Here are the setting that you can enable on the log.conf to get more detail logging.  $splunk_install_dir$/etc/log.conf category.X509=DEBUG category.UiAuth=DEBUG Post the error message here or call support.  ... View more

Yes.  src is on the by clause, how do you display on the graph above the report & then table of the search results on the bottom for save report? Or Am I not asking the question correctly? ... View more

Here is the SPL index=$masked$_oracle src!=$masked$* dest=$masked$* ACTION_NAME IN ("*CREATE*","*ALTER*","*DROP*","*EXECUTE*") AND SQL_TEXT IN ("*CREATE TABLE*","*DROP TABLE*","*ALTER TABLE*","*TRUNCATE TABLE*","*CREATE FUNCTION*","*ALTER FUNCTION*","*DROP FUNCTION*","*CREATE PACKAGE BODY*","*ALTER PACKAGE BODY*","*DROP PACKAGE BODY*","*CREATE PACKAGE*","*ALTER PACKAGE*","*DROP PACKAGE*") | stats values(user) as user values(ACTION_NAME) as dbSQLCommand, values(CLIENT_PROGRAM_NAME) as dbdlient dc(CLIENT_PROGRAM_NAME) as App_Making_chage_count dc(ACTION_NAME) as distinctSQLCommandsPerformed earliest(_time) as mostRecentTime by src, dest, SQL_TEXT | convert ctime(mostRecentTime) | sort - mostRecentTime  Here is the .conf action.keyindicator.invert = 0 action.makestreams.param.verbose = 0 action.nbtstat.param.verbose = 0 action.notable.param.verbose = 0 action.nslookup.param.verbose = 0 action.ping.param.verbose = 0 action.risk.forceCsvResults = 1 action.risk.param.verbose = 0 action.send2uba.param.verbose = 0 action.threat_add.param.verbose = 0 action.webhook.enable_allowlist = 0 alert.track = 0 auto_summarize = 1 auto_summarize.dispatch.earliest_time = -3mon@d cron_schedule = 0 1 * * 1 description = ```SRB Update: adjusted ACTION_NAME & SQL_TEXT Search Analyst-JYS : A/U-2024/01/10 : R/A-2024/01/12```\ dispatch.latest_time = now display.general.type = statistics display.page.search.mode = fast display.page.search.tab = statistics enableSched = 1 request.ui_dispatch_view = search search = index=$masked$_oracle src!=$masked$* dest=$masked$* ACTION_NAME IN ("*CREATE*","*ALTER*","*DROP*","*EXECUTE*") AND SQL_TEXT IN ("*CREATE TABLE*","*DROP TABLE*","*ALTER TABLE*","*TRUNCATE TABLE*","*CREATE FUNCTION*","*ALTER FUNCTION*","*DROP FUNCTION*","*CREATE PACKAGE BODY*","*ALTER PACKAGE BODY*","*DROP PACKAGE BODY*","*CREATE PACKAGE*","*ALTER PACKAGE*","*DROP PACKAGE*")\ | stats values(user) as user values(ACTION_NAME) as dbSQLCommand, values(CLIENT_PROGRAM_NAME) as dbdlient dc(CLIENT_PROGRAM_NAME) as App_Making_chage_count dc(ACTION_NAME) as distinctSQLCommandsPerformed earliest(_time) as mostRecentTime by src, dest, SQL_TEXT\ | convert ctime(mostRecentTime) \ | sort - mostRecentTime  I don't see any where the visualization is set.  could you rephase "The x-axis of a chart is usually the first field / column in the result events used for the chart. Check your search query to ensure that the fields are in the correct order."  I don't get it because there is no chart command or setting in the report. ... View more

Monitor Windows data with PowerShell scripts - Splunk Documentation   Here is the update link to docs. ... View more

where able to find anything or build anything?  ... View more

@Stefanie  We configure everything has documented.  I've gotten the cac prompt, pin prompt.  Login with LDAP password but, no pass thru.  Do I need to enable token authentication or is there something on the LDAP that allow CAC login?  Should I login with CAC without any prompting?  We get prompted by the LDAP put the password in.  When we type the password.  We're login.  ... View more

Is this the answer to fixing the issue? ... View more

how do you validate that the setting is working?  do you use BTOOL? ... View more

index = _internal component=Shutdown | stats earliest(_time) as etime latest(_time) as ltime by host | convert timeformat="%Y/%m/%d %T" ctime(etime) ctime(ltime) The SPL above work on version 9.x ... View more

I started having the issue after upgrade 9.0.3.  Did you ever resolve? ... View more

where able to fix? ... View more

Studio is better, correct?  About spent some time learning but, don't wanted to be waste of time. ... View more

where you able to solve the problem?  Have you tried to generate process chain table use process monitor baseline?  have you tried force directed viz?   ... View more

@mayurr98    Here is my search that I want to put into props & transform. index=nsips_horizon sourcetype="vmware:uag:esmanager" | rex "^(?:[^ \n]* ){3}(?P<UAG_hostname>[a-z]+\d+)\s+(?P<app_name>[^:]+)[^:\n]*:\s+\[(?P<thread_id>\S+?)\](?P<log_level>[^ ]+)\s+(?P<file_name>[^\[]+)\[(?P<function_name>[^:]+):\s+(?P<line_num>[^\]]+)[^\[\n]*\[(?P<client_IP>[^\]]+|.?)\]\[(?P<username>.+|.?)\]\[(?P<session_type>.+|.?)\]\[(?P<session_id>[^\]]+)[^\]\n]*\]\s+\-\s+(?P<message>.+)" here is sample log: Sep 9 05:36:55 UAG Name UAG-ESMANAGER: [Curator-QueueBuilder-0]INFO utils.SyslogManager[start: 355][][][][] - Edge Service Manager : started Sep 9 05:36:54 UAG Name UAG-ESMANAGER: [Curator-QueueBuilder-0]INFO utils.SyslogManager[stop: 1071][][][][] - Edge Service Manager : stopped based on what I read the props.conf  [vmware:uag:esmanager] REPORT-esmanager = esmanager Transform.conf [esmanager] REGEX = ^(?:[^ \n]* ){3}(?P<UAG_hostname>[a-z]+\d+)\s+(?P<app_name>[^:]+)[^:\n]*:\s+\[(?P<thread_id>\S+?)\](?P<log_level>[^ ]+)\s+(?P<file_name>[^\[]+)\[(?P<function_name>[^:]+):\s+(?P<line_num>[^\]]+)[^\[\n]*\[(?P<client_IP>[^\]]+|.?)\]\[(?P<username>.+|.?)\]\[(?P<session_type>.+|.?)\]\[(?P<session_id>[^\]]+)[^\]\n]*\]\s+\-\s+(?P<message>.+) FORMAT = $1::$2 Right?  What's $1::$2 doing?   ... View more

Did you fix the issue?  Would like to know what you did other than the blog posted? ... View more

@yuanliu Thanks for quick response.  It make more sense now.  The challenge now is the extract the array value on Tags{Name}.Key bring up the count of the values but, not nested values within the Name Field that has the value We want   index=aws sourcetype="aws:metadata" InstanceId=i-* | spath Tags{}.Value output=Hostname | mvexpand Hostname | fieldsummary | search field = Hostname   Return the results on the screen shot.  Notice that the count of value and field values mixed.  that's the part I don't get and trying to understand.  Hostname only returns the count. "Field name in SPL uses dot (".") to segment data paths in JSON, and curly brackets ({}) to represent a JSON array. "  So, should the path Tags.Key.Name{} return the values for Name array not the count of the values   | spath Tags.Key.Name{} output=Name    Yes.  I am having problem understanding the path logic based on the results.  The question is how do retrieve the values in 3 depth array into muti-value?   index=aws sourcetype="aws:metadata" InstanceId=i-* | spath path="Tags{}.Value" output=Name | mvexpand Name | search Name = I-* | stats count by Name   This get the results in Value but, my understanding of it still rough.  I need extract more tag.values{} in tag.values as fields with value instead of the values to re-do a savesearch that rely tag.$field_name$  Now it's broken out into Value being the field value where key is the field name.  I think, I need to group them.  Right? ... View more

which version of the add-on are you running and Splunk version?  It's not there for AWS 6.x add-on with Splunk 9.x ... View more

regex101: build, test, and debug regex Please take a look at this link.  I suggestion use regex101 before put them into splunk. ... View more