Dear All, To create the below table for the Notable dashboard in  ES, can you please advise. Thanks    User1  User1  User2 User2 Splunk Search Pending Closed  Pending Closed  Rule 1         Rule 2         ... View more

Dear All, I have observed License usage for one of the sourcetype is high capmpare to privious days. However events count is low capmpare privious days . How to check this in splunk , how to validate the licence utilization.   I.e. :  Sourcetype: Cisco: asa  12 July'23 - Eventcount:16819087, license usage : 21GB 14 July'23 - Eventcount:15722874, license usage : 42 GB ... View more

Hi Team, I would like to drop/trim .png and .jpg files in the output result. will be appreciated if you could help with regex or any other idea and solution. ... View more

Hello! I'm trying to make a timechart day wise action by unique user for the proxy logs like this one below, but I'm unable add action field as column. Below query i had build . please suggest command to archive this requirement . _time Action/User  Raj Jane Tom 2023-03-11T00:00:00.000+0000 Permitted 1 1 1 2023-03-11T00:00:00.000+0000 Block 0 2 4 Query was build which generate above result without action column   | from datamodel:web | timechart span=1d count(actions) as Actions by user useother=0 limit=10 | addcoltotals ... View more

Dear All, Can you please suggest whether any index creation (though cli) is required to configure/Onboard new API in to Heavy forwarder .   APP Name :Cisco Umbrella Add-On for Splunk   ... View more

Dear Friends , Suddenly all indexers are running with multiple process more then 800 count . How to check if any increase in process recently is due to any changes? And how the  process can be reduced? ( Resources( RAM/CPU) of Server already upgraded ).         ... View more

Hi Spelun Community team, I have Observed High number of events(log) from WinEventLog:Security . Please suggest best practice or solution to reduces /suppresses the events. I have referred  below Document  found that current ADD On i upto date. https://docs.splunk.com/Documentation/WindowsAddOn/8.1.1/User/Configuration     ... View more

Hi Splunk Experts, I have configured custom application on deployment server, however my linux universal forwarder is not appearing for App client config.  And also not appearing in forwarder management clients section  . On Linux Universal Forwarder,  config for the deployment  server and Communication also allowed between UF and DS server. However server is not appearing  Commands : splunk set deploy-poll 10.1.1.30:8086                          splunk restart     ... View more

Can Someone  help to build the query for below. Need to collect configured path list (coldpath/homePath / thawedPath ) by indexes.   ... View more

would like to reduce the Log data size in index by cut field which are not useful for the use case .  Before cut fields  would like check the utilization of  field, whether fields are used in any dashboard or searches by any other users. ... View more

Use case has been prepared with help of Splunk article  https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-determine-when-a-host-stops-sending-logs-to-splunk-expeditiously.html | tstats latest(_time) as latest where index=* earliest=-24h by host | eval recent = if(latest > relative_time(now(),"-5m"),1,0), realLatest = strftime(latest,"%c") | where recent=0 However receiving multiple false positive alerts for the windows servers(index=windows). what will reason behind this ? its slow logs ingestion or in real there is no events for the mentioned index/sourcetype. ... View more

Hi All, Please suggest the query or solution to achieve below requirement. 1. List of searches or query run by user (looking for the report where shows searches as per user) 2. List of Searches/reports which use one particular index. (i.e - Use case: User locked out is using index=windows)  ... View more

Hi Team,  Can some one help me who already enabled below attribute ([config_change_audit] in Version 8.2.4 or 8.2.7 . below caution was mentioned in document. * CAUTION: This setting is experimental and is related to a feature that is still under development. Using the setting might increase resource usage. What is the Experimental feature ? What will risk to the environment a part from resource usage? And if its enabled in environment what will be resource utilizations ?  ================================================================================================================ [config_change_audit] disabled = <boolean> * Whether or not splunkd writes configuration changes to the configuration change log at $SPLUNK_HOME/var/log/splunk/configuration_change.log. * If set to "false", configuration changes are captured in $SPLUNK_HOME/var/log/splunk/configuration_change.log. * If set to "true", configuration changes are not captured in $SPLUNK_HOME/var/log/splunk/configuration_change.log. * Default: true mode = [auto|track-only] * Set to "auto" or "track-only" to get log of .conf file changes under $SPLUNK_HOME/etc/system, $SPLUNK_HOME/etc/apps, $SPLUNK_HOME/etc/users, $SPLUNK_HOME/etc/slave-apps or changes to $SPLUNK_HOME/etc/instance.cfg. * The values "auto" and "track-only" are identical in their effects. Set mode to "auto" to auto-enroll this deployment into all the latest features. * CAUTION: This setting is experimental and is related to a feature that is still under development. Using the setting might increase resource usage. * Default: auto ==========================================================================================================       ... View more