Hello colleagues, I would like to know I have events where there is a unixTime field. B ut the _time field does not show correctly how can I write in props.conf so that the _time field takes time from the unixTime field ... View more

Hello colleagues. we recently switched from Splunk HF to UF. before this event with sourcetype = MSWindows:2012:IIS. parsed normal but after installation, something went wrong. and events in the spanner do not take all the fields from the logs ... View more

Hello dear colleagues, has anyone encountered this error, I checked search.log for inconsistent metadata. Help me decide. I have a request in SH, when I drive it I get this error ... View more

how parsing xml data ?     <v8e:Event> <v8e:Level>Information</v8e:Level> <v8e:Date>2022-01-26T16:20:24</v8e:Date> <v8e:ApplicationName>Job</v8e:ApplicationName> <v8e:ApplicationPresentation>Фоновое</v8e:ApplicationPresentation> <v8e:Event>Finish</v8e:Event> <v8e:EventPresentation>Сеанс</v8e:EventPresentation> <v8e:User>Jong Wik</v8e:User> <v8e:UserName>Корот</v8e:UserName> <v8e:Computer>srv-2-srv</v8e:Computer> <v8e:Metadata/> <v8e:MetadataPresentation/> <v8e:Comment/> <v8e:Data xsi:nil="true"/> <v8e:DataPresentation/> <v8e:TransactionStatus>NotApplicable</v8e:TransactionStatus> <v8e:TransactionID/> <v8e:Connection>0</v8e:Connection> <v8e:Session>5146</v8e:Session> <v8e:ServerName/> <v8e:Port>0</v8e:Port> <v8e:SyncPort>0</v8e:SyncPort> </v8e:Event> ... View more

ERROR TailReader - File will not be read , is too small to match seekptr checksum ( file=c:\logs\ MailBoxAudit \ mailboxaudit _23_12_2021_13_48.csv ) . Last time we saw this initcrc , filename was different. You may wish to use larger initCrcLen for this sourcetype , or a CRC salt on this source.     inputs.conf   /opt/splunk/etc/deployment-apps/TA-Exchange-Mailbox/local/ inputs.conf  [monitor://c:\logs\MailBoxAudit] whitelist=\.csv$|\.CSV$ sourcetype=csv index= indexname disabled=false crcSalt = <SOURCE> initCrcLength=8192 after making a change to the file inputs.conf. i ran the command /opt/splunk/bin/splunk reload deploy-server -class heavy_forwarders for the changes to be accepted the file comes to the index, but it does not start up some   what could be the problem ?         ... View more

I have an alert. which runs every minute "cron" and the setting is set to "time range last 4 minutes" but for some reason my alert works 30 minutes ago and in this interval look for 4 minutes    create at 4:46:04 PM  search 4:16:00 pm to 4:20:00 pm      Time is correct on SH servers.   ... View more

hello my friends.  how using regex can delete everything in bold   {"test": "  {   \n \"data\": \"check\",\n \"git_branch\": \"master\",\n \"git_repo_name\": \"reponame\",\n \"id\": 234,\n \"timestamp\": 16378522342,\n } "}   output  { \"data\": \"check\", \"git_branch\": \"master\", \"git_repo_name\": \"reponame\", \"id\": 3413, \"timestamp\": 16378522342 } ... View more

Hello my friends.    I have a report that uses the "ldapsearch" command. He works every day    The problem is that the report can be executed. and the next day the report is in the "running" status.  And it works through. somewhere right away somewhere it keeps ... View more