1. Good point. I should have been clearer in that I was hoping someone else had gone through this and could in general describe what they had done.   3.  Noted.   4.  Noted. 5. Noted.   Appreciate the feedback. ... View more

Very interesting 👍👍👍 Thanks a lot 👏👏 ... View more

It's a tricky case. As far as I remember, the IIS logs are ingested with INDEXED_EXTRACTIONS enabled. That means that events are processed at the initial UF, the fields are extracted as indexed fields and the data is sent to output(s) as already parsed. That means that it is not processed by most of the ingestion pipeline in subsequent components. That in turn means that the events won't trigger the transforms at all. So it's not that you're misconfiguring something. There are two was of dealing with that. 1) Reconfigure the input receiving the data from the UF to send data to parsing queue again. But this is a highly unusual configuration, confusing in long time maintenance and I would strongly advise against it. 2) Instead of transforms use ruleset. This will get fired even on already parsed data. One caveat about indexed fields though. Since you get indexed fields, manipulating raw event won't remove already extracted fields. If you wanted to get rid of them you'd have to explicitly "unset" them. Luckily in your case I see you only want to drop selected events to nullQueue. That should be perfectly doable. ... View more

With timestamp assignment set to CURRENT the TZ setting doesn't matter since the timestamp is getting assigned based on the receving component's OS time. ... View more

I recommend using the SA-cim_vladiator (https://splunkbase.splunk.com/app/2968) app to confirm your data is CIM-compliant.  Add EVAL and FIELDALIAS settings to props.conf to create CIM-compliant fields as needed.  ... View more

How does "Splunk block one of your microservices"? What do you mean by that? ... View more

Hi @zapping575, The optimization consensus is (almost) always a base search with predicates, i.e., do this: index=foo bar=baz not this: index=foo | where bar=="baz" Event types and tags are shortcuts for the former. Pay close attention to the search job inspector. The ratio of returned results to scanned results should be, generally speaking, as close to 1:1 as possible. Writing creative SPL is fun or else we would not be here, but I will echo @PickleRick: If you find yourself modifying event types frequently, reevaluate your knowledge management practices. It may be time to pivot and adjust your source type, field extraction, event type, tag, and (hopefully) data model funnel. But if you need to be creative, be creative! Is it easier to maintain one lookup instead of a global set of eventtypes.conf and tags.conf overrides in a lexicographically "last" app, e.g., zzz_global_types? The answer is arguable, but the primary benefit of the lookup is a restart-free update. If you manage both lookup and configuration file deployment outside Splunk, however, the operational difference may be minimal. In either case, you will need to rebuild data model summaries if you use them, and the impact to searches is semantically the same. The impact to search performance is significantly worse with the combination of the lookup and where commands. ... View more

Hi @gaezeta, Check https://community.splunk.com/t5/Splunk-Enterprise/Need-download-link-for-Legacy-Splunk-Universal-Forwarder/m-p/748925/highlight/true#M22512. ... View more

What would be the additional certificates in that case if I can add to avoid the issue? And where usually we can add those before starting installation? ... View more

Normally I'd say that the searches are run in different contexts (app, maybe user) so they might have access to different sets of KOs. But I don't understand the part about "adding fields to the search" which makes it work. ... View more

It really depends on the use case and data. Unfortunately eventstats can be a memory-hungry command, especially on a high-volume data set so if there is another way, it would be better do find it.  ... View more

OK. If list inputstatus shows no wineventlog inputs at all that means that you didn't enable the input correctly. Check splunk btool inputs list --debug on the forwarder ... View more

OK. Now we're getting somewhere 😉 Poet 9997 is for data forwarding. Forwarders register in Deployment Server on 8089. Also you need to configure the client to use a DS - with Windows UF, if you installed it interactively, you had a dialog during installation letting you specify the DS address. If you pointed it to your Splunk Server, enabled the DS functionality on your Splunk server and opened the 8089 port, the forwarder should register itself with the DS. So that's the reason why you're not seeing your UF as deployment client. If you provided target indexer address during UF installation, you should be (if everything works OK) seeing forwarders internal log in the _internal index. ... View more

Additional to other instructions, here is Splunk's best practice documentation for upgrade https://lantern.splunk.com/Manage_Performance_and_Health/Upgrading_the_Splunk_platform ... View more

This is a question to Salesfroce expert, not for Splunk community. The docs list what functionalities are used for data collection but you need someone with knowledge of the business side of the thing (pricing, packages and so on) to translate it to a specific service offering. https://splunk.github.io/splunk-add-on-for-salesforce/Setupv1/ ... View more

Well, since it's TLS and you can't just eavesdrop on the wire, unless there is a way to raise logging level for add-on builder (I'm not sure about that) the way to go to see what's actually being sent would be to set up a MITM proxy server. ... View more

First let me allow a little rant - there is no such thing as "AI", there are only large statistical models trained on large corpora (which makes them seem to be "better" than ones we had 20+ years ago). But that aside - your question is relatively vague. What do you mean by "implement AI"? You can use Splunk's Machine Learning Toolkit (I think it was recently renamed to AI Toolkit). It includes a lot of statistical tools which you can use to analyze your data.  ... View more

Adding to what has already been said - I would not recommend doing OS maintenance without a Splunk admin assist (or at least available on call). It is not OS administrator's area of competence to verify whether Splunk has shut down correctly, started correctly, is working correctly and so on. What if something happens when your environment is in maintenance mode? Will your OS admins be able to handle it properly? I wouldn't expect them to because it's not their job. ... View more

I would expect it to be the other way around. Splunk can optimize out some extractions so that not all are run if not all are needed. So if the fields extracted by a particular extraction are known and were not requested Splunk might not run the extraction during search at all. ... View more

I hope you’re all doing well. I am currently working on a project involving exporting large volumes of data from Splunk to Elasticsearch / OpenSearch, and I would like to tap into your expertise and assistance on this matter. Project background: We’re using Splunk as our repository and analytical tool for security and operational data. Due to the license size constraints in Splunk, there’s a need to export this data to Elasticsearch, where scalability and storage capabilities are better. The goal is to export the data with the exact same field names as used in Splunk without changing or losing any field names so that we can continue our queries and analysis using the same structure we have in Splunk. If you like, I can send you a shorter version or a version tailored for a specific forum or audience. ... View more

It's not that I'm bothered by what you did as such. It's just that I don't think that promoting unsupported actions is healthy. And I think that if someone finds this thread they should have the full picture. So while I fully sympathize and understand why you did what you did, the reader deserves a full explanation (and the title of this thread is misleading because the upgrade from 8.2 to 9.1 did _not_ cause any problems on its own). You were trying to salvage a situation you put yourself into. What you shouid have done after upgrade from 9.1 to 9.4 was to either resolve the problem with kvstore (which I admit could have been problematic and non obvious) or - if you weren't able to fix the kvstore - restore from backup. "Downgrading" was the worst thing you could have done because there are things which change between releases (otherwise there would be no need for upgrade) which will not work with earlier releases. At this point you "only" ended up with not working DS gui but you might have ended up with broken indexes, or kvstore if it was an upgrade introducing changes to internal data format. So while in your particular situation this worked, it is not a general solution to the problem of broken upgrade and it should not be promoted as such. Especially if others have encountered similar problems after properly performed upgrade. Your "solution" which is only a walkaround for a problem you created yourself, is not helping others. I'm glad that it worked for you. It might be an interesting piece of information but with the proper context. 1. Your problem was not caused by the upgrade from 8 to 9.1 (as the topic says) 2. Your problem was caused (or at least related to) by an unsupported downgrade. That's it. Again - I'm glad it worked for you but it's not something that should be marked as solution to "broken DS gui after upgrade from 8.2 to 9.1". I hope I'm more clear this time. ... View more

OK. In order to produce a notable several things must happen. 1. The search must produce results. Have you verified if the search - when run interactively - yields results? 2. The search must be properly dispatched by the scheduler, run to its completion and produce results. Have you verified if the search was dispatched and if/how many results it returned? (you can do this in the normal reports/alerts part of GUI) 3. If the search had been run and produced results which matched the alerting criteria it should have created the entry in the notable index. If I remember correctly this should also be processed by ES internal mechanics and produce entry in kvstore but I don't recall the details here. So there are still quite a few things to debug. ... View more

https://help.splunk.com/en/splunk-enterprise/manage-knowledge-objects/knowledge-management-manual/9.4/get-started-with-knowledge-objects/the-sequence-of-search-time-operations#ariaid-title2 KV_MODE-based extractions take place _after_ REPORT and EXTRACT so you can't rely on fields extracted with automatic json parsing in your transform. You might try to rewrite your extraction as a calculated field using text functions but that might be tricky. ... View more

Also be aware that the spec files are distributed with your Splunk installation (they are in $SPLUNK_HOME/etc/system/README/) ... View more