Try this query that does not use appends or transpose. (index=fortinet dlpextra IN (WatermarkBlock1,Log_WatermarkBlock2,Log_WatermarkBlock3,Log_WatermarkBlock4)) OR (index=035 "Common.DeviceName"="p151.d.com" OR Common.DeviceName="p1p71.c.com" "SensitiveInfoTypeData{}.SensitiveInfoTypeName"=*) OR (index=iron AutomaticClassification) OR (index=testing sourcetype="net:alert" dlp_rule="AZ C*") | eval type = case(index=fortinet, "Proxy", index=iron, "Email", index=035, "SFTP", index=testing, "Netskope", 1==1, "Unknown") | stats count by type ... View more

Each command works only with the results from the previous command. If the most recent event from each host is SESSION_STATE_UP then your job is done since there are no down hosts.  The where command will find no SESSION_STATE_DOWN events so there are none to display or alert on.  This is the desired state (isn't it?). OTOH, if a host currently is down then dedup host will return SESSION_STATE_DOWN for that host and the where command will decide if the host has been down long enough to worry about. ... View more

Search for up/down events and take the most recent for each host (switch).  Discard all of the up events and anything newer than 60 seconds.  The remainder will be down events at least a minute old without a following up event. index=foo ("SESSION_STATE_DOWN" OR "SESSION_STATE_UP") | dedup host | where match(_raw, "SESSION_STATE_DOWN") AND _time<relative_time(now(), "-60s")   ... View more

The first example will produce a count of destinations, etc, for each hour of the search time window.  Something like this _time Processes.dest count 12:00 foo 2 12:00 bar 1 13:00 foo 4 13:00 bar 2   The second example will produce counts by destination, etc.  The counts will not be broken down by time. Processes.dest count foo 6 bar 3   The bin command will have no effect because there is no _time field at that point. Putting span in the tstats command gives you control over the bin sizes.  Without span, tstats will choose a span it thinks best fits the data. ... View more

You can do that with Ingest Actions in either an intermediate HF or the indexers. Go to Settings->Ingest Actions and click the New Ruleset button.  Select the sourcetype to filter and then choose "Filter using Eval Expression" from the Add Rule dropdown.  Enter "len(_raw) > 10000" as the Eval Expression and click Apply to see the effect.  When you're happy with the set-up, click Save. ... View more

Have you checked the search log or splunkd.log on the remote search head? ... View more

@michael_vi wrote: I'm trying to run a search via CLI from federated Splunk instance > Splunk cloud. Everything is configured correctly and I have access to all indexes that on Splunk Cloud from Federated Instance  via web interface But when I'm trying to check connection via CLI on Federated Search instance splunk display app -uri https://<splunk cloud uri>:8089 I get this error:  argument uri is not supported by this handler splunk That's because "-uri" is not an option to the display command.  Run splunk help display app to see the full syntax. ... View more

This query will give the number of warnings for each indexer. index=_internal source=*license_usage.log type=SlaveWarnSummary ... View more

I contend the documentation is incorrect.  LINE_BREAKER and BREAK_ONLY_BEFORE are contradictory and shouldn't be used together.  At the very least, great care should be used to ensure the two settings work properly. ... View more

@hemant_lnu wrote: We have one index os_linux which has 2 source type and i see props and transform is written . can you help me to understand how its working . linux:audit Linux_os_syslog   props.conf [Linux_os_syslog] TIME_PREFIX = ^ Tells Splunk to look for the event timestamp at the beginning of the event TIME_FORMAT = %b %d %H:%M:%S Tells Splunk what a timestamp looks like MAX_TIMESTAMP_LOOKAHEAD = 15 How far from TIME_PREFIX the timestamp is allowed to be SHOULD_LINEMERGE = false Don't combine lines LINE_BREAKER = ([\r\n]+) Events break after a newline (CR and/or LF) TRUNCATE = 2048 Cut off each event after 2048 characters TZ = US/Eastern Event timestamps are expected to be in this time zone Transforms.conf [linux_audit] DEST_KEY = MetaData:Sourcetype REGEX = type=\S+\s+msg=audit FORMAT = sourcetype::linux:audit Look for "type=", some text followed by white space, then "msg=audit".  If it's found, set the sourcetype field to "linux:audit" [auditd_node] REGEX = \snode=(\S+) FORMAT = host::$1 DEST_KEY = MetaData:Host Look for "node=" in each event and set the 'host' field to the word that follows it. ... View more

There are no defaults for charting.fieldColors. ... View more

Try increasing the maxKBps setting in the forwarder's limits.conf file.  It sounds like the default of 256 is not enough.  Try 512 or 0 (unlimited). ... View more

Have you enabled receiving of data in Splunk?  Go to Settings->"Forwarding and Receiving"  to turn on receiving. Does "localhost url" include the port number (9997 by default)? Do your firewalls allow connections between Mulesoft and Splunk? ... View more

Check out 'charting.fieldColors' in the Dashboards and Visualization manual. ... View more

Example?  Screenshot? ... View more

It's normal to see "splunkd -p 8089 restart" in the process list because that is the command that launched Splunk.  I'm not sure, however, about why it appears so many times.  AIUI, there should be a single "splunkd -p 8089 restart" process and additional "splunkd" processes for running searches.  I could be mistaken, however. ... View more

It sounds like you've settled on what might be a unsuitable solution to the problem.  Tell us more about the problem itself and we may be able to suggest a better solution. Lookup tables are for enriching events with additional fields based one or more fields already in the events.  It's not a conditional-execution mechanism. If this part of a dashboard (or can be made into a dashboard) then you have better options.  You can have inputs the user can select to determine which calculations are made.  That is well-trodden ground so let us know if that path sounds feasible. ... View more

It should be stated up-front that indexes cannot be reduced in size.  You must wait for buckets to be frozen for data to go away.  The best you can do is reduce how much is stored in new buckets. You've already taken a good first step by eliminating duplicate events. Next, look at indexed fields.  Fields are best extracted at search-time rather than at index-time.  Doing so helps indexer performance, saves space in the indexes, and offers more flexibility with fields. Look at the INDEXED_EXTRACTIONS settings in your props.conf files. Each of them will create index-time fields.  JSON data is especially verbose so KV_MODE=json should be used, instead. ... View more

This is an indication of inefficient bucket use, meaning buckets roll `before they fill up.  This can happen when indexers restart often, but in this case I suspect it's just a matter of the main index getting very few events before maxHotSpecSecs is reached and the bucket rolls to warm. The answer for buckets that are known to contain few events is to set maxDataSize to a value that makes the bucket at least 50% full before it rolls.  The default bucket size is 750MB.  The dbinspect command can tell you the current size of buckets to give you an idea of how to set maxDataSize. Best Practice is to not use the main index at all.  All incoming data should go into a custom index, leaving main empty (and not needing to roll). ... View more

There's no need to edit props or transforms for Ingest Actions as they can be configured easily using the UI.  In fact, use of the UI is recommended to avoid errors in the ruleset config.  If you need to edit the config files for Splunk Cloud, do so in a custom app and upload the app to your Splunk Cloud search head. https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Data/DataIngest#Deploy_a_ruleset_on_an_indexer_cluster   ... View more

Install the app you cited in the OP on a heavy forwarder and use that to pull data from Azure using API calls.  The HF will forward the data to Splunk. ... View more

@livehybrid's answer is a good one. In general, HEC cannot pull data from any source.  It is merely a receiver for data pushed to Splunk. ... View more

What have you tried so far?  Where did you get stuck? Why check the whole day every hour?  If nothing was found in the 00:00-01:00 period at the 01:00 run then nothing will be found in the same period at the 02:00 run.  Searching the same data repeatedly is a waste of resources. ... View more

Check out the lookup function.  It should do what you want and put the results in a separate JSON array.   ... View more

Don't add to or touch the Python libraries that ship with Splunk as they will be replaced with each upgrade.  Put the required libraries (that Splunk doesn't provide) in your app.  This is the way. ... View more