Unfortunately this doesn't help in this scenario as the issue is Data Model Wrangler seeing the shared knowledge objects of other apps, Not the visibility of Data Model Wrangler shared knowledge objects ... View more

Not that I've seen. I've reached out to the developer and have a case logged with Splunk so I'll post once there's an update ... View more

You are correct. I simplified my initial search. I was using two searches to try to pull the relevant fields from the different entries when really I just needed a broader initial search because all data is in the same index. That was a hang over from trying to use join and transaction. This has meant that when the table is output I now get all values on one row. I also get a lot of rows that have no group name or UPN so I'm just trying to make it so they don't appear but I do now have the information required in the appropriate format.  Really appreciate the help you've given. Thanks ... View more

Thank you. I've checked the search and it's almost what I'm after. It's looking very close. It has definitely sorted out the UPN issue. It does produce the fields but over two lines in the output. I'm hoping for all fields to be returned in one table line. That way it can be sent as a csv output with the data already correlated.  At present one line contains: time, session_id, group_name  The next line returns : time, session_id, User_Name(UPN) Ideally I would like to get a one line output showing time, session_id, group_name, User_Name I would also like to avoid having lines in the table that only contain session_id and time but no group_name  ... View more

Thanks for your response again and sorry for the confusion. My sanitising of logs obviously hasn't helped. The UPN and shortname are the two options for values in the User_Name field. The infrastructure writes both versions (to pass on both credential options). Other than that the two log entries are identical.  I need to create a report for someone analysing the data and they need it to include only the UPN format value and ignore the shortname. The problem being that they are values in the same field in virtually identical log entries. And I should have mentioned that the groupname is pulled out via field extraction from the list of AD groups so is a field in itself. So from the log entries: I need to take the time, session_id and User_Name from the following log entry. Feb 18 08:00:33 #src_ip# hostname="hostname",errdefs_msgno="989898989: 5:",partition_name="ptnname",session_id="00000000",Access_Profile="profile_name",Partition="partition_name",Session_Id="00000000",User_Name="user@domain" I can ignore this entry. It was included just to show the fact that the two log entries are identical except for the field value for User_Name Feb 18 08:00:33 #src_ip# hostname="hostname",errdefs_msgno="989898989: 5:",partition_name="ptnname",session_id="00000000",Access_Profile="profile_name",Partition="partition_name",Session_Id="00000000",User_Name="shortname" I need to correlate the session_id from log entry one and use that to correlate the group_name from this log entry (It is a field extraction so literally group_name=#returned_value#) Feb 18 08:00:33 #src_ip# hostname="hostname",errdefs_msgno="01490113: 5:",partition_name="partition_name",session_id="00000000",Access_Profile="profile_name",Partition="partition_name",Session_Id="00000000",Session_Variable_Name="session.ad.last.attr.memberOf",Session_Variable_Value="| | CN=groupname,OU=OU3,OU=OU2,OU=OU1,DC=domain,DC=com,DC=au |" Which hopefully will end up with a table that has time, session_id, groupname and USer_Name (in UPN format only) ... View more

Hi, Thanks for your response and sorry for the delay getting back. I don't actually want to get the shortname for the username. Just the UPN. The problem is there are two identical log entries created in this process. One includes the shortname and one includes the UPN. They both have the same field name. But I only want to return the UPN format field value. The following are the two main log entries that I have to get the inform out of. The first (and second) is just the connection log with either the UPN or shortname as the User_Name value.  The last  is based on a AD query that returns their group memberships. Feb 18 08:00:33 #src_ip# hostname="hostname",errdefs_msgno="989898989: 5:",partition_name="ptnname",session_id="00000000",Access_Profile="profile_name",Partition="partition_name",Session_Id="00000000",User_Name="user@domain" Feb 18 08:00:33 #src_ip# hostname="hostname",errdefs_msgno="989898989: 5:",partition_name="ptnname",session_id="00000000",Access_Profile="profile_name",Partition="partition_name",Session_Id="00000000",User_Name="shortname" Feb 18 08:00:33 #src_ip# hostname="hostname",errdefs_msgno="01490113: 5:",partition_name="partition_name",session_id="00000000",Access_Profile="profile_name",Partition="partition_name",Session_Id="00000000",Session_Variable_Name="session.ad.last.attr.memberOf",Session_Variable_Value="| | CN=groupname,OU=OU3,OU=OU2,OU=OU1,DC=domain,DC=com,DC=au |"   I just wanted to create a table output showing the time the user connected, session_id, User_Name and UPN. My earlier queries were fairly basic and didn't address the username issue Thanks ... View more

I'm experiencing this also. Will post if i find anything to explain why  ... View more

Sorry for the delay responding. Had to take some time off. It appears the issue i had with values not displaying only relates to one particular service (ironically the one i was using for testing). I was using that as it has some of it's services always in an unknown state at present so a known constant. The other services i have now tested on seem fine. I'll keep looking into it but am happy to say your solution worked. Once again thanks for your help. Greatly appreciated.  ... View more

Thanks very much for your help. That helps a lot but i have noticed that it only gives me results if I query over a short period like the last 30 minutes. If I query for a 24 hour period or for "today" then it gives me no results. I can't see any reason why the timeframe should impact the result based on using latest time. As the service state is only collected once a day this potentially means it is ignored with the shorter time queries. Am I missing something here?  ... View more

I found that also. Half were ok but the other half had issues. At least it's a simple fix ... View more

No worries mate. Hope it helps ... View more

It is already there. It is an inf file so you can right-click it and select install. ... View more

monitorNoHandle didn't work at all for me so i tried MonitorNoHandle. I then got the following errors: GetServiceHandle - OpenService failure for 'SplunkMonitorNoHandle'! Error = 1060 GetServiceHandle - OpenService failure for 'SplunkMonitorNoHandle'! Error = 1060 runWinMonitorNoHandleMon: Could not connect to filter driver 0x80070002 runWinMonitorNoHandleMon: Could not connect to filter driver 0x80070002 runWinMonitorNoHandleMon: Could not connect to filter driver 0x80070002 DisplayError: The system cannot find the file specified.\r\n DisplayError: The system cannot find the file specified.\r\n GetServiceHandle - OpenService failure for 'SplunkMonitorNoHandle'! Error = 1060 GetServiceHandle - OpenService failure for 'SplunkMonitorNoHandle'! Error = 1060 GetServiceHandle - OpenService failure for 'SplunkMonitorNoHandle'! Error = 1060 StopDriver: Failed to get service handle 0x424 StopDriver: Failed to get service handle 0x424 There is a file called SplunkMonitorNoHandledrv.inf in the bin directory. After i installed the file the errors were resolved and i was able to successfully monitor the DNS debug file ... View more

I was getting these errors also. There is a file called SplunkMonitorNoHandledrv.inf in the bin directory. After i installed the file the errors were resolved and i was able to successfully monitor the DNS debug file ... View more