Hi @whitecat001, Assuming your Active Directory logs are being indexed under "index=windows" and you are forwarding the logon events EventCode=4624 (successful logons), you can use the following query:     index=windows* source="WinEventLog:Security" sourcetype=xmlwineventlog host=* user!="*$" EventCode=4624 dest_nt_domain=<your domain name> | stats max(_time) as last_login by index, host, dest, dest_nt_domain, user, src_ip, Logon_Type | eval last_login=strftime(last_logon, "%Y-%m-%d %H:%M:%S")   The EventCode=4624  filters the logs to only include successful logon events. You can use the field "Logon_Type", which points out how the user logged on. There are a total of nine different types of logons, the most common logon types are: logon type 2 (interactive) and logon type 3 (network). Any logon type other than 5 (which denotes a service startup) is a red flag. Logon Type Logon Title Description 0 System Used only by the System account, for example at system startup. 2 Interactive A user logged on to this computer. 3 Network A user or computer logged on to this computer from the network. 4 Batch Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. 5 Service A service was started by the Service Control Manager. 7 Unlock This workstation was unlocked. 8 NetworkCleartext A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). 9 NewCredentials A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. 10 RemoteInteractive A user logged on to this computer remotely using Terminal Services or Remote Desktop. 11 CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. 12 CachedRemoteInteractive Same as RemoteInteractive. This is used for internal auditing. 13 CachedUnlock Workstation logon.   best regards, P.S.: Karma Points are always appreciated 😉 ... View more

thank you ... View more

Hi this is quite often asked question. You could find answers from community by google. But shortly, you couldn’t find that information from splunk audit logs. Here is couple links to tell more about the reason. https://community.splunk.com/t5/Splunk-Search/Data-used-by-searches/m-p/687785#M234581 https://community.splunk.com/t5/Splunk-Search/How-to-find-which-indexes-are-used/m-p/674510 r. Ismo ... View more

Hi That’s almost mission impossible with standard setup as you could do queries without defining any indexes into it. You could also use eventtypes etc. to hide real index names. If you star to index all your search logs from sh side and look litesearch part then that could give to you more accurate index list? r. Ismo ... View more

Maybe this is what you need. Note, as far as I know there are no fields that show the index used by a search,  that show the index used by searches, so you have to extract that from the SPL code,  and index= can be all over the place in the code and also in macros,  so its tricky, but may be this will work for you. This shows the count of searches by index_used | rest splunk_server=local /services/search/jobs | fields author title, updated, search, runDuration, provenance, latestTime, owner eai:acl.app, diskUsage | rename author AS user eai:acl.app AS app title AS search_code | rex field=search_code "(?<index_used>index\s*=\s*[^ ]+|index\s+IN|search\s*=\s*index=|search\s*=\s*inputlookup\s+in|index\s*=_\*)" | stats count(search_code) AS volume_of_searches_ran BY index_used | sort - volume_of_searches_ran     ... View more

Here's a query that will find most KOs owned by inactive users.  You may want to enhance it to also look for lookups.  Of course, change the '90' to whatever value you deem to be 'inactive'. | rest splunk_server=local /servicesNS/-/-/admin/directory | fields title eai:acl.app eai:acl.owner eai:type eai:acl.sharing | rename eai:acl.* as * | where (owner!="nobody" AND owner!="admin") | search [| rest splunk_server = local /servicesNS/-/-/admin/users | fields title last_successful_login | eval lastLogin = if(isnull(last_successful_login) OR last_successful_login=0,"never", strftime(last_successful_login, "%c")) | eval idleDays = round((now()-last_successful_login)/86400,0) | where (idleDays > 90 OR lastLogin = "never") | fields title | rename title as owner | format] ... View more

It could be a n umber of things as to why the data is not coming through or not showing. 1.Whatever your monitoring does it have read permissions? 2.Check for typos' (index name etc) You can also check the internal logs for clues index=_internal sourcetype=splunkd host=neo log_level=INFO component=WatchedFile | table host, _time, component, event_message, log_level | sort - _time   What is the output of this command - it shows whats being monitored (Assuming its a linux host) /opt/splunk/bin/splunk list inputstatus   Are you able to show us your inputs.conf and describe what you are trying to monitor? ... View more

Hi @whitecat001 , you can use the regex hinted  by @ITWhisperer , but when you ha a pais fieldnem=fieldvalue, as in your case, you could simply use the field for searching your data: index=your_index permission=Permission12345 | ... Ciao. Giuseppe ... View more

First things first - you're talking about deployer. Do you indeed have your apps on the search-head cluster deployer or maybe you meant the deployment server? ... View more

You should find all neccessary information about Splunk TAs and the kv store in your "_internal" index. As a second step you could check the "source" field for the TAs that you want to monitor. Most of the available TAs are writing logs in their own logfile under $SPLUNK_HOME/var/log/splunk.  For the kv store check the mongod.log. More information: What Splunk software logs about itself - Splunk Documentation ... View more

First, it might be better to just share the KO to global permissions so it can be seen by users of both apps, rather than to copy the KO to the other app - depending on your use-case.  In case that is not feasible, to copy a KO to other apps you have a few options: If there are just a few KOs to be copied, you can do this from the GUI: -Click Settings -> Searches, reports and alerts -search for your KO and click Edit -> Clone, then you can select the app to clone to from the App dropdown list. In case you need to copy KOs in bulk, it is easier to copy the config from the .conf file from one app to the other. You can also use REST to POST configs. ... View more

I want a sample query that will guide in creating one for both TA and Kvstore  ... View more

Then you should check this troubleshooting guide... https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/TroubleshootKVstore ... View more

You have two identical questions!  See the answer from that another one. https://community.splunk.com/t5/Alerting/Knowledge-Object/m-p/680852#M15802 ... View more

Hi You could try this https://github.com/harsmarvania57/splunk-ko-change But usually it’s easier and faster to do that via GUI. Just use Settings-> All objects -> Change ownership (or something like those, I can’t remember exact names). If that doesn’t work (there are some cases when this cannot change all KOs), you should use previous script. r. Ismo   ... View more

Yes. Verify your sources and their config in Splunk. Without more information we can't tell you anything more than that. ... View more

The first event that came in doesnt have a timestamp which is the reason for the error but the other events are extracted properly ... View more

Thank you for your response. I will check it out  ... View more