I have Splunk 9.4 installed and this is the file in the root $SPLUNK_HOME folder. splunk-9.4.0-6b4ebe426ca6-windows-x64-manifest That file name changes based on the version you have installed.  Inside that file is a list of ~30K files with expected owner and permissions.  The health check verifies against all of the contents but only on Splunk restart. ... View more

https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/Inputsconf interval = [<decimal>|<cron schedule>] * How often, in seconds, to run the specified command, or a valid "cron" schedule. * If you specify the interval as a number, it may have a fractional component; for example, 3.14 * To specify a cron schedule, use the following format: * "<minute> <hour> <day of month> <month> <day of week>" * Cron special characters are acceptable. You can use combinations of "*", ",", "/", and "-" to specify wildcards, separate values, specify ranges of values, and step values. * The cron implementation for data inputs does not currently support names of months or days. * The special value "0" forces this scripted input to be run continuously. As soon as the script exits, the input restarts it. * The special value "-1" causes the scripted input to run once on start-up. * NOTE: when you specify a cron schedule, the input does not run the script on start-up. * Default: 60.0 ... View more

$row.<column-field-name>.value$ Since the token referenced the column field name that is as specific as it gets.  I understand that you want to have multiple columns with unique URL for a reference.  All the documentation at this time points very specifically that you are limited to only one URL per row. ... View more

Can you tell me which format your are ingesting from these examples. https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525807(v=vs.90) #Software: Internet Information Services 6.0 #Version: 1.0 #Date: 2001-05-02 17:42:15 #Fields: time c-ip cs-method cs-uri-stem sc-status cs-version 17:42:15 172.16.255.255 GET /default.htm 200 HTTP/1.0 OR 192.168.114.201, -, 03/20/01, 7:55:20, W3SVC2, SALES1, 172.21.13.45, 4502, 163, 3223, 200, 0, GET, /DeptLogo.gif, -, 172.16.255.255, anonymous, 03/20/01, 23:58:11, MSFTPSVC, SALES1, 172.16.255.255, 60, 275, 0, 0, 0, PASS, /Intro.htm, -,   Once you confirm which format someone should be able to provide a recommended props.conf for the ingested sourcetype. Ofcourse you could opt for the app from Splunk base which looks to be very complete for IIS server logs. https://splunkbase.splunk.com/app/3185   ... View more

Sorry are you: 1) Trying to make a single Search Head Deployer serve 2 individual clusters? OR 2) Trying to move a single Search Head Deployer away from Cluster X and now server Cluster Y ... View more

Does the axis show todays date but no data fill? or is it that the axis is cut off as well? ... View more

The regex is simple enough. ^.*\sSetting\sconnector\s(?<connector_event>[^\s]+).*$ ... View more

No matter which version you upgrade to you can always reference the manifest file.  If the manifest does not list the file in the warning then it can be deleted. ... View more

Please keep in mind that Splunk docs no longer specify support for Windows 10/11, only specifically server version.  Something may have impacted the install extraction process. ... View more

The way that hot/warm/cold buckets along with bucket replication works it is in your best interest to make site 1 and site 2 indexing tier identical.  Someone with advanced on prem admin experience would be able to size this but storage becomes you biggest concern with unaligned resources. If you have some sort of business or budget constraints then I get why you would have unaligned sites - however personally I would very strongly suggest that both sites be identical compute and storage capacity at the indexing tier. Your individual indexer CPU count will determine how many concurrent searches can be run.  The compute power of your new machines appears acceptable from the minimal information available.  Keep an eye on skipped searches to confirm - the internal logs will indicate a skip reason.  Ideally SH and IDX should keep similar if not exact same CPU cores. ... View more

Are these values always aligned, or are the values sometimes unaligned and you still want to know if they are in both fields? ... View more

Which Windows OS? ... View more

Your drop down values become literal text replacements inside your SPL powering your dashboard.  You need to account for SPL syntax requirements for your choices and for prefix and suffix like displayed above.  It can take some finesse to get complicated searches to work but yours looks to lean more to the simple side.  Best to trouble shoot by letting the dashboard load/fail, then open panel in a new windows to see what the SPL was published as. ... View more

1) Share which OS version, which UF version, and roughly how many inputs on those hosts 2) Search _internal for your hostname(IP) for error codes 2.1) Is the UF generating errors 2.2) Does the UF get indexing paused/congested reports back from the IDX tier. 2.3) Does the UF show round robin to all IDX elements or is there a discrepancy in outputs.conf? Lets start with these. ... View more

If your indexers and other devices are no longer indexing data then you need to check individual server splunkd.log files.  Tail and grep for details around connections. Any error codes will help you and us in determining the issues. ... View more

@devsru wrote: Thanks for the query. I need to send an alert a day before daylight savings in europe i.e Sun, Mar 30, 2025 – Sun, Oct 26, 2025 Could you please tell me how to update this query. Lets say run at 2 PM the day before with the message. Ok - so am I to assume the rule is the 4th Sunday of those months or is this more difficult like the last Sunday of those months.  There needs to be a rule or common theme to identify each year in the future, unless a governing body just randomly decides each year then I can't script for that. | eval Sunday=strftime(relative_time(strptime(FirstOfMonth, "%Y-%m-%d"),"+2w@w0"), "%Y-%m-%d") | eval Match=if((Sunday=DayOfYear AND (strftime(round(relative_time(now(), "-0y@y"))+((count-1)*86400),"%m")=="03" OR strftime(round(relative_time(now(), "-0y@y"))+((count-1)*86400),"%m")=="11") ),"TRUE","FALSE") The eval for Sunday=... contains '+2w@w0' which indicates the second week @ weekday of 0 which in this case is Sunday (1=Monday, etc....). The eval for Match= has many AND OR statements but the '==03' and '==11' just needs to be updated to match your month in question. The entire search I gave you will only identify the two days where DST changes occur.  You need to add an additional calculation to say is today or now() the day before either of the DST change results.  If TRUE then result == 1, if FALSE then result == 0 (result being any variable name of your choosing).  Once you have that search working and verified you can setup an Alert action that results in email delivery if result value > 0.  That alert action search can be schedule to run every Saturday for every week. Set it once and forget about it as it should work year after year.  That said good maintenance is to on a reoccurring bases verify the search still matches your local DST rules and that destination mailing list still exists and contains the appropriate user base. ... View more

| makeresults count=365 | streamstats count | eval DayOfYear=strftime(round(relative_time(now(), "-0y@y"))+((count-1)*86400),"%Y-%m-%d") | eval FirstOfMonth=strftime(strptime(DayOfYear, "%Y-%m-%d"),"%Y-%m-01") | eval Sunday=strftime(relative_time(strptime(FirstOfMonth, "%Y-%m-%d"),"+2w@w0"), "%Y-%m-%d") | eval Match=if((Sunday=DayOfYear AND (strftime(round(relative_time(now(), "-0y@y"))+((count-1)*86400),"%m")=="03" OR strftime(round(relative_time(now(), "-0y@y"))+((count-1)*86400),"%m")=="11") ),"TRUE","FALSE") | table _time DayOfYear FirstOfMonth Sunday Match | search Match=TRUE This search will find the second Sunday of every March and November for the current year.  You actually need to identify if today is the day before in order to trigger an alert which you can program to send an email. There might be easier methods to identify the DST change but my research has not found it yet this morning.  Also this assumes the DST change is for the Americas, other portions of the globe may not share the same DST days. ... View more

By default the Splunk server receiving HEC is set to only log INFO and above.  If you have a very limited number of receiving end points you can temporarily increase to DEBUG and above for logging.  If you have a small number of HF's or IDX tier then this is feasible, if you have a large IDX tier then it's not so easy. The debug will be specifically helpful in identifying the source of bad connection attempts.  I don't recall the token being visible and since any invalid token has no categorization with internal input configurations some real advanced answers are unlikely.  I also don't recall any capability to receive and process data without a valid token as it would create data poisoning issues along with license capacity issues to do so. UPDATE Sorry, it just dawned on me this was for OTEL not Splunk receiving.  ... View more

I'm not 100% sure what you are looking for, some of your sample search is hidden behind macros making it harder for me to decipher.  Can you provide the raw search and sampling of expected outcomes? ... View more

I've been researching this for the last 30 minutes and can't find anything to let you read that file.  Everything is around the conf files only, so not even scripts or such.  You could look into a dashboard with a custom javascript call maybe but that is outside my wheelhouse to even know if that is possible. ... View more

I agree about recommending to avoid using UF even if technically possible.  HEC should be protected by certificates which HF can do very easily.  The UF was designed with the thought(assumption) it would read from local storage and forward. The HF and previously intermediate forwarder (which was just HF lite) was designed to receive and forward. Because of the design intent I am assuming a more robust secure testing would occur at the HF than the UF for any issues. ... View more

Try this from the documentation. https://splunk.github.io/splunk-connect-for-syslog/main/sources/#filtering-events-from-output https://splunk.github.io/splunk-connect-for-syslog/main/sources/#another-example-to-drop-events-based-on-src-and-action-values-in-message   ... View more

The indexer and the new CM will have logs to help indicate what is happening, something to point you in the right direction.  Please look there and post anything of interest if you still need help after reviewing. As for the webURL on the indexer, IMO from a security stance should always be disabled.  Your environment so hopefully there is a good reason for that. Knowing that the webURL availability turns on and off does tell me that your old CM has a custom app that enables webURL, the new CM likely does not so when the new CM pushes a bundle the indexer removes the oldCM custom app and disables the webURL. ... View more