I was told it was possible.  ... View more

Volston, Can you use this link:  https://education.splunk.com/Saba/Web_spf/NA10P2PRD105/app/me/learningeventdetail;spf-url=common%2Fledetail%2Fcours000000000016580%3FfromAutoSuggest%3Dtrue I can see the class. If not, there must be a requirement attached to the class.  I am certified with ES and took the test too.  ... View more

Solved: Install Universal forwarder from Splunk Deployment... - Splunk Community   Here is something that might help. ... View more

Yes.  It's beta.  I took at .conf 24.  I don't have the results yet. ... View more

I don't see the attachment.  Have you looked at the index = _internal for log_level IN (WARN, ERROR) ... View more

Wow!  I've encountered the same.  Thanks for posting. ... View more

So, there is two ways to do this CAC authentication.   SAML or LDAP trusted methods.  Before, I thought PKI was just one option but, SAML open up another option. I hope this helps:  Configure single sign-on with SAML - Splunk Documentation ... View more

Here are the latest props.conf setting at 9.2.1 on the universal forwarder:  (json file parsing works g8 with this option) EVENT_BREAKER_ENABLE = <boolean> EVENT_BREAKER = <regular expression> LB_CHUNK_BREAKER = <regular expression> force_local_processing = <boolean>  * new * Forces a universal forwarder to process all data tagged with this sourcetype locally before forwarding it to the indexers. * Data with this sourcetype is processed by the linebreaker, aggerator, and the regexreplacement processors in addition to the existing utf8 processor. * Note that switching this property potentially increases the cpu and memory consumption of the forwarder. * Applicable only on a universal forwarder. * Default: false ... View more

Additional idea on this thought is based on baseline of probing network.  You can use this information to assign a risk base alert.  Just a thought...  ... View more

Solved: Re: Splunk Education - Splunk Community ... View more

Have you tried Udemy? ... View more

The version doesn't matter for the certification.  You need to able to answer the core concept questions.  Ex:  I study with 7.1 but certified with 9.1 ... View more

Do you have access to the Udemy via company you're working for?    If not, you buy the class I purchased to get my certification in Udemy.  I found it very helpful.  It was rank the highest.   In addition, you can request additional 30 days from education.  But that will be last one.  Hope that was helpful. ... View more

how long was gap between two periods?  If it's more than 30 days, that's your problem.  You have to email education to reset the clock.  They will only do it once. ... View more

It appears the problem still around.  I am upgrading to 7.3.1 and still getting the error.  I had to use the CLI option to upgrade.  ... View more

The value that are return is without quotes.  Hope that helps.  ... View more

I would open a ticket with Splunk Support.  That should be working correctly unless someone did something with the permissions Or validate that you have access to the data overview that creates the dashboard.  What version of ES are you using? ... View more

you have to search and index the json by branch and nodes.  If you need the SPL, let me know. ... View more

Are you ES Admin or Admin?  ... View more

Are you registered with a company email address or gmail.com email address? ... View more

Here are the setting that you can enable on the log.conf to get more detail logging.  $splunk_install_dir$/etc/log.conf category.X509=DEBUG category.UiAuth=DEBUG Post the error message here or call support.  ... View more