Hi @sandeep_A1997  Pls check the bucket status - indexer clustering > Indexes > Bucket Status Pls update us if you have any bucket issues...    Some docs links: https://help.splunk.com/en/splunk-enterprise/administer/manage-indexers-and-indexer-clusters/9.4/troubleshoot-indexers-and-clusters-of-indexers/bucket-replication-issues https://splunk.my.site.com/customer/s/article/SF-and-RF-is-not-met-on-Cluster-Manager   ... View more

Hi @Andre_  1) after props.conf 's update/creation, did you restart the splunkd on the indexer? 2) if yes for above, then pls use the btool command to check if the props.conf got applied or not(you can search for splunk btool options here in communities).   if any reply helps you in any way, a karma point / upvote would be helpful for the author, thanks.  ... View more

Hi @Andre_  Pls check the MAX_DAYS_AGO option on the props.conf https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Propsconf   MAX_DAYS_AGO = <integer> * The maximum number of days in the past, from the current date as provided by the input layer (For example forwarder current time, or modtime for files), that an extracted date can be valid. * Splunk software still indexes events with dates older than 'MAX_DAYS_AGO' with the timestamp of the last acceptable event. * If no such acceptable event exists, new events with timestamps older than 'MAX_DAYS_AGO' uses the current timestamp. * For example, if MAX_DAYS_AGO = 10, Splunk software applies the timestamp of the last acceptable event to events with extracted timestamps older than 10 days in the past. If no acceptable event exists, Splunk software applies the current timestamp. * If your data is older than 2000 days, increase this setting. * Highest legal value: 10951 (30 years). * Default: 2000 (5.48 years).   ... View more

Hi @SR .. may i know if you get results for the first search.. if no, pls understand that Application= may be service= or something else(depends on your logs).  if your search fails, then pls check the search below: do you get results for index="Nex" Application="Pe***g.Ne**s.Platform.Host" OR the better do this search index="Nex" "Pe***g.Ne**s.Platform.Host" maybe pls send me a direct msg here in my profile, i can try to help you further. thanks.   ... View more

Hi @sivaranjiniG Pls update us if you are able to check your certificate.. if still any issues, we can help you out.  if the issue resolved, could you pls do the accept as solution, thanks.  ... View more

Maybe one idea to Splunk Dev team...  if a user uploading an excel file, the Splunk can create a warning msg saying that,... "the excel file is a proprietary filetype used on Windows OS,  pls consider converting the file to a csv file and then upload it to the Splunk, thanks". ... View more

Hi @arunkuriakose  >>> i am trying to visualise this in such a way that i have a live dashboard which shows me which users are passing through which gate  "visualizing" this thru a "live dashboard".... i understand this requirement but it may be difficult to implement.  maybe, reconsider like this: 1. have a basic dashboard with two panels 2. one panel, simple in design, for the gate1, this panel will show you which emp_id crosses this gate1 at what time time   emp_id 9am    1234 9:05am 2383 3. and have another panel for gate2 in the same design logic.  4. auto-refresh this dashboard for every, say 30 sec (increase or decrease this depending on ur requirement) 5. you can have more panels, like missing person (emp_id who entered thru gate1 but not existed thru gate2, etc)   Pls add karma / upvote to any post which helped you in any way, thanks.  ... View more

Hi @BRFZ  (As others have not mentioned it yet) maybe pls have a look at this doc,.. it got pretty good details: https://docs.splunk.com/Documentation/Splunk/9.4.0/Security/WhatyoucansecurewithSplunk   ... View more

Hi @arunkuriakose  Good day to you. may I ask you to provide more details pls.  1) what kinds of data you have ingested into Splunk so far 2) what details about the employees are already available inside the Splunk? 3) is it the employee id card login and logout details are already available inside the Splunk? ... View more

Hi @PolarBear01 i am not sure how to help on this, but thought to ask you: 1) did you enter only one site or multiple sites? 2) as shown on that error text, may i know, if had a chance to check the python.log for more details ... View more

Thanks  for your detailed reply. Created the python script, added the transforms.conf file, added the lookup definition, updated the meta file, and restarted Splunk and then ran: | makeresults | eval data="இடும்பைக்கு" | lookup test_lenlookup data Still the error:  Error in 'lookup' command: Could not construct lookup 'test_lenlookup, data'. See search.log for more details. Could not find 'lenlookup.py'. It is required for lookup 'test_lenlookup'. The search job has failed due to an error. You may be able view the job in the - job inspector.   looks like the issue is solved 90%, but some basic issues here, but not sure of what. ok, let me revisit the whole issue tomorrow, thanks a lot for your help.  ... View more

Hi @Brelove818 , as you are a student, maybe pls check: https://www.splunk.com/en_us/about-us/splunk-pledge/academic-license-application.html   not sure of what to suggest for the first question, lets wait for other's reply, thanks.  ... View more

Thanks @PickleRick for the detailed ideas. 1) one issue - the transforms conf file was saved as transforms.conf.txt (thanks to windows ! ), corrected it.  2) now the search query is:    | makeresults | eval _raw="இடும்பைக்கு" | lookup ucd_category_lookup _raw output count   3) and the result is:  Error in 'lookup' command: Cannot find the source field '_raw' in the lookup table 'ucd_category_lookup'. The search job has failed due to an error. You may be able view the job in the Job Inspector. 4) by that "Cannot find the source field '_raw' in the lookup table 'ucd_category_lookup',  i believe, the _raw field should be embedded inside the python script, but i am not sure.  Any help appreciated, karma points for sure. thanks.      ... View more

Hi @pwoehl welcome to the community.  1) This app S3SPL Add-on for Splunk is a new app (at least for me), not sure how to help you.  2) whatever happens, Splunk should update something to the internal logs. As you say no internal logs, in this case, looks like something wrong from your configs end.  3) if i am in your place, best idea i would do is to get some ideas/support from datapunctum directly: https://docs.datapunctum.com/s3spl/s3spl-faq 4) lets wait for other Splunkers to provide some more ideas, thanks.      ... View more

both @PickleRick and @andrewb_splunk given good details to this query. so i dont know which one to "accept as answer".. so i am accepting my own 😉   thanks.  ... View more

able to get rid of one error:   ... View more

Thanks @PickleRick for your reply.  Hello Everyone.. i am pretty new for App dev, so pardon me, let me explain you step by step: 1) the external_cmd ---- ucd_category_lookup.py script is present...screenshot: 2) the lookup definition was not created previously, so just i created one. given permissions to search app, selected the ucd_category_lookup.py as the external command, added and verified the fields properly 3) lookup definition done, restart splunk done, but still same error.  4) i thought automatic lookups is what needed, created one: 5) restart Splunk done, still the same error.    ... View more

>>> Giving users the default ability to email alerts or reports to any destination is a massive Data Loss Protection issue. Precisely @dural_yyz .  Giving the easy and quick installation methods, proving direct options to upload a log file, assigning default indexes options are too good. The first timers will really like these features. But, for the "email" functionality with the "default settings" such as "send anything anywhere"... looks bit odd. It should be like, by default, you can not send anything to any domain.  The informational note should say that, if you like to send email alerts to outside domain, pls request the Splunk Admins/power users to update the config file abcd.conf thru x y z methods. Thanks for reading, have a great day 👍🙏🤝 ... View more

Sure, thanks for your reply @marnall  >> Yes, this is a security recommendation added recently   May i know if you or anybody got some more details about this security recommendation pls, thanks.  ... View more

Sure @PickleRick  just asked on #docs and waiting with fingers crossed 😉 ... View more

Thanks @tscroggins for your upvote and karma points, much appreciated! last few months i was busy, could not spend time for this one.  May I know what would be your suggestions about these points pls: 1) I have been thinking to create an app as your suggestion listed below. would you recommend an app or a custom command or simply all important languages unicodes lookup(tamil_unicode_block.csv) uploading to Splunk | makeresults | eval _raw="இடும்பைக்கு" | rex max_match=0 "(?<char>.)" | lookup tamil_unicode_block.csv char output general_category | eval length=mvcount(mvfilter(NOT match(general_category, "^M")))   2) i assume that if i encapsulate his below listed python script in that app should be the work-around for this issue in a language agnostic way(this app should work for Tamil or Hindi or Telegu, etc) 3) or any other suggestions pls, thanks.     the app idea (your script from previous reply): $SPLUNK_HOME/etc/apps/TA-ucd/bin/ucd_category_lookup.py (this file should be readable and executable by the Splunk user, i.e. have at least mode 0500) #!/usr/bin/env python import csv import unicodedata import sys def main(): if len(sys.argv) != 3: print("Usage: python category_lookup.py [char] [category]") sys.exit(1) charfield = sys.argv[1] categoryfield = sys.argv[2] infile = sys.stdin outfile = sys.stdout r = csv.DictReader(infile) header = r.fieldnames w = csv.DictWriter(outfile, fieldnames=r.fieldnames) w.writeheader() for result in r: if result[charfield]: result[categoryfield] = unicodedata.category(result[charfield]) w.writerow(result) main()  $SPLUNK_HOME/etc/apps/TA-ucd/default/transforms.conf [ucd_category_lookup] external_cmd = ucd_category_lookup.py char category fields_list = char, category python.version = python3 $SPLUNK_HOME/etc/apps/TA-ucd/metadata/default.meta [] access = read : [ * ], write : [ admin, power ] export = system   With the app in place, we count 31 non-whitespace characters using the lookup: | makeresults | eval _raw="இடும்பைக்கு இடும்பை படுப்பர் இடும்பைக்கு இடும்பை படாஅ தவர்" | rex max_match=0 "(?<char>.)" | lookup ucd_category_lookup char output category | eval length=mvcount(mvfilter(NOT match(category, "^M")))   Since this doesn't depend on a language-specific lookup, it should work with text from the Kural or any other source with characters or glyphs represented by Unicode code points. We can add any logic we'd like to an external lookup script, including counting characters of specific categories directly: | makeresults | eval _raw="இடும்பைக்கு இடும்பை படுப்பர் இடும்பைக்கு இடும்பை படாஅ தவர்" | lookup ucd_count_chars_lookup _raw output count If you'd like to try this approach, I can help with the script, but you may enjoy exploring it yourself first. $SPLUNK_HOME/etc/apps/TA-ucd/bin/ucd_category_lookup.py (this file should be readable and executable by the Splunk user, i.e. have at least mode 0500) #!/usr/bin/env python import csv import unicodedata import sys def main(): if len(sys.argv) != 3: print("Usage: python category_lookup.py [char] [category]") sys.exit(1) charfield = sys.argv[1] categoryfield = sys.argv[2] infile = sys.stdin outfile = sys.stdout r = csv.DictReader(infile) header = r.fieldnames w = csv.DictWriter(outfile, fieldnames=r.fieldnames) w.writeheader() for result in r: if result[charfield]: result[categoryfield] = unicodedata.category(result[charfield]) w.writerow(result) main()  $SPLUNK_HOME/etc/apps/TA-ucd/default/transforms.conf [ucd_category_lookup] external_cmd = ucd_category_lookup.py char category fields_list = char, category python.version = python3 $SPLUNK_HOME/etc/apps/TA-ucd/metadata/default.meta [] access = read : [ * ], write : [ admin, power ] export = system   With the app in place, we count 31 non-whitespace characters using the lookup: | makeresults | eval _raw="இடும்பைக்கு இடும்பை படுப்பர் இடும்பைக்கு இடும்பை படாஅ தவர்" | rex max_match=0 "(?<char>.)" | lookup ucd_category_lookup char output category | eval length=mvcount(mvfilter(NOT match(category, "^M")))   Since this doesn't depend on a language-specific lookup, it should work with text from the Kural or any other source with characters or glyphs represented by Unicode code points. We can add any logic we'd like to an external lookup script, including counting characters of specific categories directly: | makeresults | eval _raw="இடும்பைக்கு இடும்பை படுப்பர் இடும்பைக்கு இடும்பை படாஅ தவர்" | lookup ucd_count_chars_lookup _raw output count   ... View more

Hi @tscroggins and all, Could you pls check this: the file http_error_code.csv StatusCode,Meaning 100,Continue 101,Switching protocols 403,Forbidden 404,Not Found the file http_error_codes_400.csv StatusCode,Meaning 400,Bad Request 401,Unauthorized 402,Payment Required 403,Forbidden 404,Not Found   ... View more