Hi Team, On May 20th, we successfully migrated from Splunk On-Prem to Splunk Cloud. We have a scheduled search that runs every 31 minutes, which was functioning correctly in the on-prem environment. However, after the migration, the same search query is no longer working in the cloud environment. on-prem index=proofpoint earliest=-32m@m latest=-1m@m | transaction x, qid keepevicted=true | search action=* cmd=env_from cmd=env_rcpt | addinfo | fields action country delay dest duration file_hash file_name file_size internal_message_id message_id message_info orig_dest orig_recipient orig_src process process_id protocol recipient recipient_count recipient_status reply response_time retries return_addr size src src_user status_code subject url user vendor_product xdelay xref filter_action filter_score signature signature signature_extra signature_id | fields - _raw | join type=outer internal_message_id [search index=summary sourcetype=proofpoint_stash earliest=-48m | fields internal_message_id | dedup internal_message_id | eval inSummary="T"] | search NOT inSummary="T"| collect index=summary addtime=true source=proofpoint sourcetype=proofpoint_stash Cloud index=proofpoint earliest=-32m@m latest=-1m@m | transaction x, qid keepevicted=true | search action=* cmd=env_from cmd=env_rcpt | addinfo | fields action country delay dest duration file_hash file_name file_size internal_message_id message_id message_info orig_dest orig_recipient orig_src process process_id protocol recipient recipient_count recipient_status reply response_time retries return_addr size src src_user status_code subject url user vendor_product xdelay xref filter_action filter_score signature signature signature_extra signature_id | fields - _raw | join type=outer internal_message_id [search index=summary sourcetype=stash earliest=-48m | fields internal_message_id | dedup internal_message_id | eval inSummary="T"] | search NOT inSummary="T"| collect index=proofpoint_summary addtime=true source=proofpoint sourcetype=stash Thanks ... View more

Hi Team, As checked our Splunk ITSI default schedule backup is taking more than 10 hours to complete, could you please assit us on this. Thanks ... View more

Hi @richgalloway  Good Day!! How to fix the vulnerabilities in Splunk? Please guide me with some example. Thanks ... View more

Hi Team, Hi Splunk Team, could you guide me through the process on how to consolidate Thousand Eyes into Splunk to centralize alerts on the dashboard? Please, Share me the each and every steps to process on how to consolidate TE into Splunk. Thanks ... View more

Hi Team, As we need to monitor memory by process for each windows hosts. As checked we couldn't find any processes for memory and instances value is showing only "0" but we are monitoring CPU by process for hosts, it contains instance field and we could see the processes name for CPU. We verified the inputs.conf stanzas everything is looking good need your help to configure this memory processes in the instances field. Below are query used to populate CPU utilization by process index=perfmon source="Perfmon:Process" counter="% Processor Time" instance!=_total instance!=idle | timechart limit=20 useother=f span=10m max(Value) as cputime by instance So, we need same for memory utilization by process, and the counter = "% Committed Bytes In Use" Thanks ... View more

Hi Splunk team, My question : Can we create two modules to add the devices which are not listed in the entity management. if we can create two modules means is it affect other things in ITSI? Please provide me the steps and guide how to overcome with this issue Thanks ... View more

We could see only 10 hosts in index=os sourcetype=cpu & index=os source=vmstat. We should get all the unix/linux hosts on the mentioned sourcetype & source. We are using this to generate high cpu utilization, High memory utilization incidents. Like till August end we are able to see 100+ host for the mentioned source and sourcetype but after August we are not able to see 100+ host like we could see only 10.15,7  Please help me on this ... View more

Hi, I want to import the entities via csv to entity management in Splunk ITSI, so please help me with this. Thanks ... View more

Hi, I am facing issue with "no recent logs found for the sourcetype =abc:xyz (example) and index=pqr (example) after 25th November Like we are able to see the logs till 25th of Nov So, please guide how to check it would be helpful. Thanks, Pooja ... View more