Is the | history command supposed to include details of scheduled searches as well? It's not clearly mentioned in the documentation, so I'm asking for clarification. ... View more

I think your whitelist setting should be correctly formatted; try using whitelist = 4624,4625 to ensure proper filtering and, confirm whether renderXml=false is appropriate, as XML-based logs may require renderXml=true for accurate extraction. Next, check if Windows is generating these events by running this command in PowerShell. Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4624 -or $_.Id -eq 4625 } | Select-Object -First 10  If no events appear, ensure that Windows auditing policies are correctly configured by navigating to gpedit.msc → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff → Audit Logon, and verifying that success and failure logging is enabled. You can also confirm this by running auditpol /get /subcategory:"Logon" in PowerShell. If you see errors like - It could indicate a misconfiguration in inputs.conf ERROR ExecProcessor - message from "WinEventLog" The parameter is incorrect. And, perform a Splunk search to confirm if any relevant events have been indexed by running : index=* sourcetype=Security:AD_Sec_entmon EventCode=4624 OR EventCode=4625. If no results appear, try searching with index=* EventCode=4624 OR EventCode=4625 OR check index metadata with | metadata type=sourcetypes index=wineventlog. If data is still missing, it’s worth testing with the default Splunk sourcetype by modifying inputs.conf to use sourcetype=WinEventLog:Security instead. [WinEventLog://Security] index = wineventlog sourcetype=WinEventLog:Security disabled = 0 start_from = oldest current_only = 1 evt_resolve_ad_obj = 1 checkpointInterval = 300 whitelist = 4624,4625 After making any configuration changes, restart the Splunk Universal Forwarder using splunk restart or Restart-Service SplunkForwarder on Windows.  ... View more

Don't know If I am correct but - As your business day starts at 5 PM (D) and ends at 5 PM (D+1), you need to adjust _time accordingly and you should extract the latest execution time for Job1, Job2, and Job3 within this custom day window. Based on the current time, determine whether a job is PLANNED or EXECUTED. | makeresults count=1 | eval now=relative_time(now(), "@d+17h") # Adjusting the custom day window (5 PM as the start of the day) | append [search index=your_index sourcetype=your_sourcetype earliest=-1d@d+17h latest=@d+17h | eval job_status=if(_time <= now, strftime(_time, "Executed at %H:%M"), "PLANNED") | stats latest(_time) as job_time latest(job_status) as job_status by job_name ] | eval job_status=if(isnull(job_status), "PLANNED", job_status) | table job_name job_status   If _time is stored in epoch format, no need to convert it. Adjust the @d+17h if your business day has different start hours. Note: Please use the above query using your own index and sourcetype name.   ... View more

To offer a more precise answer to this question for anyone referencing it in the future. First, download the Splunk package to your local system. Next, open the command prompt, PowerShell, or any terminal you prefer. Use the 'cd' command to navigate to the directory where the Splunk package is located. After reaching the correct directory, execute the following command: cd .\Downloads\ For Linux and macOS: sha256sum splunk*.tgz   For Windows (PowerShell): Get-FileHash -Algorithm SHA256 splunk*.tgz   ... View more