Hi ITW, Thanks for the reply. The only result I get is one line, and the values in the fields: daily_bytes, week_avg, w_o_w_change, all have the same value. While I do not expect that the weekly average should differ too (low standard deviation) much from a simple mean, I do not think they should be the same value. So, I am trying to understand where the query is wrong.     ... View more

Hi scelikok, Thanks, that is a possible solution but not one feasible right now, partly because as you say it is expensive. I am working on testing the manual download, a conversion to CSV and then upload to ES. I will update this post with my results. ... View more

Does  index=WhatEverIndexTheseLogsAreIn type OR displayId   produce any of the logs you want? ... View more

Have you set-up any eventtypes or tagging? ... View more

Are you asking a question? If so, this is not clear. Did you follow the installation instructions? Did you verify that there are no host or network rules or filtering that block SNMP packets/queries? ... View more

Pete, I guess I don't quite understand what you're trying to do. Are you trying to develop a Splunk app? If so, you should have your own Splunk instance with relevant components to replicate the data. Is this data going back into the same Splunk instance or are you trying to get the Splunk data into some external non-SplunkDB? I guess, I'm also asking for how this is architected and what data is being moved from where to where (including ports and data types, etc)?  Also per Splunkbase: What can DB Connect do? Database import - Splunk DB Connect allows you to import tables, rows, and columns from a database directly into Splunk Enterprise, which indexes the data. You can then analyze and visualize that relational data from within Splunk Enterprise just as you would the rest of your Splunk Enterprise data. Database export - DB Connect also enables you to output data from Splunk Enterprise back to your relational database. You map the Splunk Enterprise fields to the database tables you want to write to. Database lookups - DB Connect also performs database lookups, which let you reference fields in an external database that match fields in your event data. Using these matches, you can add more meaningful information and searchable fields to enrich your event data. Database access - DB Connect also allows you to directly use SQL in your Splunk searches and dashboards. Using these commands, you can make useful mashups of structured data with machine data.   ... View more

Perhaps an irrelevant question, but did you engage your local infrastructure or security team; or whomever is managing Splunk?   If your org does not have a proper process for making these sorts of adjustments because you only have access to a UF, there may be larger challenges to tackle. Every Splunk deployment is different, so providing more specific advice is harder when you cannot spell out all of the cans and cant dos, since at least some of the possible solutions mean that you have proper administrative access to all of your relevant Splunk components, of which a HF is very much an important piece. That aside, you should be working with your Splunk admins to get the right configurations in place. ... View more

@StephenD1  Start a new thread, this is a better practice than trying to resurrect a post that has already been answered. You can then reference this previous response. ... View more

@Dabbsy to add a proviso to Rich's response, make sure that you are coordinating with the system owner or backend admin or support team, to make sure that if they need those credentials that you are getting the right approvals and documenting things. ... View more

The local admin account is not just an account with an admin role, it is the built-in local admin account that was created when you installed Splunk. See (for example): Install on Windows - Splunk Documentation ... View more

Can you provide feedback on Rich's suggestion: Use the dbinspect command to examine your buckets.  Make sure the oldest ones don't have an earliest_time that is newer than the frozenTimePeriodInSecs setting.  Buckets will not age out until *all* of the events in the bucket are old enough. ... View more

A few questions: Do you have a TA for the logs you are ingesting and are they set-up on all the needed Splunk components, check your DOCs? Looking at the _internal logs, do you see that Splunk has ingested them? Can you do a search for a string that exists in your logs across all you indexes and find any responsive logs, in the time you verified that the data was ingested?   Also, for syslog data in general it is simpler and more durable to forward data to a syslog server and have a UF monitor relevant files and then you set-up monitoring stanzas per host/data source. [monitor://var/log...whatever] whitelist = regex blacklist = regex host_segment = as needed crcSalt = <SOURCE> {as needed} sourcetype = syslog {or whatever you want} index = yourIndex   Consult also: How the Splunk platform handles syslog data over the UDP network protocol - Splunk Documentation ... View more

These might be useful: https://community.splunk.com/t5/All-Apps-and-Add-ons/parsing-log-text-to-get-a-specific-info/m-p/484283 https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-properly-parse-logs-that-contain-one/m-p/200151 Also see if an app helps, the extractions and such like are useful to inspect and use as needed:  https://splunkbase.splunk.com/app/3186#/overview (from https://community.splunk.com/t5/Getting-Data-In/How-to-parse-Apache-access-logs-in-Splunk/m-p/266983) ... View more

Hi, Did you consult this page?  https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Downloadthreatfeed   ... View more

Hello refahiati, Have you verified with a manual inspection of the conf files on the weblogic server that the desired changes were made? If so, restart the agent on the weblogic server again. Othrewise, revalidate that you deployed the configs correctly. Inspecting the splukd.log in var/log folder is also useful for gathering more details about what might be going wrong.   ... View more

This may also be useful, you can let the already logged files remain and just refine the inputs conf to exclude the logs you don't want monitored and ingested. https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-inputs-conf/td-p/598999 In addition to PickleRick's DOC suggestion:  https://docs.splunk.com/Documentation/Splunk/latest/Admin/InputsConf#MONITOR:     ... View more

Just some quick points: --fields are specific to the index they are apart of, they may not exist across indexes (though this is less problematic if your data is properly normalized.) --have you done the queries to interrogate the data, as it exists, in your environment and identified which indexes and fields you want exist as needed (cf. PickleRick's comment about use case)? Some other, hopefully relevant, thoughts (and which, from my experience, are sometimes useful in providing food for thought and context--especially for greener admins like me.) To add to the other relevant responses, and more generally in working with Splunk, and this does depend on whether you are a user or an admin (and even here this may mean different things depending on your organization) and trying to craft queries about data in your environment, it matters how you are configuring the ingestion (including, depending, the related architecture, like if there is a syslog server, or some TA needed), setting up the indexes, configuring what counts as a source (a hint that there is a ton of customizability to Splunk), setting a schema for hostnames , either auto-extracted during ingestion or otherwise configured in a CONF or using a look-up. Because there is a fairly large degree of customizability and arbitrariness in configurations (which may simply more reflect your environment (and its architecture), what your business wants/needs, etc.), what is being ingested, how it is labeled (are you specifying this, setting a schema, or just letting a TA or Splunk figure it out), whether there are standards for anything (internal to your organization or company policy etc.), it can sometimes be hard to give specific advice outside of you spelling out all of the particulars. In your case, some better sense of what is indexed, tagged and what fields are available, per index, since the fields exist inside of the index, per source, rather than necessarily being standard (which is helped by following CIM normalization best practices), will help you enormously in taking care of tasks like this. The larger idea here is to be kind to your future self and to others who have to interact and admin your Splunk environment, follow best practices that make these tasks easier. REFs: https://docs.splunk.com/Documentation/CIM/5.3.2/User/UsetheCIMtonormalizedataatsearchtime https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Getstartedwithgettingdatain https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/Data/Aboutindexedfieldextraction https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-use-splunk-to-create-a-CMDB-like-table-of-asset-info/m-p/657338 https://splunkbase.splunk.com/     ... View more

Hi haleyh44, You might consult the following: https://docs.splunk.com/Documentation/Splunk/9.3.0/Deploy/Distributedoverview https://docs.splunk.com/Documentation/SVA/current/Architectures/About?301=/pdfs/technical-briefs/splunk-validated-architectures.pdf   ... View more

You may find something helpful here:  Solved: Pie chart max value - Splunk Community ... View more

...does a visualization for pie chart render when you click on the visualizations tab? ... View more

Please make sure you're accepting a resolution as an answer. ... View more