Hi, I have installed Splunk UF in E drive on windows server and able to monitor all the logs present in E drive. I have request to monitor Network drive logs present on the same windows server and the user has full access to network drive. I have placed monitoring stanza under splunk_home/etc/system/local/inputs.conf( E drive) mentioning the path of the logs present in network drive . But i do not see any logs related to Network drive in Splunk. Is there way to monitor network drive logs when UF is present in E drive on windows server?   ... View more

Hi, I have installed UF in one of the drive ( E drive) on a windows server. I want to fetch logs from another drive (Netwrok drive) .This drive is present on the same server itself and the server has access to this drive.  I have placed montirong stanza in splunk_home/etc/system/local in E drive mentioning the path of the logs present in Network drive. But i am not seeing any logs in Splunk getting indexed. So can you suggest how can i fetch logs from another drive when Splunk UF is installed in E drive. P.s i cannot change Splunk UF location from E drive because of compliance.   Thanks ... View more

Hi, I want to write a case condition where i can check values from Range column. For instance If range for both cost & product is low the a new column should show value as low If range for both Cost & Product = severe then New Column should show severe If range for Cost=severe & Product=low OR if Cost=low & Product =severe Then New column = elevated Please suggest ... View more

Hi, I am trying to use this Splunk Add-on for Microsoft Cloud Services on Splunk Enterprise platform. I have followed all the steps mentioned in the splunk doc Configure a Storage Account in Microsoft Cloud Services - Splunk Documentation But Data is not getting indexed in Splunk unless i select the highlighted one in below pic in the Azure storage account  Due to company policy i cannot set it to "Enabled from all networks". I have tried raising microsoft support request but didnt get the solution. I am able to fetch the data from the storage account directly into Virtual Machine using azcopy command but using add on i am not able to index/fetch the data into splunk. Any help on troubleshooting this issue will be of great help ... View more

Hi, In place of count I want to show the server name, And change color based on condition if count is >250. I referred many links and docs but could not achieve what I wanted  index = webss sourcetype = webphesst earliest= -1d latest=now | where HTTP=500 | stats count by host | eval color=if(count>=250, "#dc4e41", "#65a637"), icon=if(count>=250, "times-circle", "check-circle") ... View more

I need to index only the lines which has .pl in the source file into splunk(highlighted below data). Regex expression is working as expected(tested in rex tool) . Now i am using below props and transform.conf to index the only required data captured in regex expression but my data is not getting index or it indexes completed log file. Please assit where am i going wrong props.conf [phone_access] TRANSFORMS-set= phone_access_extraction transforms.conf [phone_access_extraction] REGEX = ^(\d{1,2}\.\d\.\d\.\d - - \[\w+\/\w+\/\w+:\d+:\d+:\d+ -\d+\] .\w+ \/\w+.+\.pl.+) DEST_KEY = queue FORMAT = indexQueue Log file: 11.7.1.0 - - [27/Nov/2022:00:00:00 -0600] "GET /cgi-bin/phonedata.pl?pq=a1%3oGHK9416&names=a1%7Ca2&&attrs=a1a2&delim=%09 HTTP/1.1" 302 - 11.7.1.0 - - [27/Nov/2022:00:00:04 -0600] "-" 408 - 11.7.1.0 - - [27/Nov/2022:00:00:21 -0600] "-" 408 - 11.7.1.0 - - [27/Nov/2022:00:00:22 -0600] "GET / HTTP/1.1" 20 14497 11.7.1.0 - - [27/Nov/2022:00:00:23 -0600] "GET /mobile.html HTTP/1.1" 200 1001 11.7.1.0 - - [27/Nov/2022:00:00:24 -0600] "GET /PhoneOrgiChart/ HTTP/1.1" 302 - 11.7.1.0 - - [27/Nov/2022:00:01:15 -0600] "GET /cgibiWn/xml.pl?vk236e HTTP/1.1" 20 11.7.1.0 - - [27/Nov/2022:00:01:15 -0600] "GET /cgi-bFin/xml.pl?hv163t HTTP/1.1" 20 ... View more