I don't see the attachment.  Have you looked at the index = _internal for log_level IN (WARN, ERROR) ... View more

Wow!  I've encountered the same.  Thanks for posting. ... View more

Where you able to resolve? ... View more

Here are the latest props.conf setting at 9.2.1 on the universal forwarder:  (json file parsing works g8 with this option) EVENT_BREAKER_ENABLE = <boolean> EVENT_BREAKER = <regular expression> LB_CHUNK_BREAKER = <regular expression> force_local_processing = <boolean>  * new * Forces a universal forwarder to process all data tagged with this sourcetype locally before forwarding it to the indexers. * Data with this sourcetype is processed by the linebreaker, aggerator, and the regexreplacement processors in addition to the existing utf8 processor. * Note that switching this property potentially increases the cpu and memory consumption of the forwarder. * Applicable only on a universal forwarder. * Default: false ... View more

Additional idea on this thought is based on baseline of probing network.  You can use this information to assign a risk base alert.  Just a thought...  ... View more

Solved: Re: Splunk Education - Splunk Community ... View more

Have you tried Udemy? ... View more

The version doesn't matter for the certification.  You need to able to answer the core concept questions.  Ex:  I study with 7.1 but certified with 9.1 ... View more

Do you have access to the Udemy via company you're working for?    If not, you buy the class I purchased to get my certification in Udemy.  I found it very helpful.  It was rank the highest.   In addition, you can request additional 30 days from education.  But that will be last one.  Hope that was helpful. ... View more

how long was gap between two periods?  If it's more than 30 days, that's your problem.  You have to email education to reset the clock.  They will only do it once. ... View more

It appears the problem still around.  I am upgrading to 7.3.1 and still getting the error.  I had to use the CLI option to upgrade.  ... View more

The value that are return is without quotes.  Hope that helps.  ... View more

I would open a ticket with Splunk Support.  That should be working correctly unless someone did something with the permissions Or validate that you have access to the data overview that creates the dashboard.  What version of ES are you using? ... View more

you have to search and index the json by branch and nodes.  If you need the SPL, let me know. ... View more

Are you ES Admin or Admin?  ... View more

Are you registered with a company email address or gmail.com email address? ... View more

Here are the setting that you can enable on the log.conf to get more detail logging.  $splunk_install_dir$/etc/log.conf category.X509=DEBUG category.UiAuth=DEBUG Post the error message here or call support.  ... View more

Yes.  src is on the by clause, how do you display on the graph above the report & then table of the search results on the bottom for save report? Or Am I not asking the question correctly? ... View more

Here is the SPL index=$masked$_oracle src!=$masked$* dest=$masked$* ACTION_NAME IN ("*CREATE*","*ALTER*","*DROP*","*EXECUTE*") AND SQL_TEXT IN ("*CREATE TABLE*","*DROP TABLE*","*ALTER TABLE*","*TRUNCATE TABLE*","*CREATE FUNCTION*","*ALTER FUNCTION*","*DROP FUNCTION*","*CREATE PACKAGE BODY*","*ALTER PACKAGE BODY*","*DROP PACKAGE BODY*","*CREATE PACKAGE*","*ALTER PACKAGE*","*DROP PACKAGE*") | stats values(user) as user values(ACTION_NAME) as dbSQLCommand, values(CLIENT_PROGRAM_NAME) as dbdlient dc(CLIENT_PROGRAM_NAME) as App_Making_chage_count dc(ACTION_NAME) as distinctSQLCommandsPerformed earliest(_time) as mostRecentTime by src, dest, SQL_TEXT | convert ctime(mostRecentTime) | sort - mostRecentTime  Here is the .conf action.keyindicator.invert = 0 action.makestreams.param.verbose = 0 action.nbtstat.param.verbose = 0 action.notable.param.verbose = 0 action.nslookup.param.verbose = 0 action.ping.param.verbose = 0 action.risk.forceCsvResults = 1 action.risk.param.verbose = 0 action.send2uba.param.verbose = 0 action.threat_add.param.verbose = 0 action.webhook.enable_allowlist = 0 alert.track = 0 auto_summarize = 1 auto_summarize.dispatch.earliest_time = -3mon@d cron_schedule = 0 1 * * 1 description = ```SRB Update: adjusted ACTION_NAME & SQL_TEXT Search Analyst-JYS : A/U-2024/01/10 : R/A-2024/01/12```\ dispatch.latest_time = now display.general.type = statistics display.page.search.mode = fast display.page.search.tab = statistics enableSched = 1 request.ui_dispatch_view = search search = index=$masked$_oracle src!=$masked$* dest=$masked$* ACTION_NAME IN ("*CREATE*","*ALTER*","*DROP*","*EXECUTE*") AND SQL_TEXT IN ("*CREATE TABLE*","*DROP TABLE*","*ALTER TABLE*","*TRUNCATE TABLE*","*CREATE FUNCTION*","*ALTER FUNCTION*","*DROP FUNCTION*","*CREATE PACKAGE BODY*","*ALTER PACKAGE BODY*","*DROP PACKAGE BODY*","*CREATE PACKAGE*","*ALTER PACKAGE*","*DROP PACKAGE*")\ | stats values(user) as user values(ACTION_NAME) as dbSQLCommand, values(CLIENT_PROGRAM_NAME) as dbdlient dc(CLIENT_PROGRAM_NAME) as App_Making_chage_count dc(ACTION_NAME) as distinctSQLCommandsPerformed earliest(_time) as mostRecentTime by src, dest, SQL_TEXT\ | convert ctime(mostRecentTime) \ | sort - mostRecentTime  I don't see any where the visualization is set.  could you rephase "The x-axis of a chart is usually the first field / column in the result events used for the chart. Check your search query to ensure that the fields are in the correct order."  I don't get it because there is no chart command or setting in the report. ... View more

Monitor Windows data with PowerShell scripts - Splunk Documentation   Here is the update link to docs. ... View more