@dc17 - I'm not sure what logs you are trying to find in the EventViewer. Is it any known Application logs are you trying to find?? ... View more

@dc17 - Did the solution work for you?? If so, kindly consider accepting the answer for future Splunk users.   ... View more

That's correct because label has to be unique, in this case it will not generate unique label. I would suggest set the label as well with host field, because host name already tells you whether its QA or Prod or Dev.   I hope this helps!!! ... View more

Okay, I guess then nullQueue will even work with /event endpoint.   Thanks @PickleRick  ... View more

@Jasmine - Use like instead of match function. | eval label=case(like(host, "%tv00.test.net"), "Test", like(host, "%qv00.qa.net"), "QA", like(host, "%pv00.prod.net"), "Prod")   I hope this helps!!! ... View more

@PickleRick - You must be right and I know its so complicated for HEC endpoint on what will execute or not, so I would avoid it all together at all and filter it early directly from source when using HEC. ... View more

@dc17  - You need to give full path like:   [WinEventLog://Microsoft-Windows-Sysmon/Operational] checkpointInterval = 5 current_only = 0 disabled = 0 start_from = oldest index = sysmon sourcetype = WinEventLog:Sysmon   In my case, I can see a folder called Micrsoft > Windows > Sysmon folder. In which I can see Operational logs.   You need to give full path, instead of just MyCustomLog. Give full path, which you can find from Event Viewer.   I hope this helps!!! ... View more

@dc18 - If you are on Splunk Cloud try Data Manager - https://docs.splunk.com/Documentation/DM/1.8.3/User/AWSAbout , see if it can help.   If not Splunk Add-on for AWS would be your best bet.   I hope this helps!! ... View more

@rob_gibson - You need to filter on the source which is generating the data. And not send data at all to Splunk HEC.   Alternatively, You can install Splunk HF locally on the service. Create Splunk HEC input locally on Splunk HF. Update your data source to send data to local Splunk HF HEC instead of Splunk Indexers. You must use services/collector/raw endpoint of Splunk HEC for data filtering to work. https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector  Use nullQueue with regex to filter data on from going to Splunk. https://community.splunk.com/t5/Getting-Data-In/Filtering-events-using-NullQueue/m-p/66392  Forward data from Splunk HF to Splunk Indexers.   I would recommend not sending data to Splunk HEC at all directly by Data source would be simple solution. I hope this helps!!!  ... View more

@Markfill - Please describe what do you mean by index rolling (I assume, you mean bucket rolling and not index rolling.) * Warm Bucket to Cold Bucket? OR  * Cold Bucket to Frozen Bucket or being deleted? ... View more

@cmezao - I feel Upgrade Readiness App warnings nowadays generate errors from the internal App as well. I personally feel it's safe to ignore.   ... View more

@karthi2809 - Dashboard filters values shows in the URL, so once you get right URL, that should work.   I hope this helps!!!! ... View more

@marnall  - No external library. Splunk ships this Splunk Python module built in. ... View more

@Prathyusha891 - FYI splunklib doesn't come built in with Splunk. In your App you need to put the Splunklib explicitly, mostly in the bin folder of your App. pip install splunk-sdk --target ./bin   I hope this helps!!! Kindly upvote if it does!!! ... View more

@kidderjc - I'm no Java expert based on my past experience with log4j to Splunk HEC. If Splunk fails for some reason your solution will encounter a memory issue and may crash. My Recommendation: Store logs to log files on the server and use Splunk UF to forward the logs to Splunk indexers.   I hope this helps!!! ... View more

@jasonpeh - Wait and try again. Try different browser. Are usually the solution to these temporary problems.   If not contact education@splunk.com and report the issue. Americas: education_amer@splunk.com  Europe: education_emea@splunk.com  Asia/Japan/Australia: education_apac@splunk.com    I hope this helps!!! ... View more

@newguy2024 - Try username, instead of email. Check your username on Splunk.com.   ... View more

Workaround? - Use Linux if possible.   ... View more

@Sandivsu - Not sure if you can do that with props and transforms. But I'll provide a solution you can apply at the search query level. index=<your-index> ..... | rex field=_raw "\s\w+\[\w+\]:\s(?<json_content>\{.*\})" | spath input=json_content   I hope this helps!!! Kindly upvote if it does!!! ... View more

@bhall_2 - I didn't hear of it. Only Splunk Universal Forwarder (Splunk Agent on the host). ... View more

@avikc100  - You can add custom CSS to your simple XML dashboard to achieve this.   Dashboard XML Source Code   <form> <label>Fixed Column Sticky</label> <row depends="$tkn_never_show$"> <panel> <html> <style> #myTable table td:nth-child(1) { position: fixed !important; } #myTable table th:nth-child(1) { position: fixed !important; } </style> </html> </panel> </row> <row> <panel> <table id="myTable"> <search> ....     If position: fixed doesn't work, you can try with position: sticky;   I hope this helps!! If it does kindly upvote!!! ... View more

@rickymckenzie10 - To simplify your understanding of warm and cold buckets and different parameters. (Only applicable when you are not using volumes)   Warm Buckets -> buckets in /db path Cold Buckets -> buckets in /colddb path Frozen Buckets -> Deleted/Archived data   Warm to Cold Bucket Movement -> when maxWarmDBCount bucket count is reached.   Cold to Frozen (deleting, max age) Bucket Movement -> when all events are older than frozenTimePeriodInSecs   I hope this helps you understand the parameters better. Kindly upvote if it does!!! ... View more

Please copy-paste the search query I gave. Also, put your search query that you are trying to run here, so I can check what's wrong. ... View more

@SplunkUser5 - Yes @jotne is right about transforms.conf issue.   But if you want to exclude at the input level. This is a common issue I come across all the time and I keep forgetting again and again that is Windows path requires extra backslashes in the regex sometimes.   Try: C:\\\Users\\\.*\\\AppData\\\Local\\\Microsoft\\\Teams\\\current   (try the 4 backslash version as well, as I'm not sure which one will work. I always have to do try and error between 2, 3, and 4 backslashes.)   I hope this helps!!! Kindly upvote if it does!!! ... View more

@AL3Z - Sample reference query | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | rename Processes.* as * | eval firstTime = strftime(firstTime, "%F %T") | eval lastTime = strftime(lastTime, "%F %T")   FYI, this is just one sample example to detect lateral movement in powershell. Lateral Movement is broad topic, so please refer to my original answer.   I hope this helps!!! Kindly upvote if it does!!! ... View more