@dinesh001kumar  Natively, Splunk Cloud Studio dashboards do not support playing audio alerts. As a workaround you can consider alert actions such as emails, webhooks, or integrations with external systems/scripts to play audio. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Sweets000  Did you remove ES Apps(/etc/apps/) from the CM(deployer in your case) after your deployment to shcluster apps folder, looks like your CM is running all the ES Apps searches(from /etc/apps/) which is causing skipped searches on CM. Remove ES from the CM’s Splunk instance: Stop Splunk on the CM. Remove the ES app directory from $SPLUNK_HOME/etc/apps/ on the CM. Start Splunk on the CM. Verify ES is only on SHC members: Ensure the ES app and its configurations are only present on the SHC members, deployed via the deployer ($SPLUNK_HOME/etc/shcluster/apps/). Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@bakeery  Are you using sysmon add-on? #https://splunkbase.splunk.com/app/5709 Also refer below #https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-the-Sysmon-Technology-Add-on-Parsing-my-Sysmon-Logs/m-p/370757   Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!   ... View more

@Emre  You can use Splunk’s Field Extractions (props/transforms) or rex in your SPL to extract fields at search time For Eg: | rex field=_raw "Module:(?<Module>[^\n]+)" | rex field=_raw "Microflow:\s*(?<Microflow>[^\n]+)" | rex field=_raw "latesteror_message:(?<latesteror_message>[^\n]+)" | rex field=_raw "http status:\s*(?<http_status>\d+)" | rex field=_raw "Http reasonphrase\s*(?<Http_reasonphrase>[^\n]+)" But best practice is to structure the data at source itself. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@sverdhan  Try below with clients, | tstats count WHERE index=* by index sourcetype | rex field=index max_match=0 "(?<clients>\w+)(?<sensitivity>_private|_public)" | lookup appserverdomainmapping.csv clients OUTPUT NewIndex, Domain, Sourcetype | eval NewIndex=NewIndex.sensitivity | table clients, sensitivity, Domain, Sourcetype, NewIndex If you do not need to add clients, and to just display lookup fields you can use appendcols | tstats count WHERE index=* by index sourcetype | rex field=index max_match=0 "(?<clients>\w+)(?<sensitivity>_private|_public)" | appendcols [| inputlookup appserverdomainmapping.csv | fields Domain, Sourcetype, NewIndex] | eval NewIndex=NewIndex.sensitivity | table clients, sensitivity, Domain, Sourcetype, NewIndex Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@sgarcia  Blank h (host) values in license usage logs are due to Splunk's "squashing" process. This occurs to optimize log storage and performance when there are too many unique values to track individually If possible, analyze your actual event data Eg: index=wineventlog | stats sum(len(_raw)) as bytes by host | eval GB=round(bytes/1024/1024/1024, 2) | sort -GB Also check Licensing usage reports and to split by host for last 60 days if available or try from metrics.log to identify which ones have high thruput. index="_internal" source="*metrics.log" group="per_host_thruput" Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Anders333  Is it possible for you to configure the app to use standard log rotation (e.g., rename and create a new file when full, or truncate/append)? If you continue current log rotation, Splunk may miss or duplicate events, and reliable ingestion cannot be guaranteed. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@chrisboy68  If you want the latest cost for each ID per month, try this, index=main | bin _time span=1mon | stats latest(Cost) as Cost latest(bill_date) as bill_date latest(_time) as _time by ID _time | table bill_date ID Cost _time Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@new  You can start with  _internal index, For eg: index=_internal sourcetype=*addon* OR source=*ta_* OR source=*addon* Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@jrodriguezap  Can you try this, | eval pair=mvzip('Instance name', 'Search execution time', "||") | mvexpand pair | eval "Instance name"=mvindex(split(pair,"||"),0), "Search execution time"=mvindex(split(pair,"||"),1) | fields "Domain Name" "Instance name" "Last Phone home" "Search execution time" Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Andre_  Another option you can consider is to change the destination path for the Windows Event Logs in Event Viewer and configure Splunk to monitor this new location. This approach allows you to start collecting only new events, effectively avoiding the indexing of historical data. Additionally, by using the standard Splunk input settings (without current_only = 1), you ensure that no events are missed during restarts, as Splunk will continue to track and ingest all new events from the updated log file. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

With current_only = 1 On first start, the UF reads only new events that arrive after the input is enabled.It skips all historical events present in the log at the time the input is first started. If the UF is stopped and restarted, it will pick up where it left off (using checkpoints), so normally it will ingest events that occurred while it was down. #https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.4/get-windows-data/monitor-windows-event-log-data-with-splunk-enterprise Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@sawwinnaung  Try below, props.conf [linux_audit] TRANSFORMS-set = discard_proctitle [source::/var/log/audit/audit.log] TRANSFORMS-set = discard_proctitle transforms.conf [discard_proctitle] REGEX = type=PROCTITLE DEST_KEY = queue FORMAT = nullQueue Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@Andre_  You are correct. Unlike file-based inputs, Windows Event Log inputs in Splunk Universal Forwarder (UF) do not provide a built-in option in inputs.conf to exclude events based on their age at collection time. This means you cannot natively configure the UF to only ingest Windows events newer than 7 days during onboarding. But, If you want to ingest only new Windows Event Log events (and skip all historical data), set current_only = 1 in your inputs.conf. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@dinesh001kumar  1-Due to security restriction, normally you can't upload or reference custom js files directly in the cloud. You can raise a support request to include simple xml js extensions for review and to upload it for you. 2-You can use the <html> panel in Simple XML dashboards for custom HTML, but it is limited. Normally you cannot use inline JavaScript, and some HTML elements may be restricted. Alternative - Unfortunately use the built-in features of Dashboard Studio or Simple XML extensions. For specific needs, reach out to Splunk Cloud Support to request a review and upload of vetted JS/CSS files. Audio Support-Dashboard Studio does not natively support embedding or playing audio files. As a workaround, you could set up external alerting (e.g., send a webhook/email to a system that plays audio) Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@Trevorator  I dont think there is any Splunk setting to enable automatic retry or continuation for .tsidx file operations. The only way to ensure all data is accelerated and .tsidx files are preserved is to maintain a healthy infrastructure and address any resource limitations. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@Raghavsri  Whats the version of splunk you are running? Also to start with, check few options. Review logs: Look for errors, warnings, or abnormal behavior in splunkd.log Check destination health: Ensure that SyslogNG and the second indexer cluster are healthy and accepting data efficiently Also If HF2 is not able to forward data fast enough (due to network, destination, or performance issues), the queue fills up, consuming memory Memory upgrade: Increasing memory on HF2 may help if the issue is due to legitimate high data volume and not a leak or misconfiguration. However, if the problem is a memory leak/bandwidth issue, increasing memory will only delay the inevitable crash Load Balancing: Consider load balancing across multiple HFs if possible, to distribute the data load Monitor memory usage: Set up alerts for high memory usage to detect issues early. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@SN1  If you must move indexed data from the indexer to the Search Head, you can copy the data files,  Stop Splunk on both the indexer and the Search Head. Copy the index data directories from the indexer to the Search Head: Example: Copy $SPLUNK_HOME/var/lib/splunk/<index_name> from the indexer to the same path on the Search Head. Ensure file ownership,permissions,storage size,os and splunk versions are correct on the Search Head. Also make sure you have configuration for the indexes.conf for the indexes you have. Start Splunk on the Search Head. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@SN1  To clarify your scenario, You want Search Head to query the indexer for data as needed or having data on the Search Head for  testing/some reason without using the indexer? ... View more

@a1bg503461  The error highlights that, opt_ca_certs_path is not defined in your configuration Are you using SSL/TLS with Elasticsearch? If yes Make sure you mention your .crt path in your config Eg: opt_ca_certs_path = /path/to/your/ca.crt If you are not using SSL/TLS, then try below in your config use_ssl = 0 # opt_ca_certs_path = Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@cdevoe57  As mentioned by @bowesmana  Its not best to use join, as it can sometimes cause fields from lookup to be lost. but anyway can you try below if you still want to use join, | inputlookup system_info.csv | eval System_Name=System | join type=left System_Name [ | search index=servers sourcetype=logs | stats latest(_time) as Time by System_Name | eval mytime=strftime(Time,"%Y-%m-%dT%H:%M:%S") | eval now_time = now() | eval last_seen_ago_in_seconds = now_time - Time ] | stats values(*) as * by System_Name | lookup system_info.csv System_Name OUTPUT Location Responsible | eval MISSING = if(isnull(last_seen_ago_in_seconds) OR last_seen_ago_in_seconds>7200,"MISSING","GOOD") | where MISSING=="MISSING" | table System_Name Location Responsible MISSING or you can also try and check below, without join. index=servers sourcetype=logs | stats latest(_time) as Time by System_Name | eval last_seen_ago_in_seconds = now() - Time | eval MISSING = if(isnull(last_seen_ago_in_seconds) OR last_seen_ago_in_seconds>7200, "MISSING", "GOOD") | where MISSING=="MISSING" | lookup system_info.csv System_Name OUTPUT Location Responsible | table System_Name Location Responsible MISSING last_seen_ago_in_seconds | sort -last_seen_ago_in_seconds Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@caschmid  \d+ matches only digits, not any word. If "This is my" is always constant, you can try below rex field=_raw "This is my (?<string>\w+)" | stats count by string Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more