@devsru wrote: Thanks for the query. I need to send an alert a day before daylight savings in europe i.e Sun, Mar 30, 2025 – Sun, Oct 26, 2025 Could you please tell me how to update this query. Lets say run at 2 PM the day before with the message. Ok - so am I to assume the rule is the 4th Sunday of those months or is this more difficult like the last Sunday of those months.  There needs to be a rule or common theme to identify each year in the future, unless a governing body just randomly decides each year then I can't script for that. | eval Sunday=strftime(relative_time(strptime(FirstOfMonth, "%Y-%m-%d"),"+2w@w0"), "%Y-%m-%d") | eval Match=if((Sunday=DayOfYear AND (strftime(round(relative_time(now(), "-0y@y"))+((count-1)*86400),"%m")=="03" OR strftime(round(relative_time(now(), "-0y@y"))+((count-1)*86400),"%m")=="11") ),"TRUE","FALSE") The eval for Sunday=... contains '+2w@w0' which indicates the second week @ weekday of 0 which in this case is Sunday (1=Monday, etc....). The eval for Match= has many AND OR statements but the '==03' and '==11' just needs to be updated to match your month in question. The entire search I gave you will only identify the two days where DST changes occur.  You need to add an additional calculation to say is today or now() the day before either of the DST change results.  If TRUE then result == 1, if FALSE then result == 0 (result being any variable name of your choosing).  Once you have that search working and verified you can setup an Alert action that results in email delivery if result value > 0.  That alert action search can be schedule to run every Saturday for every week. Set it once and forget about it as it should work year after year.  That said good maintenance is to on a reoccurring bases verify the search still matches your local DST rules and that destination mailing list still exists and contains the appropriate user base. ... View more

| makeresults count=365 | streamstats count | eval DayOfYear=strftime(round(relative_time(now(), "-0y@y"))+((count-1)*86400),"%Y-%m-%d") | eval FirstOfMonth=strftime(strptime(DayOfYear, "%Y-%m-%d"),"%Y-%m-01") | eval Sunday=strftime(relative_time(strptime(FirstOfMonth, "%Y-%m-%d"),"+2w@w0"), "%Y-%m-%d") | eval Match=if((Sunday=DayOfYear AND (strftime(round(relative_time(now(), "-0y@y"))+((count-1)*86400),"%m")=="03" OR strftime(round(relative_time(now(), "-0y@y"))+((count-1)*86400),"%m")=="11") ),"TRUE","FALSE") | table _time DayOfYear FirstOfMonth Sunday Match | search Match=TRUE This search will find the second Sunday of every March and November for the current year.  You actually need to identify if today is the day before in order to trigger an alert which you can program to send an email. There might be easier methods to identify the DST change but my research has not found it yet this morning.  Also this assumes the DST change is for the Americas, other portions of the globe may not share the same DST days. ... View more

By default the Splunk server receiving HEC is set to only log INFO and above.  If you have a very limited number of receiving end points you can temporarily increase to DEBUG and above for logging.  If you have a small number of HF's or IDX tier then this is feasible, if you have a large IDX tier then it's not so easy. The debug will be specifically helpful in identifying the source of bad connection attempts.  I don't recall the token being visible and since any invalid token has no categorization with internal input configurations some real advanced answers are unlikely.  I also don't recall any capability to receive and process data without a valid token as it would create data poisoning issues along with license capacity issues to do so. UPDATE Sorry, it just dawned on me this was for OTEL not Splunk receiving.  ... View more

I'm not 100% sure what you are looking for, some of your sample search is hidden behind macros making it harder for me to decipher.  Can you provide the raw search and sampling of expected outcomes? ... View more

I've been researching this for the last 30 minutes and can't find anything to let you read that file.  Everything is around the conf files only, so not even scripts or such.  You could look into a dashboard with a custom javascript call maybe but that is outside my wheelhouse to even know if that is possible. ... View more

I agree about recommending to avoid using UF even if technically possible.  HEC should be protected by certificates which HF can do very easily.  The UF was designed with the thought(assumption) it would read from local storage and forward. The HF and previously intermediate forwarder (which was just HF lite) was designed to receive and forward. Because of the design intent I am assuming a more robust secure testing would occur at the HF than the UF for any issues. ... View more

Try this from the documentation. https://splunk.github.io/splunk-connect-for-syslog/main/sources/#filtering-events-from-output https://splunk.github.io/splunk-connect-for-syslog/main/sources/#another-example-to-drop-events-based-on-src-and-action-values-in-message   ... View more

The indexer and the new CM will have logs to help indicate what is happening, something to point you in the right direction.  Please look there and post anything of interest if you still need help after reviewing. As for the webURL on the indexer, IMO from a security stance should always be disabled.  Your environment so hopefully there is a good reason for that. Knowing that the webURL availability turns on and off does tell me that your old CM has a custom app that enables webURL, the new CM likely does not so when the new CM pushes a bundle the indexer removes the oldCM custom app and disables the webURL. ... View more

in props.conf [tenable:sc:vuln] TRANSFORMS-Removetenable_remove_logs = tenable_remove_logs transforms.conf [tenable_remove_logs] SOURCE_KEY = _raw REGEX = ABCSCAN DEST_KEY = queue FORMAT = nullQueue     Do you have any other TRANSFORMS-<class> or REPORTS-<class> statements in this props?  The order of processing could be creating issues.  I'm throwing hail marys since I'm at a loss. ... View more

In a past environment I ran isolated HF's specifically for HEC with no other purpose.  I was able to tune them up on HEC processing cause there was no conflicting use cases for the compute power.  I had 2 sites with 2 HF's per site all acting in full HA behind site LB and local LB configurations.  The HF's were pointed to the Deployment Servers so the HEC inputs and config could be updated in a central location with auto distribution. To size up I would only have to stand up another HF in either location one at a time or in bulk.  Have them point to the DS and confirm the local logs were found at the indexers.  Then I could add the new server addresses to the server class for the HEC inputs/config to upload.  Then update the LB to include the new server(s) in the pool for that particular site. Very convenient and not difficult once setup - although not for novice users though.  Plugging an HF to a DS can come with issues if not 100% aware of how apps are named. ... View more

That's the best method I know of.  There is an app for Apple devices but it's just desktop sized viz so might as well stick with what you have now. ... View more

If you are not familiar with changing depth_limit check out this material. https://docs.splunk.com/Documentation/Splunk/9.3.0/Admin/Limitsconf depth_limit = <integer> * Limits the amount of resources that are spent by PCRE when running patterns that will not match. * Use this to limit the depth of nested backtracking in an internal PCRE function, match(). If set too low, PCRE might fail to correctly match a pattern. * Default: 1000 Your match is 1500+ characters into your event.  I know you have sanitized it so you need to check your true data to get the right count. ... View more

@PickleRick is correct if the data is not in the logs you can't eval from nothing. That said one way we have combated down time in the past is calculating the duration since the last anything log entry from the host.  This is never really 100% because it could be a transport issue but the asset is still alive, or any number of other things where the asset is alive but not 'logging'.  However, any calculation of x>acceptable duration of the last log is always a good thing to know.  Pair that up with a good CMDB record to prevent tracking decommissioned assets. There are many alternatives to lack of quality data, but they each come with pros and cons to be accounted for. ... View more

I mean the default value option is literally right at the bottom of the image you posted.  So that is how you set the default value of that token before any event can manipulate the expected outcome value. I'm hoping you are actually experiencing something more complicated and that maybe I don't fully understand your use case yet.  But really any other outcome means the value is conditionally set due to some other event occurring so I don't know how to advise. ... View more

I agree.  My last environment I managed had UF versions ranging from high 6.x to low 9.1.x.  Any upgrade readiness scans would lite up like a Christmas tree looking at the DS folder. ... View more

@PickleRick wrote: @dural_yyzYou're quoting from the monitor input spec, @NoSpaces is asking about batch input. Yes - admittedly I'm not as familiar with batch so I verified with the docs where I found this under batch.  I guess they did not write out the config definitions twice but just did a reference back to how it works with monitor. # The following settings work identically as for [monitor::] stanzas, # documented previously host_regex = <regular expression> host_segment = <integer> crcSalt = <string> recursive = <boolean> whitelist = <regular expression> blacklist = <regular expression> initCrcLength = <integer> time_before_close = <integer>  @PickleRick answers are more likely a good place to start.  It's possible you can did into the default debug logging levels at the UF but I wouldn't start with trying to increase logging until exhausting all other options first. ... View more

Is this an XML or Studio dashboard example?  What viz are you using? custom vs OOTB? ... View more

https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTREF/RESTcluster#cluster.2Fmanager.2Finfo   ... View more

If this is a report then put both inside the same timechart and trellis the results to get your 2 graphics.  If this is a dashboard then create a base search and then 2 viz that pull from the same base search but augment each with a unique timechart command. ... View more

time_before_close = <integer> * The amount of time, in seconds, that the file monitor must wait for modifications before closing a file after reaching an End-of-File (EOF) marker. * Tells the input not to close files that have been updated in the past 'time_before_close' seconds. * Default: 3 Is it possible that the file is not producing an EOF marker? or that something keeps chatting to the file? ... View more

| timechart count(field) as TotalVolume, dc(field) as UniqueFieldValues Depending on what you need the above might not be it, it was a little confusing so the other option from what I speculate you need is. Do the timechart to 'count by field' and then eventstats to calculate the total. ... View more

I hope I can find this trick in the future if I ever need this. ... View more

In my experience XML dashboards wont let you do scrolling for a single viz.  I just played around with Dashboard Studio and I can force a space between the lines but it just squeezes the lines.  There is no scrolling on the viz no matter the size of the panel.  I don't believe the behavior you want is possible. ... View more

\"webaclId\":\s\"[^:]+:[^:]+:[^:]+:[^:]+:[^:]+:regional\/webacl\/([^\/]+)\/ Your example data has a space "webaclId": " Verified from regex101   ... View more

Ok that's way too much logic for me to follow on a Monday morning before I have even had coffee.  I would split the fields into mv unique options.  Then start evaluating a new field based upon your logic flow.  Anything with a TRUE outcome can be your final results. ... View more