https://community.splunk.com/t5/Splunk-Enterprise/Migration-of-Splunk-to-different-server-same-platform-Linux-but/m-p/538062 this links contains those exact steps which are needed including remove old peers from CM! As "splunk offline --enforce-counts" is not enough. ... View more

Worked perfectly.  Thank you for posting. ... View more

Is your lookup's ip field using CIDR notation? Did you set up CIDR(ip) in lookup definition? Is there any overlapping CIDR's (ip) that 10.10.10.10 can match in your lookup? About 3, for example, if your lookup is like this: ip Description 10.10.10.10/27 New 10.10.10.0/24 In Progress 10.10.8.0/16 Closed 10.10.10.10 will match all three. ... View more

Hey so did you find the solution? We stacked with the same issue and seams no one knows how to fix it.  ... View more

Hi @syazwani  please follow below steps to reset password go to  <SPlunk installation directory>/splunk/etc/  under this location file called passwd  rename it to passwd.backup  go to following location  <SPlunk installation directory>/splunk/etc/system/local create new file user-seed.conf  inside user-seed file  add following contents  [user_info] USERNAME = admin PASSWORD = <newpassword> and restart splunk from cmd  <SPlunk installation directory>/splunl/bin/ splunk restart  ---- Regards, Sanjay Reddy ---- If this reply helps you, Karma would be appreciated ... View more

Hi @PickleRick, Noted on this. Yes I am using the Splunk App for Salesforce and it is using the "distance" command. Seems like they dont have a documentation for this app. Btw thankyou for your feedback. ... View more

Hi @Akmal57, I usually avoid to use transaction because it's so slow, the only use case when I use transaction is when i have to use ther startswith and endswith conditions or a duration. This means that this is the only solution I know. Check if my first solution could solve your need becsuse it isn't usual that the failed logins follow a successful login: the normal case is the opposite. Ciao. Giuseppe ... View more

Hi @batabay, thank you for the response. It works! ... View more

Hi, have you found solution for this? Im currently facing the same issue. Need to add more information. ... View more

"Server is busy" does not mean the HEC configuration is missing anything.  It means the server is busy processing other inputs.  See https://community.splunk.com/t5/Getting-Data-In/HttpInputDataHandler-parsing-error-Server-is-busy/m-p/468396 and https://community.splunk.com/t5/Monitoring-Splunk/How-to-fix-error-Server-is-busy-HTTP-Event-Collector/m-p/587904 How did you conclude you need to set the token name?  That should have been done by the GUI. See https://docs.splunk.com/Documentation/Splunk/9.0.2/Admin/Inputsconf#HTTP_Event_Collector_.28HEC.29_-_Local_stanza_for_each_token for documentation on the http stanza.  What information do you need that is not documented? ... View more

Hi @yuanliu , thanks for reply. This solution worked. I try to do  ... View more

The append command gives you two separate sets of results and it's up to the author to put them together.  That's usually done with the stats command. index=sslvpn | iplocation src_ip | search Country != Malaysia | eval Country = if(isnull(Country),"unknown",Country) | table _time, user,src_ip,Country,action | append [search index=sslvpn group_path="ADL" | iplocation accessIP | where Country !="Malaysia" | rename accessIP as src_ip] | stats values(*) as * by src_ip | rename user as "User ID", src_ip as "Source IP" action as "Status" If you want to do the same with using join: index=sslvpn | iplocation src_ip | search Country != Malaysia | eval Country = if(isnull(Country),"unknown",Country) | table _time, user,src_ip,Country,action | join src_ip [search index=sslvpn group_path="ADL" | iplocation accessIP | where Country !="Malaysia" | rename accessIP as src_ip] | rename user as "User ID", src_ip as "Source IP" action as "Status" ... View more

Hello @syazwani , I am also pretty bad at it, but you can try to use this regex below :   "actionResult":"(?<action_result>\w+)   This should capture "success" (or "failure" I suppose) within a group called "action_result" Hope it helps, GaetanVP  ... View more

Hi @syazwani, using my hint are you able to create the field? otherwise, could you describe some sample of the values of the ping_status field? Ciao. Giuseppe ... View more

Thankyou! ... View more

Hi @ITWhisperer, thank you for helping me with this issue. I thought the format of the output would be an issue when sending the alert to the 3rd party app. As you say, the problem was the 3rd party application that were not be able to integrate the Splunk output. Thank you again! ... View more

A typical question when something that's supposed to be calculating OK returns an empty value - is your "Bytes" field (from which you're calculating the bandwidth further down the pipeline) a numeric field? If it is not, summing over it will not produce results and you have to firstly convert it to a number using something like | eval numbytes=tonumber(Bytes)   ... View more

Adding on to what @SanjayReddy was saying on the props.conf configurations, best practice is to include the minimum configurations below. I'm assuming your events starts off with the date format, (Feb 17 10:25:09), so here is an example of the big 6/8 configs depending what Splunk host is sending or ingesting the data; put the props on the HF/IDX for parsing. I think you're sending the logs via syslog since I notice two timestamps and I'm going to use the timestamps inside the double quotes for the event time. props.conf   # Assuming your time prefix is the first set that starts with double quotes TIME_PREFIX = ^[^"]+ MAX_TIMESTAMP_LOOKAHEAD = 20 # Assuming your hours is in 24 hour notation (%T) TIME_FORMAT = %F %T SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2} TRUNCATE = 10000 # Use the following attributes to handle better load balancing from UF. # Please note the EVENT_BREAKER properties are applicable for Splunk Universal # Forwarder instances only. Valid with forwarders > 6.5.0 EVENT_BREAKER_ENABLE = true EVENT_BREAKER = ([\r\n]+)\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}       ... View more

Got it! Ive removed the transaction command and just leave the stats command. It works. Thank you so much for your explanation. Really appreciate it. ... View more

Did you set your file monitoring inputs with proper sourcetypes as per https://docs.splunk.com/Documentation/AddOns/released/JBoss/Sourcetypes ? ... View more