hi @skasagawa ... Pls run this search with real time..  index=yourindex | eval indexTime = _indextime | table _time, indexTime | convert ctime(indexTime)  the _indextime will be the timestamp at which the event was received at the indexer and the _time is the timestamp of the event.  (at times, the difference between _time and _indextime of few seconds can be accepted. if the difference is like 1 or 2 mins or more, then, you should do some troubleshooting of the host timestamp) so most probably your events have some wrong time settings. pls let us know if you have questions.. thanks.. ... View more

User thellmann , A Splunk Employee wrote this: at: https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-get-a-developer-license-for-Splunk-IT-Service/m-p/210527 Trial/Developer downloads of ITSI and ES are available to customers with paid Splunk entitlements. As per the instructions linked above, please reach out to your Splunk sales representative in order to request either of these products.   ... View more

Hi @neerajs_81 ... if i do a "index=aws" , it shows me various sources and sourcetypes but there isn't any field that has names of these Inputs. The "name of the monitor" is simply a basic property of a log source. we should not use the name of the monitor to identify a log events.  As a new splunk user, i can understand your view, but, splunk provides more clear methods to solve your issue.  As you said, "if i do a "index=aws" , it shows me various sources and sourcetypes".. you should find out which source and sourcetype you are looking for the alerting.  Actually On production systems we will need to use many fields to filter out the log events... for example , the sourcetypes...aws:billing, aws:s3.. and then, we may need to use other fields and create the alert.  On the Splunk_TA_aws, you can select the 4th tab "Health Check", the drop down will list.. Health Overview and S3 Inputs Health Details.. when you select "S3 Inputs Health Details".. it will show you a big dashboard with multiple panels.. the first dashboard panel "SQS-Based S3 Time Lapse between Log Creation and Indexing".. you can click on the "Open in Search".. which will open a search window with the search query pre-loaded .. index="_internal" (datainput="*")(host="*") sourcetype="aws:sqsbaseds3:log" (message="Sent data for indexing.") | eval delay=_time-strptime(last_modified, "%Y-%m-%dT%H:%M:%S%Z") | eval delay = if (delay<0,0,delay) | timechart eval(round(mean(delay),3)) by datainput you can save this as an alert.. so, now you can see that we got many fields like..  index, datainput, host, sourcetype, message.. with these fields, we can pin point the log events and create the alert. hope you got it.. let us know if need more details.. thanks.  ... View more

Hi Priya, with the "Splunk App for Unix and Linux", this will be an easy task.. without this App, you have to everything manually.  ok, first lets try to monitor the folder /var/log/secure (the splunk user should have access to read this folder) and then once the logs reach Splunk, then you can check all details like login successful as well as failures and then you can drill down to the real issue of root user login failures(sudo failures). ... View more