Hello, What do you mean by entitlement? Is it something that we can configure in Splunk web UI? Thanks ... View more

Why do you need to increase the lines shown? There are various limits in Splunk, e.g. if you just run a simple search index=* it will show you 10,000 results max, but if you run index=* | stats count it will tell you how many result you have, which can be > 10000   ... View more

ThreatConnect just requires two indexes to be created. If you reference the indexes.conf file in the user guide (under installation) you would see the indexes 'tc_app_logs' and 'tc_event_data'. Create those indexes and see if that resolves the issue. ... View more

So licensing in Splunk is a little odd. Basically, you need to remove your trial license, then upload your purchased license. Primarily it is due to license violations as a total sum, instead of ignoring violations once the new license is added. Talk with your Splunk rep as well if the issue is not resolved. Just remember to remove that trial license. ... View more

Any app in the /etc/apps directory would not be affected from the forwarder management side of things. The issue is more than likely that you are setting your configs in the $splunk_home/etc/apps/appname/default/.. directory. When you create a base config/app, your configs need to live in the /appname/local/*.conf directory. This lets Splunk know that these are custom configs and should not be changed. Additionally, make sure that you dont have any affecting stanzas matching your inputs files. Check with btool if there are any inputs taking precedence before your config: splunk btool inputs list <stanza> --debug ... View more

Hi @hoaxm3  I put the restart after the installation, it is not a problem of firewall because before the use of the deployment server it worked correctly ... View more

Thanks @hoaxm3 it worked out, Now I am able to Suppression = src,uri_path,status with three field and getting result as expected. ... View more

Thanks for the guidelines here- I played around with a very basic join command and this resulted in the following: (index=fortfw) level=warning host="XXXXXXXX" category="Malicious Websites" | rename src as ip | join ip [search index="dhcp"] | stats count by hostname, ip This seemed to do the trick and I now get my stats that include the hostname..... ... View more

Thanks. ... View more

Appears to be only available for versions < 8.1:   - https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Viz/ExportHTML   ... View more

If you have access to the rest query searches, you can run against the alert title and the runduration. Or look at the _audit index (Provides the same information) - https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rest  - https://community.splunk.com/t5/Splunk-Search/How-to-create-a-scheduled-job-time-to-find-the-run-time-of-each/m-p/454236  | rest /services/search/jobs | search title="Alert Name" | eval alert = if(runDuration>=300, "TRIGGER", "Normal") | search alert=TRIGGER ... View more

Thanks. They didn't generate any other Event Codes so I figured as such. ... View more

Maybe instead of doing a trending search for no data, look into the metadata command to go by hosts, sourcetype, or source.  Then make your alert based off of the hour last seen.  | metadata type=sourcetypes index=google | sort recentTime desc | convert ctime(recentTime) as Recent_Time | eval hours_since = round((now() - recentTime) / 3600,2)   ... View more

Maybe check this answer out: https://community.splunk.com/t5/Splunk-Search/Can-one-search-trigger-another/m-p/250116 ... View more