Hello @smanojkumar , Lookups can have millions of results, especially the KVStore lookup. Looks like the SPL that you wrote, whose' results you're trying to output to the lookup is truncating your results. Can be caused either by using the sort command or append, join or even subsearches. Could you share your SPL, masking sensitive information in it, so that we could try to identify the problem. ... View more

Could you please tell us bit more about what else does that search do apart from looking for LoginLimit > 30? Also, once the said duration is over, would you like to see the output in the form of an email or in a dashboard etc? The reason behind asking these questions is to better understand the requirement. If you'd like to see the output of the search after the duration is over in an email, then just scheduling the search with a targeted time range and cron can help you to run it automatically and the results of each iteration can be put into a static lookup. Then another search can be scheduled and configured after the event is over, which will basically pull the results of the lookup and send it to you over email. If the requirement is to do something else, then a solution for that can be designed accordingly. ... View more

Was this set up working before or did it never work/is this a new Splunk set up? Since there's not much information about your set up, I'd recommend checking the usual suspects like the SMTP server's details put in Splunk. If it's localhost, won't work. If it's a proper set of details, I'd recommend checking your firewall logs to see if the connections are getting denied. You can also always check with your SMTP server team to see if the credentials work or not or do they expect you to use SSL/TLS or no security. Maybe the SMTP server might not be available. You should also check the port that you are attempting to connect to is correct or not. ... View more

Splunk docs specify that you cannot monitor Windows event log (*.evt) files with a [monitor://] stanza as they are in binary format. The splunkd service monitors these binary files by using the appropriate APIs to read and index the data within the files. Not really sure if you can monitor the archived logs, but maybe try modifying the following stanza from the docs for the archived logs and see if it helps.  Use the Full Name log property in Event Viewer to specify complex Event Log channel names properly You can use the Full Name Event Log property in Event Viewer to ensure that you specify the correct Event Log channel in an inputs.conf stanza. For example, to monitor the Task Scheduler application log, Microsoft-Windows-TaskScheduler-Operational, do the following steps: Open Event Viewer. Expand Applications and Services Logs > Microsoft > Windows > TaskScheduler. Right-click Operational and select Properties. In the dialog that appears, copy the text in the Full Name field. Append this text into the WinEventLog:// stanza of inputs.conf as in the following example: [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] disabled = 0 More information on the same: https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/MonitorWindowseventlogdata ... View more

Hello, Thank you for correcting me and letting us know the correct behavior. I didn't know the correct fact here. I've updated the answer as well. 🙂 ... View more

Hello, You are correct in identifying its behavior. When you write earliest=-1@d, it gives you the results on the basis of @d, which is every single result from the beginning of the day. -1 as ITWhisperer correctly pointed out accounts for a second and has no visible impact.    ... View more

What does the following search tell you when you run it for the log source under question? The host value should give you the name of the HF. index=<your_index> sourcetype="your_sourcetype" | dedup host | table host   If this doesn't give you the desired result, then try the following (Ignore the name of the indexers in the search and focus on the others. You'll find the name of the HF): index=_internal "sourcetype_name" | dedup host | table host  ++If this helps, please consider accepting as an answer++ ... View more

Why not simplify by creating two serverclasses in the deployment server. 1. Create a serveclass, let's name it Splunk_TA_nix. You can add all the linux servers there to deploy the app Splunk_TA_nix and put the server serverXX in the blacklist so that this app doesn't reaches there. 2. Create another serverclass, let's call it Splunk_TA_nix_serverXX. You can put the other app Splunk_TA_nix_serverXX_inputs and put the server serverXX in its whitelist. 3. Then reload both the serverclasses using the command "$SPLUNK_HOME/bin/splunk reload deploy-server -class <serverclass_name>" and once all linux servers phone home, they will pick your desired apps from the deployment server and give you the result that you need. ++If this helps, please consider accepting as an answer++ ... View more

My bad. Should have read the question and tags thoroughly. Based on my experience with Splunk, if you just pass along the requirement posted by Zscaler to them by filing a support case as the add-on is Splunk supported, they should be able to provide you the format of the packet that they are sending to the Zscaler API. That would be the best and fastest way to approach this problem. ... View more

Splunk enterprise uses cryptographic functions for many operations rigorously, so firing of these events seems to be an expected activity as you have the FIPS mode crypto selftests turned on. Do you have more Splunk servers which are exhibiting this behavior? I'd recommend filing support case with Splunk and providing the diag of the server where Splunk is installed but pretty sure they'll tell you the same thing.  ... View more

The screenshot itself tells you about point number regarding "Search peer SSL config check". For point number 2, you cannot configure MongoDB TLS on SplunkCloud yourself because you won't have the required access to server.conf to do that. You can open a support case with Splunk for further triaging as only they have the backend access. Same goes for DNS validation. Out of a customer' scope due to no backend access. Support case is the only way to go. ++If this helps, please consider accepting as an answer++ ... View more

Create your cron expression using Crontab guru. There are loads of examples already present to help you understand how it works. Or if you can just tell us as to how frequent do you want the input to run, we can help you make a cron expression. https://crontab.guru/ ++If this helps, please consider accepting as an answer++ ... View more

Which add-on are you using to get the data? As far as I can see, all the apps/add-ons for Zscaler on SplunkBase are built by Zscaler themselves and tagged as developer supported, which means that they should be answering the question about the body of the message that was sent to their API.  ... View more

Are you trying to execute the script remotely or on the server where Splunk resides itself? For executing a script on the server where Splunk resides based off the results of a search, you can create your custom alert action or a custom command, which will accept the output of the search, parse through the results and invoke the required PS script. "Run a script" alert action has officially been deprecated. You can still try and use it, but in the future releases of Splunk, it will be removed. May not even function as you expect.   To execute a script remotely, you are again dependent on a custom alert action or a custom command to invoke a script, which can connect with your remote server and run the PS script on it or perform the operations as per your requirements. ++If this helps, please consider accepting as an answer++ ... View more

Under $SPLUNK_HOME/etc/system/local/web.conf, maybe try using a different port which is free and restart Splunkd. [settings] httpport = <new_port>   ... View more

If you are looking at not ingesting the EventCode 6417 in Splunk, you can always blacklist it in inputs.conf.  In terms of doing something in the event viewer or server level, it is out of scope for Splunk. You can always try out of the box ideas like but not limited to looking at creating exclusion filters or develop a powershell script and have it run every 30 minutes to rotate the .evtx files, granted you have stored/ingested them somewhere like Splunk. ++If this helps, please consider accepting as an answer++ ... View more

Since this is a supported add-on, filing a support case with Splunk would be the best option here and submitting a diag to them of the server where this add-on is installed. You can get a detailed RCA from them with a fix. ... View more

In the app configuration under Forwarder Management, have you selected "Restart Splunkd" option? Configurations will come into place once splunkd is restarted on the servers where this app is being deployed. Select the option if you haven't already and reload the server class using the command "$SPLUNK_HOME/bin/splunk reload deploy-server -class <serverclass_name>" (Remove double quotes and replace $SPLUNK_HOME with your environment variable). Once the forwarders phone home to the DS, they will pick this app again and restart Splunkd on the servers. Also, please check if there are any error messages using the following search by substituting the name of the servers that are supposed to send logs. Also, you can confirm if these servers are actually phoning home to your deployment server or not. The last thing to check once its ensured that the servers are phoning home to DS, app is deployed to the server and splunkd has been restarted on them would be to check if the user which was used to install Splunk UFs on the servers has enough privileges to read the logs.    index=_internal host=<host_name> log_level IN ("ERROR", "WARN")    ++IF it helps, please consider accepting as an answer++ ... View more

Well, for the timezone issues, you can always go to settings -> sourcetypes, find your sourcetype, click on edit and under advanced tab put the following. This will get pushed to your indexers and you would be good in that regard.   TZ = <Your preferred timezone>   Mountain time (MST) is 7 hours behind UTC. And you confirmed that the timezone set in your user' preferred timezone in Splunkcloud is also MST. The timestamp that eventually will show up as _time for you will always be MST. So for the log sources coming via servers in UTC, you'll always see _time being 7 hours behind the time you see in the event. That's not going away. If you want to see _time match with the time present in the events coming from servers in UTC, you need to change your preferred timezone to UTC. Splunk respects the time present in the events, so you'll always see the differences for obvious reasons.  What you can also do is create a props.conf and deploy it to all your servers with your preferred TZ. That will be get applied as metadata and when the data eventually reaches the indexers, you'll always see the _time as your preferred timezone. For the events coming from UTC, you'll see them 7 hours ahead in the events, but _time will always be MST. And as always, the last pass to resolve all of this is to either sync all servers with NTP or set them into the same timezones, which obviously may not be feasible but just putting it out there. ... View more