk products. That said, can you please re-state the goal? ... View more

This is a question only you can answer based on your risk tolerance level and how much storage you have. I recommend RF/SF values of at least 2.  Higher values offer more protection against failure, but at the cost of additional storage. ... View more

We need more information. Please say more about the problem you are trying to solve.  It would help to see sample data and desired output. ... View more

Try this query that does not use appends or transpose. (index=fortinet dlpextra IN (WatermarkBlock1,Log_WatermarkBlock2,Log_WatermarkBlock3,Log_WatermarkBlock4)) OR (index=035 "Common.DeviceName"="p151.d.com" OR Common.DeviceName="p1p71.c.com" "SensitiveInfoTypeData{}.SensitiveInfoTypeName"=*) OR (index=iron AutomaticClassification) OR (index=testing sourcetype="net:alert" dlp_rule="AZ C*") | eval type = case(index=fortinet, "Proxy", index=iron, "Email", index=035, "SFTP", index=testing, "Netskope", 1==1, "Unknown") | stats count by type ... View more

Each command works only with the results from the previous command. If the most recent event from each host is SESSION_STATE_UP then your job is done since there are no down hosts.  The where command will find no SESSION_STATE_DOWN events so there are none to display or alert on.  This is the desired state (isn't it?). OTOH, if a host currently is down then dedup host will return SESSION_STATE_DOWN for that host and the where command will decide if the host has been down long enough to worry about. ... View more

Search for up/down events and take the most recent for each host (switch).  Discard all of the up events and anything newer than 60 seconds.  The remainder will be down events at least a minute old without a following up event. index=foo ("SESSION_STATE_DOWN" OR "SESSION_STATE_UP") | dedup host | where match(_raw, "SESSION_STATE_DOWN") AND _time<relative_time(now(), "-60s")   ... View more

The first example will produce a count of destinations, etc, for each hour of the search time window.  Something like this _time Processes.dest count 12:00 foo 2 12:00 bar 1 13:00 foo 4 13:00 bar 2   The second example will produce counts by destination, etc.  The counts will not be broken down by time. Processes.dest count foo 6 bar 3   The bin command will have no effect because there is no _time field at that point. Putting span in the tstats command gives you control over the bin sizes.  Without span, tstats will choose a span it thinks best fits the data. ... View more

You can do that with Ingest Actions in either an intermediate HF or the indexers. Go to Settings->Ingest Actions and click the New Ruleset button.  Select the sourcetype to filter and then choose "Filter using Eval Expression" from the Add Rule dropdown.  Enter "len(_raw) > 10000" as the Eval Expression and click Apply to see the effect.  When you're happy with the set-up, click Save. ... View more

Have you checked the search log or splunkd.log on the remote search head? ... View more

@michael_vi wrote: I'm trying to run a search via CLI from federated Splunk instance > Splunk cloud. Everything is configured correctly and I have access to all indexes that on Splunk Cloud from Federated Instance  via web interface But when I'm trying to check connection via CLI on Federated Search instance splunk display app -uri https://<splunk cloud uri>:8089 I get this error:  argument uri is not supported by this handler splunk That's because "-uri" is not an option to the display command.  Run splunk help display app to see the full syntax. ... View more

This query will give the number of warnings for each indexer. index=_internal source=*license_usage.log type=SlaveWarnSummary ... View more

I contend the documentation is incorrect.  LINE_BREAKER and BREAK_ONLY_BEFORE are contradictory and shouldn't be used together.  At the very least, great care should be used to ensure the two settings work properly. ... View more

@hemant_lnu wrote: We have one index os_linux which has 2 source type and i see props and transform is written . can you help me to understand how its working . linux:audit Linux_os_syslog   props.conf [Linux_os_syslog] TIME_PREFIX = ^ Tells Splunk to look for the event timestamp at the beginning of the event TIME_FORMAT = %b %d %H:%M:%S Tells Splunk what a timestamp looks like MAX_TIMESTAMP_LOOKAHEAD = 15 How far from TIME_PREFIX the timestamp is allowed to be SHOULD_LINEMERGE = false Don't combine lines LINE_BREAKER = ([\r\n]+) Events break after a newline (CR and/or LF) TRUNCATE = 2048 Cut off each event after 2048 characters TZ = US/Eastern Event timestamps are expected to be in this time zone Transforms.conf [linux_audit] DEST_KEY = MetaData:Sourcetype REGEX = type=\S+\s+msg=audit FORMAT = sourcetype::linux:audit Look for "type=", some text followed by white space, then "msg=audit".  If it's found, set the sourcetype field to "linux:audit" [auditd_node] REGEX = \snode=(\S+) FORMAT = host::$1 DEST_KEY = MetaData:Host Look for "node=" in each event and set the 'host' field to the word that follows it. ... View more

There are no defaults for charting.fieldColors. ... View more

Try increasing the maxKBps setting in the forwarder's limits.conf file.  It sounds like the default of 256 is not enough.  Try 512 or 0 (unlimited). ... View more

Have you enabled receiving of data in Splunk?  Go to Settings->"Forwarding and Receiving"  to turn on receiving. Does "localhost url" include the port number (9997 by default)? Do your firewalls allow connections between Mulesoft and Splunk? ... View more

Check out 'charting.fieldColors' in the Dashboards and Visualization manual. ... View more

Example?  Screenshot? ... View more

It's normal to see "splunkd -p 8089 restart" in the process list because that is the command that launched Splunk.  I'm not sure, however, about why it appears so many times.  AIUI, there should be a single "splunkd -p 8089 restart" process and additional "splunkd" processes for running searches.  I could be mistaken, however. ... View more