Hi @splunky_diamond , for my knowledhe, the only limit of Splunk is that logs must reach splnk and be searcheable! If you cannot be sure about this there isn't any internal Splunk solution. If the network connection between UF and Splunk is interrupted, UF locally stores logs for some time and, when the connection, is again available, it sends all logs to Splunk, but an attacker could delete also Splunk temp files, so you cannot do nothing.  You can be informed that there could be an attack when the data flow is interrupted and when, after the network connection is again available, windows logs are missed. In other words, Splunk save your data for a while, to avoid data loss during network issue, but these logs could be deleted by an attacker. The only way is to be notices that there could ne an attack. Ciao. Giuseppe ... View more

Hi  @yh , if the receiver is on Windows you cannot use neither rsyslog or SC4S, you should find another syslog receiver server. Ciao. Giuseppe ... View more

Hi @yh , as @deepakc said, it's prefereable to use an rsyslog to take syslogs instead of Splunk, in this way you're sure to save logs even if your Splunk is down or overloaded. Are you receiving many logs? Ciao. Giuseppe ... View more

Hi @yh , I asked because filtering should be applied in the first full Stunk instance that the data pass through, If you don't have an intermediate HF (or another Splunk full instance) and your data directly arrive to your stand alone Splunk server, the conf files are correctly located. Ciao. Giuseppe ... View more

Hi @ArianeSantos , let me understand: your ingestion correcty worked until the 30th of April and stopped from the 1st of May, is it correct? In this case, check the date format of your data and check if the events of the 1st of may was indexed with timestamp 2024-01-05. If you have an european date format (dd/mm/yyyy) and you didn't forced the format (TIESTAMP_FORMAT = %d/%m/%Y), Splunk by default uses the american format (mm/dd/yyyy), so in the first 12 days of the month, you have an error. You can solve the issue forcing the TIME_FORMAT. Ciao. Giuseppe ... View more

Hi @yh , the <189> string isn't relevant. It's relevant only the regex you are using. Anyway, having these logs, you should be able to filter both the logs containing "dstip\=8\.8\.8\.8". Try to add a backslash before "=" event if it shouldn't be the issue. Are you sure that the not filtered events directly arrive to the HF and that there isn't another HF in the middle? Ciao. Giuseppe ... View more

Hi @fde , I'm not sure that's possible to use two IP addresses for each server: in Splunk every hostname has one IP address. Ciao. Giuseppe ... View more

Hi @daniel333 , not all the data source from Azure and Office 365 is free, someone is subject to a fee. Check if the data source you want is one of them. In addition, you could ask help to Splunk Support,, don't ask help to Microsoft Support because they always answer: "ask to splunk", because Splunk is considered a competitor by Microsoft. Ciao. Giuseppe ... View more

Hi @myte , as you like! but scheduling the two searches: |.... main search... | bucket _time span=1h | stats count BY _time | stats avg(count) AS AverageCount max(count) AS MaxCount | eval AverageCount=round(AverageCount,2), MaxCount=round(MaxCount,2), Type="Per Hour" | collect index=my_summary and |.... main search... | bucket _time span=1m | stats count BY _time | stats avg(count) AS AverageCount max(count) AS MaxCount | eval AverageCount=round(AverageCount,2), MaxCount=round(MaxCount,2), Type="Per Minute" | stats values(AverageCount) AS AverageCount values(MaxCount) AS MaxCount BY Type | collect index=my_summary and running this search when you need resuts index=my_summary | table Type AverageCount MaxCount you have the same result in a single search and a quicker search.   let us know if you need more help, and, for the other people of Community, please, accept one answer. Ciao. Giuseppe P.S.: Karma Points are appreciated by al the Contributors 😉 ... View more

Hi @yh , the TRANSFORMS command in the transforms.conf is a regex on the raw data, it doesn't work on fields. Are you sure that in the TCP raw data you have the string you configured? cuold you share some samples of both the events that you want to filter (both UDP and TCP)? Ciao. Giuseppe ... View more

Hi @mshakeb, having an Indexer Cluster, the best solution is adding three new Indexers to the old CM using RF=3 and SF=3, in this way, after some time) in the new three Indexers you will have a complete set of data. When data will be replicated in the new indexers, remove, one by one the three old Indexers, then change RF and SR as original. At least replace the CM following the documentation. Plan with much attention these activities! Ciao. Giuseppe ... View more

Hi @LizAndy123 , et me understand: you want to extract the user fields (that's located at the beginning of the event) and the resource to access (that's located at the end of the event). In  this case you have to use two regexes: | rex "^(?<user>[^ ]+)" | rex "(?<resource>\w+)$" Ciao. Giuseppe ... View more

Hi @karthi2809, you can use % only using the like function otherwise you have to use *: | rename bucketFolder as BucketFolder | eval InterfaceName=case( BucketFolder=searchmatch("inbound") AND searchmatch("epm"), "EPM", BucketFolder=searchmatch("inbound") AND searchmatch("KPIs"), "APEX_File_Upload", BucketFolder=searchmatch("inbound") AND searchmatch("concur"), "ConcurFile_Upload", true(), "Unknown") | stats values(InterfaceName) AS InterfaceName min(timestamp) AS Timestamp values(BucketFolder) AS BucketFolder values(Status) AS Status BY correlationId | table Status InterfaceName Timestamp FileName Bucket BucketFolder correlationId Ciao. Giuseppe ... View more

Hi @kranthimutyala2, what does it happen using only spath: index=abc source="http:clhub-preprod" sourcetype=_json "ct-fin-abc-apps-papi-v1-uw2-ut" "Action Name" | spath | rex field=event "^(?<event_type>\w+)" | where event_type="INFO" Ciao. giuseppe ... View more

Hi @kranthimutyala2, which sourcetype are you using? did you tried json or _json? In this case the INDEXED_EXTRACTIONS=json is enabled Ciao. Giuseppe ... View more

Hi @myte , you could try to schedule the two searches (with the frequency that meets your requirements), separately or together, saving results in a summary index. Then you can run a very efficient search on the summary index. Ciao. Giuseppe ... View more

Hi @kranthimutyala2, did you tried to use the spath command (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Spath)? It automatically recognize all the fields-value pairs. Ciao. Giuseppe ... View more

Hi @Poojitha, you can see in the Deployment server GUI that there's an option to flag that requires a splunk restart on the client when an app is updated, this is mandatory to reload the configurations on the client. Ciao. Giuseppe ... View more

Hi @Poojitha, at first check if the owner of the app is splunk: if it's root and you are using splunk user to run splunk serveces in the HF you could have problems. Then check if yu flagged the retart Splunk flag for that app. At least check again (even if you already checked) the serverclass: check if the server is inserted in the serverclass. Last check, what kind of app are you depoying, a custom or a splanbase app? Ciao. Giuseppe ... View more

Hi @myte, if your want the format you shared (Per hour and Per minute in different rows) you could use this solution, even if isn't so efficient: |.... main search... | bucket _time span=1h | stats count BY _time | stats avg(count) AS AverageCount max(count) AS MaxCount | eval AverageCount=round(AverageCount,2), MaxCount=round(MaxCount,2), Type="Per Hour" | append [ |.... main search... | bucket _time span=1m | stats count BY _time | stats avg(count) AS AverageCount max(count) AS MaxCount | eval AverageCount=round(AverageCount,2), MaxCount=round(MaxCount,2), Type="Per Minute" ] | stats values(AverageCount) AS AverageCount values(MaxCount) AS MaxCount BY Type Ciao. Giuseppe ... View more

hi @Siddharthnegi , let me know if my hint solve your requirement. If you share your searches I culd help you. Otherwise, please accect one solution for the other people of Community. Ciao. Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @corti77 , you have to reset the mongod.lock: stop splunkd delete $SPLUNK_HOME\var\lib\splunk\kvstore\mongo\mongod.lock" start splunkd I asked to Splunk ideas to create a script od a dedicated solution to this frequent issue, if you think as me that's important, please vote for this idea at https://ideas.splunk.com/ideas/EID-I-2058 Ciao. Giuseppe ... View more

Hi @hazem , when the primary site is down, you can access the secondary site Indexer for searches. But rememeber that using an IDX cluster, you must use a Search Head to search on the two clustered Indexers, it isn't possible to use the same server for searches as a stand-aone server. From version 7 Splunk IDX Cluster is accessible only using a Search Head Ciao. Giuseppe ... View more

Hi @hazem , During DR,  you have primary site and probably also Cluster Manager both down, but you can search on the Indexer in the secondary site, that will have al the data for the replication, for this reason you cannot have a minor retention time in the secondary site. The secondary site continue to work (also without CM) until the primary site and CM will come up again, at this point there will be the data balancing replicating the data indexed during the DR.  Ciao. Giuseppe ... View more