Hello! I have an environment with about 200 machines, all Windows Servers. All servers are sending TCP information through port 9997 directly to my Heavy Forwarder, all information is allocated in the "Windows" index    What happens is that about 1-2x a day, the logs sent by Universal Forwarders stop from all machines leaving the Windows index blank. All other data that do not arrive through TCP 9997 are normal, such as some scripts that bring other types of information and save in other indexes. The problem is only solved when Splunk is restarted in Heavy Forwarder Trying to diagnose the problem, the only thing I could find is this message on all servers with Universal Forwarder installed 02-16-2022 15:20:51.293 -0400 WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 82200 seconds Has anyone gone through something similar, or can help me try to identify what is happening? Remembering that the Log in Heavy Forwader, doesn't bring me anything relevant Thanks in advance! ... View more

Hello Team! I have a problem I need to solve, but I couldn't find a way to do it. I have some servers that have Universal Forwarder installed and Windows services are being monitored through it. What happens is that sometimes some of these services are unavailable and there is a need to restart this service, I would like to know if, somehow, as soon as Splunk identifies that one of these services is out, run a script on the local server that restarts that service That is, I need to know if there is any way to run a script that is in the universal forwarder through Splunk Server Thanks in advance! ... View more

Hi Team How are u? I have a little question I have a index with same informations,      index="epo" source="endpoint"     In this search will return a column with "JustificationText", Which contains a ticket number   And with this number I need to search in another index to get some information   Today i'm doing this way:       index="epo" source="endpoint"​ | rex field="JustificationText" "(?<number>REQ\d{7}|<number>INC\d{7}|<number>TRE\d{7}|<number>CHG\d{7})" | eval TicketNumber = number | dedup ViolationLocalTime IncindetId | join type=left [search index=servicenow sourcetype="snow:service_task" dv_number = TicketNumber] | table Status ViolationLocalTime IncidentId UserName Name JustificationText TotalContentSize RulesToDisplay contact_type dv_u_requested_by dv_location     All the data from the first serach is coming ok but when I do a second search with the variable "TicketNumber" nothing returns to me. If i for example, put a ticket in      | join type=left [search index=servicenow sourcetype="snow:service_task" dv_number = "REQ0000197"]     Data are brought, but the same for all events My question is how can I do this second search using a variable? Thanks in advance!  ... View more