Hi @gowthammahes  Are you trying to index this log file in indexer/search head directly OR are you trying to read this file thru Universal Forwarder? ... View more

Sure @IAskALotOfQs .. all are welcome.. as its the virtual event, ALL are welcome, thanks.  ... View more

ofcourse, i am able to do --no-check-certificate, but i thought to report this to Splunk team, thanks.  ... View more

#your base search which produce the logs, ... like index=abc sourcetype=abc index=firewall sourcetype=abc | rex field=_raw "is\s(?P<ip>.*)" | table _raw ip | stats count by ip Hi @nsiva ..  if this search does not work, pls show us a screenshot.. thanks.    ... View more

A bit late to the party 😉 But seriously - getting the size of the index is one thing but before that we need to define what we mean by that. Index can be measured by many different parameters. 1. Cumulative size of all indexed events (that's what license usage counts as well) 2. Size of raw event files (compressed or not) 3. Cumulative size of everything related to just events (raw data, metadata) 4. Cumulative size of data regarding events as well as summaries created for given index. 5. Any of the above points but expressed not in terms of file sizes but in terms of usage of underlying storage (as in block-aligned or similar). ... View more

Hi @inventsekar, I can't reproduce the issue with an ASCII newline:     | makeresults | eval _raw="நாணாமை நாடாமை நாரின்மை யாதொன்றும் பேணாமை பேதை தொழில்".urldecode("%0A") | rex max_match=0 "(?<char>(?=\\S)\\X)" | eval len=mvcount(char) ``` len == 23 ```     What characters are present in char? If you have whitespace characters not included in the class [^\r\n\t\f\v ] (the final character is a space), you may need to replace \S with the class form and include e.g. Unicode newlines:     | rex max_match=0 "(?<char>(?=[^\\r\\n\\t\\f\\v \\x0b\\x85])\\X)"     I don't know if it's perfect, but it works with this:     | makeresults | eval _raw="நாணாமை நாடாமை நாரின்மை யாதொன்றும் பேணாமை பேதை தொழில்".urldecode("%E2%80%A8") | rex max_match=0 "(?<char>(?=[^\\r\\n\\t\\f\\v \\x0b\\x85])\\X)" | eval len=mvcount(char) ``` len == 23 ```     Edit: This is simpler and lets PCRE decide what a Unicode newline is:   | rex max_match=0 "\\R|(?<char>(?=\\S)\\X)" | eval len=mvcount(char) But given that optimization, we can just remove the positive lookahead completely for a faster regex: | rex max_match=0 "\\R|\\s|(?<char>\\X)" | eval len=mvcount(char)   ... View more

You might not be explicitly using summaries but it's quite probable that you're using datamodel acceleration. And that's nothing other than summaries built on datamodel contents for given indexes. You can read some basic info on summary replication here https://conf.splunk.com/files/2016/slides/replication-of-summary-data-in-indexer-cluster.pdf ... View more

Hi @Bisho-Fouad .. on the DMC / license master.. you can find out the license usage of a specific host.  pls suggest us exactly which step/status you are in..    As you are asking GUI.. the SPL gives more control actually.  ... View more

Hi, were you able to solve this? I need to tag a person(alert specific) in a single channel. ... View more

I thought I would pop in and let you all know the resolution from Splunk. :\d{2}\s+(?P<Successful>\d+)\s+(?P<Failed>\d+)\s+(?P<Percentage>\S+) IN bodyPreview   ... View more

WARNING! This answer is wrong.  The date of this file will be the date of the file when it was packaged in the installer (tgz/rpm). ... View more

Hi @SplunkExplorer  > Where it sends logs? Directly to Indexers? To a HF? A Splunk UF generally will send the logs to indexer. but if your indexer is overloaded and if you want to do some preprocessing beforehand, then you should use a HF(from UF, send the logs to HF.. HF will do some parsing tasks, then it will send the logs to indexer) > A UF is installed on it? If not, how it send logs? WMI? WEF? Other yes, WMI options is available. and if you can not install the UF, then you can use a syslog server to collect the logs from all systems that dont have UF and send it to a HF or indexer..  ... View more

ok something is not clear.  the trigger condition is results count greater than 4, then trigger/run the trigger conditions.  1) do you say that when the results are greater than 4, but still the trigger did not work.  2) on your latest reply, you got only one result, but the trigger condition ran successfully ya? Can you pls attach the trigger conditions screenshot pls.  ... View more

Hi @bhall_2 .. there are two forwarders - Splunk Universal forwarder(UF) and Splunk heavy forwarder(HF). (the old legacy forwarder is called as Splunk Light forwarder). maybe if you could update us more details about the requirement( more details about "you can control through biometics the flow of data" ), we can suggest you better. thanks   Best Regards Sekar ... View more

Yes, I opened a support case with Splunk and as per the support  I upgraded the Splunk, it worked. Thanks! ... View more

Hi Some comments even this is a old post. DMC/MC (if you have configured forwarders there) shows all nodes which have sent any _internal log events to indexers were MC will look those periodically and create a lookup file for them. Basically this means that until those events are in _internal log you will see those in MC forwarder dashboard. I think that DS's forwarder management use REST request from clients (DC) to keep book what DCs are active. Actually this means that until DC make a poll DS didn't know it. This same will happen always after you 1) reboot splunk and/or you reload deploy-config after changes. The "missing time" will depends on how often your clients are polling DS. Default is 1min phoneHomeIntervalInSecs = <decimal> * How frequently, in seconds, this deployment client should check for new content. * Fractional seconds are allowed. * Default: 60. Depending on your environment you could/should increase this to e.g. 5min. Another thing. You should never use system/local to store any configuration (there are some exceptions). Especially for DC configurations should be under own app. That way you can manage those via DS instead of managing those locally. r. Ismo ... View more

on that same link, they have given a good search explanation. may i know if you read it.. may i know what confusion you have after reading that, thanks.  ... View more

it is totally unnecessary to install a UF on a SH ->Requirements are determined by policies, so if policy says that it is required to forward all Splunk components to central Splunk for monitoring, then it is necessary.   We have a use-case that also requires us to install Splunk UF in all the components: Indexers, Search Heads, Deployment servers. I believe forwarders itself can dual-pipe, however whether it can choose certain index to pipe, I am not very sure. e.g  Index 1,2,3 only  -pipe to central Splunk All indexes - pipe to local Splunk     ... View more

Drop spath.  Splunk is already giving you field values.  Adding spath as illustrated in your example will only give each field a duplicate value.  When your log source is JSON, spath can be used to extract from a specific field that embeds an escaped JSON, or to extract value of a specific path.  | spath input=_raw does neither. ... View more

Thanks @phanTom. If anyone else comes across this in a search, I created a decision block which checks for container tags: If "tag1": go to the End block If "tag2": Continue to the next block Next block applies the tag "tag1" to the container. Final block removes the tag "tag2" from the container. This design, for better or worse, allows me to run a playbook "on demand" via a Workbook or manual action on the case management side, while keeping automatic capabilities (apply label "tag2" to the container and run) if I decide to use it as say, a child playbook. ... View more

Good to know about the different versions, thanks for the help! ... View more

The answer depends on your usecase. One approach, which you seem to be alluding to, is to run a daily report to populate the summary index (with the results from the search, not the raw events). Your dashboard could then read from the summary index and append results from the raw index to cover the gap between the end of the previous day to the end of your time period. So, to answer your final question, the logs are not saved twice (unless your report which is populating the summary index is saving the raw events - but why would you do that, as it doesn't provide any benefit). ... View more

Hi @MikeWilliams ..  Please check the process here..  https://docs.splunk.com/Documentation/Splunk/9.1.2/Indexer/Addclusterpeer Let us know if any issues, queries.. thanks.  ... View more

Hi @senthild  More details needed from your side..  from AWS Cloud to Splunk Cloud or Splunk Enterprise? any recent changes to the HEC inputs?  get details from the user that which timeframe or logs are missing exactly.. pls check these logs yourself..   (may times the developers simply "think" something is missing) maybe, pls check these troubleshooting steps..  https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Data/TroubleshootHTTPEventCollector   ... View more

Hi @splunkN00b  Pls copy paste the props.conf .. something got messaged up there..  Pls provide us some more details.. may we know what logs are these..  did you upload the logs manually or do you read these logs thru UF ... View more