@gcusellohas provided the solution above. https://docs.splunk.com/Documentation/AWS/6.0.3/Installation/Macros You will need to update the macro definition to describe the index where the data resides. ... View more

These are workload management pools configured for Splunk Cloud customers.  https://www.splunk.com/en_us/blog/platform/splunk-cloud-8-0-new-technology-to-help-you-transform-at-mission-speed.html?locale=en_us The documentation i sent you was for Splunk On Prem. My bad. Take a look at: https://docs.splunk.com/Documentation/SplunkCloud/9.0.2208/Admin/WorkloadManagement   ... View more

You could use the Splunk Stream App, it supports SMB as a filter. https://docs.splunk.com/Documentation/StreamApp/8.1.0/DeployStreamApp/ProtocolDetection The smb.dialect field contains the version. https://docs.splunk.com/Documentation/StreamApp/8.1.0/DeployStreamApp/FileService   ... View more

If it is an on going error message then it could lead to performance problems when searching that index.  It means that all your buckets for a certain index are filling to their max size very quickly. You can change the bucketsize from auto (700MB per bucket) to auto high volume(10GB per bucket) to resolve this. You can use |dbinspect index=<indexName> to inspect the bucket size for the suspect index maxDataSize = auto_high_volume https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Indexesconf   ... View more

It could also be done via the REST API: https://community.splunk.com/t5/Alerting/How-do-you-disable-enable-alerts-via-the-REST-API/m-p/441558 There is also a good suggestion here to group the alerts by app, then disable the app: https://community.splunk.com/t5/Alerting/How-can-we-suppress-a-set-of-alerts/m-p/480144   Need to add more points to this idea:  +4 from me 😁 https://ideas.splunk.com/ideas/PLECID-I-297   ... View more

Hi @phamxuantung , It's because the regex I have you is looking for digits using \d In this example, field F62 is extracted. I used a wildcard so it will catch anything in that field regardless of digit or string match. |rex field=_raw "\"F62\"\:\"(?<F62>.+?)\"" ... View more

Hi @jordilazo  As long as mail_reviewcomment is the last field in all the events, the following regex will work. EXTRACT-mail_reviewcomment = mail_reviewcomment="(?<mail_reviewcomment>.+?)$ If the schema changes, and this field is no longer the last field in the event, this regex will not work, and will require some changes. ... View more

 Hi @jordilazo  This props.conf contains index time and search time instructions (the extraction is search time) You could put this props.conf file on your searchhead, or create a new one with just the extract entry provided.   ... View more

props.conf [INSERT_SOURCETYPE_HERE] EXTRACT-mail_reviewcomment = mail_reviewcomment="(?<mail_reviewcomment>.+?)" No need to modify transforms.conf in this case. ... View more

Here is an example of syslog-ng configuration that stores the data on disk for Splunk to read. You will need to manage the data's retention with something like logrotate. https://www.splunk.com/en_us/blog/tips-and-tricks/using-syslog-ng-with-splunk.html Here is an example that uses syslog-ng and HEC, where no data is stored on the syslog server. https://www.splunk.com/en_us/blog/tips-and-tricks/syslog-ng-and-hec-scalable-aggregated-data-collection-in-splunk.html You could also use the Splunk App for Syslog (SC4S) https://splunkbase.splunk.com/app/4740/ https://splunk.github.io/splunk-connect-for-syslog/main/   ... View more

Login to splunk.com with one of those accounts that should have the support entitlements. You can raise a case via this url: https://splunkcommunities.force.com/customer/s/list-views/cases Just incase you have not already, try clearing the browser cache and login to see if its any different. If all else fails, contact the partner or Splunk rep who is assigned to your account.    ... View more

Hi @benedict  Follow this document to backup the KVStore. https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/BackupKVstore Here is the upgrade document for KV store for V8.0. Change version to match your exact point release. ... View more

Hi @benedict  Can you describe the exact problem you are having? V9 does make some upgrades to the KV Store, you may need to upgrade the storage engine to "WiredTiger" https://docs.splunk.com/Documentation/Splunk/9.0.1/ReleaseNotes/MeetSplunk To take advantage of the most up-to-date KV Store in this latest release, Splunk Enterprise 9.0 comes with a set of tools to guide the upgrade of your KV store server version to v4.2, as well as the migration of your KV Store storage engine. These updates are required in Splunk Enterprise 9.0. See Migrate the KV store storage engine in the Admin manual to plan your migration. http://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/MigrateKVstore   ... View more

This describes where you should install the addon. You should deploy a copy to the UF, with the correct input enabled, as per the link you originally posted. https://docs.splunk.com/Documentation/AddOns/released/MSIIS/Install Also take a look at  this post, which is a similar question to yours. https://community.splunk.com/t5/Getting-Data-In/IIS-Logs/m-p/517651/highlight/true#M87578   ... View more

Hi @dm1  This is possible, but I have not done it before. I can point you in the right direction. Be sure you have read and understood the ES Threat Intel framework: https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/threatintelligenceframework Go to this URL in your ES environment. These are the threat match specifications. Do not modify these, the only field you are interested in is the "Threat matching search specification". You will use this value in your own input. en-US/manager/SplunkEnterpriseSecuritySuite/data/inputs/threatmatch On that same page, click the "New" button. Paste the search specification into the provided field, and set the earliest time and latest time to suit your requirement for retrospective searches" Make sure you tick "More Settings", as you will need to set the index for the threat events to be written to.   Keep in mind the max age of your threat intel and relevance to the age of your data you are comparing with. Hope this helps. ... View more

Hi @kimmyb , The best way to learn is to try it for yourself in your own Splunk test environment. You can test this on the free license or sales trial. Make a query that generates no results: index=bunk sourcetype=bunk  | outputlookup my dummy.cvs Then use inputlookup. If the csv does not exist, you will get an error message. | inputlookup dummy.cvs ... View more

Hi @aznewman , Splunk uses a time series inverted index, in the form of .tsidx files: https://docs.splunk.com/Splexicon:Tsidxfile You can read more about how that index is built/populated here: https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/Abouteventsegmentation   ... View more