Hi Team, We have P1 Splunk alerts generated based on event ID: 12320 triggered from the following servers: scwdxxxxx0009 scwdxxxxx0008 scwpxxxxx0002 scwpxxxxx0001 Recently, we identified that we have a 24-hour suppression time for the alert, which led to a critical incident. To address this issue, the user has requested a reduction in the suppression time for the alert. The goal is to eliminate suppression unless the previous triggered alert is still open. If there are no open P1 tickets for event ID: 12320, there should not be any suppression of the generation of new tickets. Current Alert Configuration We have one alert in Splunk, and we are using the following query: Splunk query: index=winevent sourcetype="WinEvent:*" ((host="scwpxxxxx0001*" OR host="scwdxxxxx0008*" OR host="scwdxxxxx0009*" OR host="scwpxxxxx0002*") AND (EventCode=12320)) | eval assignment_group = "ABC IT - Computing Services" | eval host=lower(mvindex(split(host,"."),0)) | eval correlation_id=strftime(_time,"%Y-%m-%d %H:%M:%S").":".host | eval short_description=case((host="scwpxxxxx0001" OR host="scwdxxxxx0008"),"Microsoft AAD Proxy Connector - Prod not able to connect due to network issues.",(host="scwdxxxxx0009" OR host="scwpxxxxx0002"),"Microsoft AAD Proxy Connector - Dev not able to connect due to network issues.", 1=1, 0 ) | eval category="Application", subcategory="Repair/Fix", contact_type="Event", state=4, ci=host, customer="no573", impact=1, urgency=1, description="Event Code ".EventCode." encountered on host ".host." at ".strftime(_time,"%m/%d/%Y %H:%M:%S %Z")." SourceName:".SourceName." Log Name: ".LogName." TaskCategory:".TaskCategory." Message=".Message." Ticket generated on SNOW at ".strftime(now(),"%m/%d/%Y %H:%M:%S %Z") | table host, short_description, assignment_group, impact, urgency, category, subcategory, description, ci, correlation_id Alert Type Scheduled Schedule Run on cron schedule: */30 * * * * (every 30 minutes) Time Range Last 4 hours Expiration 24 hours Throttle Enabled Suppress results containing field value: host, EventCode Suppress triggering for: 24 hours Trigger Actions ServiceNow Incident Integration How we can suppress the alert as per the requirement. Please help us here. Thank you. ... View more

Hi Team, We are using below query   [| inputlookup ABCD_Lookup_Blacklist.csv | outputlookup ABCD_Lookup_Blacklist_backup.csv append=false | sendemail to="nandan@cumpass.com" sendresults=false sendcsv=true sendpdf=false inline=true subject="ABCD_Lookup_Blacklist_backup.csv" | rename target as host | eval lookup_name="ABCD_Lookup_Blacklist.csv"]   Now we are getting attachment of CSV file name is unknown.csv So,  we want Attachment of CSV file name with appropriate lookup_name.   Please help with us Thank you, NANDAN   ... View more

Hi All, We have index=gems, in the index we have configured gems servers and wms servers and also created one alert. The alert name is CBSIT Alert GEMS NFS stale. So, we want create an alert for wms servers with the same alert . So, here for us a single alert should contain gems alert name when gems server alert trigger and WMS alert name when WMS server alert trigger. In the index=gems having gems servers 7 and wms servers 7 Ex : Gems server name sclpisgpgemspapp001 WMS server name silpdb5300.ssdc.albert.com We are using below SQL query for CBSIT Alert GEMS NFS stale Alert name : CBSIT Alert GEMS NFS stale   index = "gems" source = "/tmp/unresponsive" sourcetype=cmi:gems_unresponsive | table host _raw| eval timestamp=strftime(now(),"%Y-%m-%d %H:%M:%S") | eval correlation_id=timestamp.":".host | eval assignment_group = "CBS IT - Application Hosting - Unix",impact=3, category="Application",subcategory="Repair/Fix" , contact_type="Event", customer="no573", state=4, urgency=3 , ci=host | eval description = _raw , short_description = "NFS stale on ".host   Can you please help us here.   ... View more

Hi Team, We have DB alerts for server sitpdb0033 are assigning to windows support team first , it needs to be assign to SQL team, How to change the assignment group from windows support team to SQL team. The index=mssql there are 30+ host's are configured. We want only change the group for this server sitpdb0033 we have using this SPL query: index=mssql sourcetype="mssql:database" OR sourcetype="mssql:databases" state_desc!="ONLINE" | eval assignment_group = case(like(source,"%mssql_mfg%"),"Winows_Support - Operations",1=1, "Sql_Production Support") Can you please help on this requirement. Thank you Nandan ... View more

Log ingesting intermittently We could not find the path referenced . We have Univerasal forwarder is Windows server and Heavy forwarder is *nix server. How to get the diag files with debug enable of the UF and the HF? Can you please provide the detailed explanation with commands ... View more

Hi Team, We have 800+ servers contains windows & Linux servers. How to get the data from Splunk with these details O/S version, Allocated Storage (GB), Utilized Storage (GB), Uptime %, CPU Utilization Peak %, CPU Utilization Avg %,  with the help of SPL query . Can you please help us on this requirement. Thanks, Raghunadha. ... View more

Recently configured a new input that has successfully ingesting logs but appears to be working intermittently. There is large gaps in logs that we have confirmed are present and being created regularly from the source server. Example : Logs are captured 8th December and 16 December only. So, here 9th December to 15nth December logs are not captured We have created custom app on our deployment server and push that app across all the deployment slaves. The data flow is coming from source-->Universal forwarder-->Heavy forwarder--> Splunk cloud we have created Inputs.conf  [monitor://F:\Polarion\data\logs\main\*.log.*] sourcetype = catalina index = ito_app disabled = false ignoreOlderThan = 7d initCrcLength = 10000 Please help on the issue Thank you ... View more

I am trying to run a Linux bash script on the deployment server to pull down the deployment clients. I have the Splunk command correct, but get an authentication error when this is run under cron or even from the command line. There are multiple postings on this command, but none of them talk about requiring authentication. How do we work around the account password issue? Splunk 8.2.3 command: Splunk reload deploy-server -class I tried the -auth parameter that is shown on other command options, but this one does not seem to like this option. command: splunk reload deploy-server -class results: Your session is invalid. Please login. Splunk username: admin Password: An authentication error occurred: Client is not authenticated Any guidance would be appreciated. ... View more

Generate a alert when the Status field change from faliures to success..So we want the first success responsecode after failure ... View more