Hello, we are having repeated issues where forwarders stop sending logs every week or two. Its different systems at different times. These are on Windows hosts. We can go in stop, and restart the service, at which point they will begin working again. Is there anything specific we can do to alleviate this issues. My only plan now is a scheduled task to restart them every few days.  ... View more

I have Splunk in some separate environments. Before i joined the program Splunk was moved from one system to the others probably by cloning the VM. Now these cloned instances have some legacy data in the main index. Is there a way to delete just the legacy data? I would like to completely remove it vs just hiding it from search if possible.  My biggest issue is the forwarders showing missing. I am not to worried about the log entries if i can just remove the missing forwarders.   ... View more

Hello, I am trying to build a search to identify windows user sessions. The main goal was a list/track of users who do not log off of shared systems at the end of the day. There are more use cases I would like to get like identifying concurrent sessions. I think I am close, but I only get open sessions and some weird durations that are not correct. Any suggestions would be appreciated.  index="main" sourcetype=WinEventLog:Security ((EventCode=4624 AND (Logon_Type=2 OR Logon_Type=3 OR Logon_Type=10 OR Logon_Type=11)) OR EventCode=4634 OR EventCode=4647) | eval TargetUserName=coalesce(TargetUserName, Account_Name) | where TargetUserName!="$*" AND TargetUserName!="SYSTEM" AND TargetUserName!="LOCAL SERVICE" AND TargetUserName!="NETWORK SERVICE" | eval EventType = case(EventCode=4624, "Logon", EventCode=4634 OR EventCode=4647, "Logoff") | sort 0 TargetUserName host -_time | streamstats count(eval(EventType="Logoff")) as session_rev by TargetUserName host | stats earliest(eval(if(EventType="Logon", _time, null()))) as firstLogOnEpoch latest(eval(if(EventType="Logoff", _time, null()))) as lastLogOffEpoch min(_time) as SessionStartEpoch max(_time) as SessionEndEpoch count(eval(EventType="Logon")) as LogonCount count(eval(EventType="Logoff")) as LogoffCount by TargetUserName host session_rev | eval SessionDurationSec = SessionEndEpoch - SessionStartEpoch | eval SessionDuration = if(isnull(SessionDurationSec),"N/A", tostring(SessionDurationSec,"duration")) | eval SessionStart = strftime(SessionStartEpoch,"%Y-%m-%d %H:%M:%S") | eval SessionEnd = strftime(SessionEndEpoch,"%Y-%m-%d %H:%M:%S") | eval firstLogOn = if(isnull(firstLogOnEpoch),"", strftime(firstLogOnEpoch,"%Y-%m-%d %H:%M:%S")) | eval lastLogOff = if(isnull(lastLogOffEpoch),"", strftime(lastLogOffEpoch,"%Y-%m-%d %H:%M:%S")) | eval IsOpenSession = if(isnull(lastLogOffEpoch), 1, 0) | eval Notes = case( IsOpenSession=1, "Open session: No logoff found after this logon", firstLogOn==SessionStart, "SessionStart is first event in search window: firstLogOn may precede search window", 1==1, "") | table TargetUserName host firstLogOn lastLogOff SessionStart SessionEnd SessionDuration LogonCount LogoffCount IsOpenSession Notes | sort -SessionStartEpoch ... View more