All the settings you need are in the "Universal Forwarder" app on your cloud instance.  Open that app, click the green Download button, then install the downloaded file in the Universal Forwarder on your Windows server. ... View more

This can be achieved using props.conf.  Try these settings to start with [mysourcetype] ```The "Great Eight" settings``` SHOULD_LINEMERGE = false ```Break lines only between a line ending and a date (year)``` LINE_BREAKER = ([\r\n]+)\d{4} TIME_PREFIX = ^ TIME_FORMAT = %Y-%m-%d %H:%M:%S.%4N MAX_TIMESTAMP_LOOKAHEAD = 30 TRUNCATE = 10000 ```Two settings for UFs``` EVENT_BREAKER_ENABLE = true EVENT_BREAKER = ([\r\n]+)\d{4} ... View more

What is your question?  Have you checked mongod.log and splunkd.log?  What did they say? ... View more

Easy-peasy index=_internal host=* component=Metrics name=thruput earliest=-24h | stats sum(total_k_processed) as "total data transfer" by host ```Convert KB to GB``` | eval "total data transfer" = 'total data transfer'/1024/1024 ... View more

Perhaps this will help index=_internal host=<<forwarder name>> component=Metrics name=thruput earliest=-24h | stats sum(total_k_processed) as "total data transfer" ... View more

I don't see why you cannot set repFactor in [default].  homePath also is listed as a per-index option, but I put it in the default stanza all the time (successfully). Try it and let us know how it works. ... View more

Where did you install the custom app?  It must be installed on the indexer(s) to create the index, but it must also be installed on the search head(s) for the index to appear in the GUI. ... View more

Open a case with Splunk Support. ... View more

The Splunkbase page for that app (you linked to it in your OP) will take you to the documentation.  Login to Splunkbase and the page will have a "Visit site" link. ... View more

Generally, speaking, Splunk processes events one at a time with no concept of "previous" or "next" events.  We can work around that using an aggregation command.  Try this <<your existing search>> ``` Check if the count for all sources of a transaction_id is zero``` | eventstats sum(count) as tx_count by transaction_id | eval Status=if(tx_count=0, "Missing in both sources", "Missing in source " + source) | stats values(Status) as Status by transaction_id ... View more

The dispatch endpoint launches a new search so that will not get what you're looking for.  Try the search/v2/jobs/export endpoint (https://docs.splunk.com/Documentation/Splunk/9.4.0/RESTREF/RESTsearch#search.2Fv2.2Fjobs.2Fexport) ... View more

Documentation for props.conf is in props.conf.spec.  Documentation of props for Palo Alto is in the add-on.  I've attached props.conf from the TA for your reference. ... View more

First, Splunk indexers should not be used as syslog servers.  They will lose syslog data during restarts and cannot monitor port 514 (unless running as root, which is another no-no).  Instead, use a dedicated syslog receiver (syslog-ng or SC4S) and forward data from there to Splunk. Second, Splunk apps are not software so they should not be subject to software download restrictions.  Splunk apps are (mostly) just bundles of config files.  Yes, some contain executable code (usually open Python), but you don't have to download those. That said, you need neither app nor add-on to ingest PA Firewall data.  Open a TCP port on the indexer and point PA to that port.  Without an add-on, Splunk will guess at the how to process the data and may (probably will) guess incorrectly.  You likely will need to define props.conf settings that tell Splunk the best way to onboard events from PA. ... View more

What you seek to do is not possible.  The contents of commands.conf apply to all roles. Management of the commands.conf file is not controlled by role.  It is governed by whatever process your organization has for controlling CLI access to the Splunk server(s). ... View more

First, one should not be receiving UDP (or TCP) directly into a Splunk instance.  Instead, use a dedicated syslog receiver (such as syslog-ng) to save the data to disk and monitor the files with a Universal Forwarder. If that's not feasible, try these props to better extract timestamps from the events. [my_sourcetype] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)\< TIME_PREFIX = \>\s TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%z MAX_TIMESTAMP_LOOKAHEAD = 32 EXTRACT-HostName = \b(?P\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+(-\d{2}:\d{2})?) ... View more

Please let me know if any panel needs to be modified or more detailed than this basic ones. Also please suggest if any new panel can be added. Please suggest any drilldowns as well. These are questions only your stakeholders can answer.  If the proposed panels answer the questions they have or solve their problems then modifications may not be necessary. ... View more

If all you want is a single integer that is the total of all file_count values then stats is the way to go. | rex "..." ``` more query stuff ``` | stats sum(file_count) as Total_Count   ... View more

It would help to know what you've tried so far, but getting the other field is just a matter of extending the regex. "Stopping\siteration[\s\-]+(?<stop_reg_id>[^:\s]+):\s*(?<file_count>\d+)" ... View more

Please don't tag uninvolved users.  If someone has an answer, they'll respond. ... View more

That directory probably contains older jQuery files. ... View more

I question the requirement on a few levels.  First, "gather all data" is a huge task.  Presumably, your Splunk environment has ingested multiple terabytes of data over time.  Gathering it all is impractical. Second, "visually readable format".  It's not only somewhat redundant, but also very vague.  How should the data be presented?  A text dump of every event ever received by Splunk would comply with the requirement, but probably would not be well received by executives. Third, this sounds like a typical management directive where those asking don't know what they want. Push back and ask for more information.  What problem are they trying to solve?  Do executives really care about (or even understand) indexes and sourcetypes?  They probably don't and are more interested in high-level metrics like storage cost trends or number of incidents detected. ... View more

Try counting the number of indexes for each EventId. index=index1 | rename Number__c as EventId | append [search index=index2 sourcetype="api" ] | stats count, dc(index) as indexCount by EventId | search count < 2 OR indexCount=1 Also, the append command is inefficient and not necessary in this case.  Try this index=index1 OR (index=index2 sourcetype="api") | rename Number__c as EventId | stats count, dc(index) as indexCount by EventId | search count < 2 OR indexCount=1   ... View more