This has changed. You can now use IT Essentials Work as a free version, it is like a light ITSI. However, if you want to use premium features you still need to licensed ITSI version. ... View more

This appears to still not have been fixed, even though we are at version 8.2.7. This is very disappointing from Splunk as it fills our logs with garbage and important logs get pushed out of the historical records.  Splunk engineers: This needs to be fixed now. ... View more

This was extremely useful for me, I have a question, how can I append the search based on a second token? like:   $tk1|s$ index="123" | timechart count AS 123 | append search $tk2|s$ index="456" | timechart count 456   I want the first part to run with the first token set, and the second part to run only if the second token is set too. how can I do this? ... View more

I checked my acct again. I am admin, can_delete, power, Splunk-system-role, user Do you think it's the VPN link that I'm using to get to Splunk?  ... View more

Hi Are your DS and DCs all linux servers or have you Windows DS? If later then you must change your DS to linux. r. Ismo ... View more

Hi you should remember that with IA you could use S3 only if you are running that instance on AWS! Splunk have "secret" wildcard for sourcetype in props.conf. I don't know if it works also for IA RULESET or not and can you use it via GUI or not. You can read more from https://www.splunk.com/en_us/blog/tips-and-tricks/quick-tip-wildcard-sourcetypes-in-props-conf.html. BUT remember that this is not officially supported and it can removed anytime!! For that reason I also prefer @richgalloway 's proposal to use cold2frozen script.  r. Ismo ... View more

did you manage to clear the exam? ... View more

Thank you @richgalloway , indeed by simply selecting the option Restart Splunkd from the deployment server GUI (in Settings > Forwarder management > select your app then click Edit abd select: After installation: Restart Splunkd)  logs start coming in 🙂  ... View more

Hi @dokaas_2 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Slight adjustment and  worked out great. Thank you @richgalloway !!! ... View more

Use the lookup command to pull data from the CSV by common fields. ndex="*dyn*" source="*:*dgf*" dt.entity.service_method=* metricId=builtin:service.keyRequest.count.total | stats avg(value) as "AvgValueCountTotal" count as "Total" by dt.entity.service_method | lookup my lookup.csv Service_Method as dt.entity.service_method ... View more

Good morning.  Any new thoughts as to why my results are showing "Missing" only even for devices/servers I know to be reporting? Anything to tweak the query somehow? ... View more

Hi You can use | format "(" "" "OR" "" "" ")" or change "(" and ")" to "" r. Ismo ... View more

I tried this as well "Book bought by" | rex field=_raw "Book\sbought\sby\sAccountId=(?P<Account>\d+),\sBookName=(?P<bookBoughtName>.*)" | join type=left Account [search "Book Sold By" | rex field=_raw "Book\ssold\sbuy\sAccountId=(?P<Account>\d+),\sBookName=(?P<bookSoldName>.*)"] | stats count(bookBoughtName) as "Bought" count(bookSoldName) as "Sold" by Account bookBoughtName but it's not working, giving the same old result. I issue I am getting is in the sold count not in the bought count.  What's happening is. Suppose bought  count is 3 for book1, if sold count for book1 is 0 than it shows 0. but if sold count is more than 0 (let say 1) than instead of showing 1 sold count is showing same as bought count i.e. 3 although it should show bought-3 sold-1 but showing bought-3 sold-3. In short sold count is either 0 or same as bought count that's the issue i am facing. Please help!   ... View more

What I am trying to solve is with botsv1 with the command index=botsv1 | stats count by http.http_method, http.hostname, http.url | sort -count in trying to identify malicious IP addresses. ... View more

That has me much closer, thanks! ... View more

The trick is to use the stats command to regroup the results by a common field.  In this case, however, there is no common field.  If the 'user' field is the same as either 'Owner_Samaccountname' or 'AccountUsed' then you can use rename to create a common field. index=os process=sshd name="session opened" action=success | eval user=upper(user) | lookup all_svc_samaccountname.csv SamAccountName as user OUTPUT Match | search Match =1 | eval dest=upper(dest) | fields dest user | lookup cmdb_all_assets.csv name as dest Output sys_class_name | search sys_class_name=cmdb_ci*server | eval User=mvindex(user,-1) | eval AccountUsed=upper(User) | search AccountUsed IN (*) | fillnull value="Not Provided" AccountUsed | lookup user_info_all.csv Samaccountname as AccountUsed OUTPUT department Samaccountname Owner_Samaccountname | stats values(department) as Department latest(_time) as Time count by Owner_Samaccountname AccountUsed dest | convert ctime(Time) | rename dest as Target_Computer | append [search index=wineventlog EventID IN (4648) ProcessName="C:\\Windows\\System32\\lsass.exe" source="XmlWinEventLog:Security" action=success | stats count by user ComputerName | rename user as Owner_Samaccountname] | stats values(*) as * by Owner_Samaccountname | table Time Owner_Samaccountname AccountUsed Department Target_Computer ComputerName | sort - Time   ... View more

That JSON has unquoted strings.  The first is on line 24. ... View more

Assuming that is the correct set of props (I wonder because BREAK_ONLY_BEFORE_DATE is true and yet events are  not broken at dates) then these settings may help.  Put them in $SPLUNK_HOME/etc/system/local/props.conf and restart the indexers. [<<mysourcetype>>] TIME_PREFIX = timestamp" : " TIME_FORMAT = %Y-%m-%d %H:%M:%S LINE_BREAKER = ([\r\n]+)\{"severity TRUNCATE = 10000 MAX_TIMESTAMP_LOOKAHEAD = 128 SHOULD_LINEMERGE = false BREAK_ONLY_BEFORE_DATE = false AUTO_KV_JSON = true   ... View more