Hi @harishlnu  One of the ways is using Rest API - /rest/health of SOAR - status field contains all the daemons health information and additional info on resource utilization. https://docs.splunk.com/Documentation/SOAR/current/PlatformAPI/RESTInfo#.2Frest.2Fhealth To monitor I would run an external script or if you are using Splunk Enterprise - by using | restsoar command you can call the above Rest API and create an alert.  You should install official  https://splunkbase.splunk.com/app/6361 Splunk App for SOAR to use  | restsoar command. -------- Srikanth Yarlagadda   ... View more

Hi @VK18 , If the notable is new and not being worked on by analysts/concerned team then you would find empty results. Check for notable that has been changed from New to other status such as 'In progress' or closed. You should be able to find the history. ----- Srikanth Yarlagadda     ... View more

Hi @prashant5847 , Splunk is good at auto extracting the JSON event if it is well formatted. Did you search it on Search head and saw the fields not being extracted correctly? Choose search mode - Smart/Verbose. If you still can not find it, you don't need to extract it on Heavy forwarder. Search head will do the extractions for you. Either you could use spath command - Example  <your search return json event> | spath  - This is inline search. Or update source type settings (props.conf) on search head to include following config- [<sourcetype-name-of-json-events>] AUTO_KV_JSON = true KV_MODE = json Hope this helps! ------------------------------ Srikanth Yarlagadda. ... View more

Hi @Murali  If you can't find Type/ OS in Windows Security Event logs that are ingested to Splunk, that is likely due to the source windows machines do not have such information exist in event logs. You could talk to Windows Administrator to include the desired details on Windows machine that you wanted for Splunk to collect and ingest. Hope this helps!  ------------------------- Srikanth Yarlagadda. ... View more

Hi @mark-jones  https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/FormateventsforHTTPEventCollector#Event_metadata You could take a look at this link and there are examples deep links to follow inside. -- Hope it helps! ... View more

@fajri1203  Try search-time approach, UF is a universal forwarder not applicable for your case. I wonder Add-on Microsoft Cloud Services don't have the extraction by default.  You have to configure props.conf, and transforms.conf on search-head (SH) under $SPLUNK_HOME/etc/<app_name>/local OR  $SPLUNK_HOME/etc/system/local. If you are having SH cluster and using SH deployer you must know how to bundle push or contact your splunk admin.  In standalone splunk SH the restart is required post changes. [mscs:storage:blob] REPORT-extract-csv-fields = extract-csv-fields [extract-csv-fields] DELIMS="," FIELDS = "pluginid","alertRef","alert","name","riskcode","confidence","riskdesc","confidencedesc","desc","instances","count","solution","otherinfo","reference","cweid","wascid","sourceid" ... View more

@gordenkem  you need to elaborate a bit more, extractions can be done both at index and search-time. the extractions are set at spec level with combination of props & transforms (optional in some cases). the spec you could set is source, host, sourcetype... if you have them common across the said index, sourcetype yes it is otherwise you have to clone the config. https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Propsconf#GLOBAL_SETTINGS - Read <spec> For example - I have index= a , index = b they both having a sourcetype = web:logs, if you set extraction to [web:logs] that applies to both indexes. if both indexes having common sources [source::/log/webserver/logs/web.log], then setting extraction at source level apply to both indexes... you have to me mindful about source, sourcetype and host combo while setting. As long as the data follow same structure that should be fine otherwise you will end-up seeing inconsistent values in extracted fields. ... View more

Hi @fajri1203  You don't need a regex you could do it two ways if .csv is being forwarded from UF then set inside props.conf [sourcetypename] INDEXED_EXTRACTIONS = csv At search-time, on search-head you shall do following https://www.splunk.com/en_us/blog/tips-and-tricks/quick-n-dirty-delimited-data-sourcetypes-and-you.html?301=/blog/2013/03/11/quick-n-dirty-delimited-data-sourcetypes-and-you.html&_gl=1*1q6w3af*_ga*NDMxNjgzMDU4LjE2Mjc2MDY0MDg.*_gid*NDUyOTcwODc3LjE2NjM1NDI5NDI.&_ga=2.10800753.452970877.1663542942-431683058.1627606408&locale=en_us ... View more

@rockzers you might need to install this add-on and enable required inputs, follow the instructions - https://docs.splunk.com/Documentation/AddOns/released/Windows/AbouttheSplunkAdd-onforWindows --- Srikanth Yarlagadda ... View more

@cybersej  Another great place to find AWS use cases - https://research.splunk.com/ , search AWS you will find already curated security detection details!   --- Srikanth Yarlagadda   ... View more

@cybersej  Perhaps you could start with this list to get an understanding! - https://docs.splunk.com/Documentation/AddOns/released/AWS/DataTypes If you are not going to use AWS add-on for ingestion of logs the will be different. -- Srikanth Yarlagadda ... View more

@jason0  - https://community.splunk.com/t5/Deployment-Architecture/Using-Deployment-Server-as-Search-Head-Deployer/m-p/345844  You can certainly do it, SH requires deploymentclient.conf file pointing to (deployment server)DS.  I never tested after the first-time deployment of apps  from DS --> SH, the subsequent changes to the apps done locally by user will stay on SH.. however if you push the same app once again from  DS might get override the app on SH which might remove the local changes. Where as with SH deployer they get merged with local changes! ... View more

Hi @VijaySrrie  You shall elaborate it for better understanding.  What is the source? What do you want to achieve? What is OCI? ... View more

Did you check forwarders are active? There must be at least one active forwarder (aka indexer from HF).   ./splunk list forward-server    restarting should clear the queues temporarily they may get blocked again if indexers are busy receiving data. https://wiki.splunk.com/Community:TroubleshootingBlockedQueues Make sure your forwarders are monitoring correctly and connected to HF.  (HF must be under active forwarder list when you execute same command on UF) ... View more

tstats only for indexed fields. rex is a search-time. Refer - https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/Configureindex-timefieldextraction after successful creation you can use the field in tstats. -- Hope it helps! ... View more

Your TIME_PREFIX = ^ that means starting of the event, what you have highlighted is not being considered as _time for that reason. When you set TIME_PREFIX alone, starting of the event is 4/5/2022 9:02 PM assuming line_breaking is fine. you should look at TIME_FORMAT and set the TIME_PREFIX correctly for the timestamp you want to consider for _time. The screenshot and events pasted looks completely different. ... View more

Hi @loloffs  You can try setting up Splunk add-on for salesforce - https://docs.splunk.com/Documentation/AddOns/released/Salesforce/Sourcetypes -- Hope this helps! ... View more

if the event doesn't have the bytes associated to the file splunk can not provide that detail. for example if the event is, file: temp.txt, 45 bytes, created today, file closed. Then in this scenario that contains knowledge about file temp.txt of size 45 bytes and it's closed. Then Splunk can retrieve and Alert/report etc can be created. What we need to retrieve in this case bytes must exist in 'events' / _raw data. Hope this clarifies. ... View more

@blbr123  Here is the tested settings, they need to be split among Uf/HF if you have intermediate forwarder (HF). Copy these settings to both UF and HF, if no intermediate forwarder copy it to Indexer. There are some settings don't need to be on HF however no harm it just ignores! I would recommend to test the CSV with 'Add Data' option in dev and load to see with props settings changing  to get the desired output.  Field names might be different in your case,  ## props.conf [set-csv-test] INDEXED_EXTRACTIONS = CSV TIMESTAMP_FIELDS = Datetime FIELD_NAMES = Units,Variable_code,Variable_name,Variable_category, Datetime HEADER_FIELD_LINE_NUMBER = 1 TIME_FORMAT = %d/%m/%Y %H:%M:%S TRANSFORMS-remove-header= Testing-header-removal-csv # transforms.conf [Testing-header-removal-csv] REGEX = ^Units\, DEST_KEY = queue FORMAT = nullQueue CSV sample tested: Units,Variable_code,Variable_name,Variable_category,Datetime Dollars (millions),H01,Total income,Financial performance, 05/04/2022 11:00:00 Dollars (millions),H04,Sales, government funding grants and subsidies Financial performance, 05/04/2022 11:00:01 Dollars (millions),H05,Interest, dividends and donations Financial performance, 05/04/2022 11:00:02 Dollars (millions),H07,Non-operating income,Financial performance, 05/04/2022 11:00:03 Dollars (millions),H08,Total expenditure,Financial performance, 05/04/2022 11:00:04 Dollars (millions),H09,Interest and donations,Financial performance, 05/04/2022 11:00:05 Dollars (millions),H10,Indirect taxes,Financial performance, 05/04/2022 11:00:06 Dollars (millions),H11,Depreciation,Financial performance, 05/04/2022 11:00:07 Dollars (millions),H12,Salaries and wages paid,Financial performance, 05/04/2022 11:00:08 Dollars (millions),H13,Redundancy and severance,Financial performance, 05/04/2022 11:00:09 Dollars (millions),H14,Salaries and wages to self employed commission agents,Financial performance, 05/04/2022 11:00:10 Dollars (millions),H19,Purchases and other operating expenses,Financial performance, 05/04/2022 11:00:11 Dollars (millions),H20,Non-operating expenses,Financial performance, 05/04/2022 11:00:12   Tested final look, no header and timestamp parsed and header being extracted as fields. Hope this helps!   ... View more

java server log doesn't have bytes related to .imp file so Splunk can not find that to Alert. Splunk can only query the data exist in logs . ... View more

How is file.log contents look like? redact the ip's username etc before posting. Paste few sample events. ... View more

series="*.imp" might work , you have to find out what else been included here. There could be other files with same name.  ... View more

Hi @Vin  You could try this. Restrict the timerange to the window that you want to check the log file size. index=_internal sourcetype=splunkd Metrics host="<your_host>" group=per_source_thruput series="<your_log_path_or_name>" | stats sum(kb) as total_kbytes | where (total_kbytes*1000) < 10   ... View more

Hi @sahuask  You shall be bit more specific, the SH automatically extract the JSON fields automatically if props.conf having correct settings. What you mentioned was about python code,  meaning how you going to read the data in python code?  probably API? ... View more