Hi ,   How to convert 2025-03-13T11:03:38Z to the "%d/%m/%Y %I:%M:%S ". I have tried this, but it didn't work. | eval Lastevent=strftime(last_seen, "%d/%m/%Y %I:%M:%S %p") ... View more

Hi All, I'm build below query for Delayed Forwarder for Phone home for 2 hour and Not Sending Data to indexes more than 15 min through append command as single correlation search. However, query is not working with append command where calculating time duration of data sent and last phone connection.  Kindly suggest if any change in query can fix the calculation. index=_internal host=index1 source=*metrics.log* component=Metrics group=tcpin_connections kb>1 | eval os=os+" "+arch | eval ip=sourceIp | eval type="Datasent" | stats max(_time) as _time values(hostname) as hostname values(fwdType) as fwdType values(version) as version values(os) as os by sourceIp | append [ search index=_internal source="/opt/splunk/var/log/splunk/splunkd_access.log" "/services/broker/phonehome/connection" |rex field=uri "_(?<fwd_name>[^_]+)_(?<fwd_id>[-0-9A-Z]+)$" | eval type="Deployment" | dedup fwd_name | stats max(_time) as lastPhoneHomeTime values(fwd_name) as hostname values(useragent) as fwdType values(version) as version values(type) as types by clientip | convert ctime(lastPhoneHomeTime) | table clientip lastPhoneHomeTime hostname fwdType version] | stats dc(type) as num_types values(type) as types values(hostname) as hostname values(fwdType) as fwdType values(version) as version values(os) as os max(_time) as most_recent_data values(lastPhoneHomeTime) as most_recent_settings by ip | eval data_minutes_ago=round((now()-most_recent_data)/60, 1), settings_minutes_ago=round((now()-most_recent_settings)/60, 1) | search settings_minutes_ago>120 OR data_minutes_ago>15 | convert ctime(most_recent_data) ctime(most_recent_settings) | sort types data_minutes_ago settings_minutes_ago | stats max(_time) as lastPhoneHomeTime values(fwd_name) as hostname values(useragent) as fwdType values(version) as version values(type) as types by clientip | convert ctime(lastPhoneHomeTime) | table clientip lastPhoneHomeTime hostname fwdType version] | stats dc(type) as num_types values(type) as types values(hostname) as hostname values(fwdType) as fwdType values(version) as version values(os) as os max(_time) as most_recent_data values(lastPhoneHomeTime) as most_recent_settings by ip | eval data_minutes_ago=round((now()-most_recent_data)/60, 1), settings_minutes_ago=round((now()-most_recent_settings)/60, 1) | search settings_minutes_ago>120 OR data_minutes_ago>15 | convert ctime(most_recent_data) ctime(most_recent_settings) | sort types data_minutes_ago settings_minutes_ago     ... View more

Dear  All , Some Dynamic Sources in my environment are ingesting more data into Splunk and License limit get breach. So Is there any way to detect this source as outliner through MLTK . i.e. Cisco ASA Source type  has multiple sources(firewall) which ingest around 10 GB data on daily basis  suddenly one day  license usage reach to 20 GB. how to identify which source sent more data into Splunk without creating manual threshold or average of data. ... View more

In Current Splunk deployment  we have 2 HFs, One used for DB connect another one used for the HEC connector and other. And the requirement is if One HF goes done other HF can handle all the functions.   so  is there High Availability option available for Heavy forwarder OR for DB connect APP ? ... View more

Is it possible to get each day first login event( EventCode=4634)  as "logon" and Last event of   (EventCode=4634) as Logoff and calculate total duration . index=win sourcetype="wineventlog" EventCode=4624 OR EventCode=4634 NOT | eval action=case((EventCode=4624), "LOGON", (EventCode=4634), "LOGOFF", true(), "ERROR") | bin _time span=1d | stats count by _time action user ... View more

Dear All, I would like to introduced the DR Site along with active log ingestion (SH cluster + Indexers cluster ). is there any formula for calculator to estimate the bandwidth  to Forward the data from Site1 to Site2. ... View more

In Distributed Clustered Deployment with SHC - Multisite (M4 / M14) model, is there any additional license required ? Is there any downtime require while connection Site A with Site N with Multisite (M4 / M14)  model ?   ... View more

Dear All, Is there any delay option in Splunk multisite M4/M14? Requirement:  Site A is Active site and Site N passive site. Data ingestion from Active site should be in real time and data from site N would be Ingest at 1 AM every day.  Is there any option in mu ... View more

Dear All, Please suggest how to create separate incident review dashboard for different team. OR How the notable will separated base on Teams.  i.e. Windows Team - Windows Team can only check windows related notable  Unix Team -Linux Team can only check Unix related notable  SOC Team - Soc Team can check all the notable  ... View more

Splunk Python readiness app Not being push from deployer to the SH cluster . The deployer server is running as MC, LM, Indexer master node, deployment server.  Tried to push the APP with merge_to_default push mode on deployer. Any suggestion for the troubleshoot this issue.  ... View more

Field is not extracted properly for Windows event log  where Ip address mark as "Client IP" Try to extract Field below Regexs but no luck, in _internal logs Regexs was applied to the prorp.conf Successfully. Please Suggest if anyone face this issue. Regex 1 (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) Regex 2 [^+]Client\s+IP\:\s+(?<ip>\d+.\d+.\d+.\d+)\s+ ... View more

Easiest way to exclude ingestion of events for a specific IP address from a SourceType at UF level OR Syslog-NG   ... View more

Hi All, Can you please guide and suggest, How to onboard the MACOS 13 logs into Splunk. Logs related to Web browser history and and network connection logs from MACOS 13 Systems. ... View more