Hi @m92 , I added eariest and latest because you have _time in your searches, but you can ignore them. Ciao. Giuseppe ... View more

Hi @HugheJass , use this field in the conditions status.errorCode=* status.errorCode=0 status.errorCode!=0 or 'status.errorCode'=* 'status.errorCode'=0 'status.errorCode'!=0 Ciao. Giuseppe ... View more

Hi @Amadou, the main issue in developing a Splunk search is to know what to search, then you can use the SPL for searching the rules that you defined in your knowledge of the technology to monitor. I don't know what's your technology to monitor, as I said in my sample: if you are using windows EventCode=4625 menas log fail. So what are the conditions that you need to search? if you need to search a value in a field (e.g. EventCode=4625) you an use this field, if you need to search a string (e.g. "login successful"), you can search for this string. Did you tried to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/8.1.0/SearchTutorial/WelcometotheSearchTutorial) to be guided in the use of SPL? Ciao. Giuseppe ... View more

Hi @Real_captain, this is one the few cases to use transaction command: index=events_prod_cdp_penalty_esa source="SYSLOG" (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P) | transaction startswith="IDJO20P" endswith="PIDZJEA" | table _time eventcount Ciao. Giuseppe ... View more

Hi @HugheJass , what's the field you are using for the conditions *, 0 !=0? in the shared code there isn't any field. my_field is a common name that means the field that you're using. Ciao. Giuseppe ... View more

Hi @HugheJass , try adding the field to use in the condition, e.g. All my_field=* Successful my_field=0 Failed my_field!=0 Ciao. Giuseppe ... View more

Hi @m92, with the table command you have many events with the same srcip and dfferent _time. Do you want different lines if you have different _time? if yes, you can add _time to the BY clause (index="index1" Users =* IP=*) OR (index="index2" tag=1 ) | regex Users!="^AAA-[0-9]{5}\$" | eval IP=if(match(IP, "^::ffff:"), replace(IP, "^::ffff:(\d+\.\d+\.\d+\.\d+)$", "\1"), IP) | eval ip=coalesce(IP,srcip) | stats dc(index) AS index_count values(Users) AS Users BY ip _time | where index_count>1 | table Users, ip, _time even if, in this way you could have different _time in the two indexes so it will be difficoult to group by _time. Ciao. Giuseppe ... View more

Hi @AtherAD , We're deploying UBA and we had an instalation with Red Hat 8.8, with some packets in 8.9 and doesn't run! Splunk Support confirmed that you must ne use that (with the present UBA release) all the packets will be the ones in the certified release, e.g. RedHat 8.8 without any update to greater releases. And you must block all the updates, otherwise the installation will stop to run. Ciao. Giuseppe ... View more

Hi @Siddharthnegi , as I said, if you install the above app in your system, there's an example on how to implement the "Null Search Swapper" that's exacly the feature you need. In the example there's the code to use in the dashboard, that you need only to customize for your searches and panels. Ciao. Giuseppe ... View more

Hi @shakti, use faster disks if you're using a physical server or dedicated resources if you're using a virtual server and possible SSD disks. Ciao. Giuseppe ... View more

Hi @Siddharthnegi , please try this https://splunkbase.splunk.com/app/1603 Ciao. Giuseppe ... View more

Hi @Siddharthnegi , see in the Splunk Dashboard Example app (https://splunkbase.splunk.com/app/1603) the example "Null Search Swapper, that describes how to replace a panel with a message when no results. Ciao. Giuseppe ... View more

Hi @LizAndy123 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @munang , retention in indexes is a different (and not related) thing than DM acceleration period: they can be (and usually they are) different: data are stored in indexes for the retention period, instead data in DM are stored for the time of the most searches. Ciao. Giuseppe ... View more

Hi @Amadou, search in aws logs or documentation how to recognize the logfail in aws (e.g. in windows logfail is EventCode=4625) and modify my search. Ciao. Giuseppe ... View more

Hi @m92 , if you want only IPs present in both indexes, you could use this search: (index="index1" Users =* IP=*) OR (index="index2" tag=1 ) | regex Users!="^AAA-[0-9]{5}\$" | eval IP=if(match(IP, "^::ffff:"), replace(IP, "^::ffff:(\d+\.\d+\.\d+\.\d+)$", "\1"), IP) | eval ip=coalesce(IP,srcip) | stats dc(index) AS index_count values(Users) AS Users earliest(_time) AS earliest latest(_time) AS latest BY ip | where index_count>1 | eval earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"), latest=strftime(latest,"%Y-%m-%d %H:%M:%S") | table Users, ip, earliest latest Ciao. Giuseppe ... View more

Hi @jason_hotchkiss , good for you, see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @Amadou, could you better describe your requirement? in the alert you should insert the conditions to verify. e.g. if you want to chack thet in windows there aren't 10 logfail events (EventCode=4625), you could run: index=wineventlog EventCode=4625 | stats count BY host user | where count>10 As I said, the search depends on the conditions to check. Ciao. Giuseppe ... View more

Hi @m92, Spunk isn't a database, so avoid to use the join command because it's a very slow command, in addition you divided your search in three levels adding more slowness, so try to correlate events using stats BY the correlation key, something like this (to adapt to your use case): (index="index1" Users =* IP=*) OR (index="index2" tag=1 ) | regex Users!="^AAA-[0-9]{5}\$" | eval IP=if(match(IP, "^::ffff:"), replace(IP, "^::ffff:(\d+\.\d+\.\d+\.\d+)$", "\1"), IP) | eval ip=coalesce(IP,srcip) | stats values(Users) AS Users earliest(_time) AS earliest latest(_time) AS latest ip | eval earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"), latest=strftime(latest,"%Y-%m-%d %H:%M:%S") | table Users, ip, earliest latest Ciao. Giuseppe ... View more

Hi @shakti, surely the number of CPUs in one of the root causes of your issue, because Splunk requires at least 12 CPUs for Indexers and 16 if you also have ES. Anyway, check the IOPS (using a tool e.g. like Bonnie++ or FIO), because this is the usual major issue in queue problems. Ciao. Giuseppe ... View more

Hi @shakti , there's a delay between the event timestamp and the indexing timestamp probably caused by the too high data volume. This could be caused by a queue issue on the Forwarder, by a network latency or by a resource provlem (usually storage performance) on your Indexers. You can check queues using a search like the following  index=_internal source=*metrics.log sourcetype=splunkd group=queue | eval name=case(name=="aggqueue","2 - Aggregation Queue", name=="indexqueue", "4 - Indexing Queue", name=="parsingqueue", "1 - Parsing Queue", name=="typingqueue", "3 - Typing Queue", name=="splunktcpin", "0 - TCP In Queue", name=="tcpin_cooked_pqueue", "0 - TCP In Queue") | eval max=if(isnotnull(max_size_kb),max_size_kb,max_size) | eval curr=if(isnotnull(current_size_kb),current_size_kb,current_size) | eval fill_perc=round((curr/max)*100,2) | bin _time span=1m | stats Median(fill_perc) AS "fill_percentage" perc90(fill_perc) AS "90_perc" max(max) AS max max(curr) AS curr by host, _time, name | where (fill_percentage>70 AND name!="4 - Indexing Queue") OR (fill_percentage>70 AND name="4 - Indexing Queue") | sort -_time About resources, did you checked the IOPS of your storage? have the correct number of CPUs? at least, does your network have sufficient bandwidth to support your data volume? Ciao. Giuseppe ... View more

Hi @marco_massari11 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @kranthimutyala2 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @kranthimutyala2 , as also @yuanliu hinted, in Splunk you must use three backslashes instead 2 as in regex101: | rex field=event "{\\\n \\\"Task Name\\\": \\"(?<taskName>[^\"]+)" It's a difference: I opened a casefor a different behavios than the documentation, so the documentation was modified! I don't knw why, Splunk Project doesn't want to solve it! Ciao. Giuseppe ... View more

Hi @munang , answering to your questions: 1) you'll have a 1 year data in your DM, if you have 1 year data in your indexes, you'll load them in the DM, if you have less period data, you'll load all the data and maintain them for 1 year. 2) I don't fully understand your question: you load in the DM the last 5 minutes data every 5 minutes; when your data exceed the retention period, they will be deleted. Ciao. Giuseppe ... View more