Hello everyone, I am aware that the question was asked several times before, but the last one I found is more than 2 years old, so I wanna give it one more try: We currently try to get all data from FMC to Splunk - the way to do it is the "Cisco eStreamer eNcore for Splunk" App - but our Splunk environment is running on Windows server. So is there any way (without writing all the .sh from scratch in .ps) to get that up and running? Thanks a lot for the Feedback! ... View more

Hey all, Cause of the Y2K bug we recently did an upgrade of our Splunk environment to version 8.0.1 - after this upgrade we do face a strange issue, which does not make any sense for us and maybe looks like a bug or something, let me explain what we have. In one of our Dashboards we do create several timestamps using the eval method, here the code: <eval token="STARTFROMDISPLAY">mvindex(split($click.value$,"-"),0)</eval> <eval token="STARTFROMMACHINE">strptime($STARTFROMDISPLAY$, "%d.%m.%Y %H:%M")</eval> <eval token="STARTFROMADMACHINE">relative_time($STARTFROMMACHINE$, "-0d@d")</eval> <eval token="ENDATADMACHINE">relative_time($STARTFROMMACHINE$, "+1d@d")</eval> After those did run, the variables do have the following values: STARTFROMDISPLAY: 07.01.2020 09:52 STARTFROMMACHINE: 1578387120 (07.01.2020 09:52) STARTFROMADMACHINE: 1578351600 (07.01.2020 00:00) ENDATADMACHINE: 1577833200 (01.01.2020 00:00) So far so good, this is where the issue starts, if you convert these timestamps to actual dates (see above) everything is fine, except for ENDATADMACHINE this is for some reason poiting to the last years end, instead to 08.01.2020 00:00 which it should and would be correct. To make sure there is no error in the code, we did create a small and simple search (not in XML) to reproduce: index=dhcp | eval STARTFROMMACHINE = strptime("07.01.2020 09:52", "%d.%m.%Y %H:%M") | eval STARTFROMADMACHINE = relative_time(STARTFROMMACHINE, "-0d@d") | eval ENDATADMACHINE = relative_time(STARTFROMMACHINE, "+1d@d") | table STARTFROMMACHINE, STARTFROMADMACHINE, ENDATADMACHINE The output values of this search do look like this: STARTFROMMACHINE: 1578387120 (07.01.2020 09:52) STARTFROMADMACHINE: 1578351600 (07.01.2020 00:00) ENDATADMACHINE: 1578438000 (08.01.2020 00:00) So to summarize the issue in one sentence: The relative_time(sometimestring, "+1d@d" does not work while using eval in the XML, but it does work if used within a search. Does anyone have an idea what is going on here? Please let me know if you need any additional information. Thanks. ... View more

Hi all, On our exchange environment we do have the "in-place archvie" function enabled, which does create an additional archive mailbox for each user. Now I am looking for a way to get the mailbox stats for these additonal "mailboxes" - I search the complete exchange index but could not find anything useful, the eventtype "msexchange-mailbox-usage" does not contain those information. If we look at the powershell side, it does look like this: get user mailbox stats Get-MailboxStatistics -Identity USERNAME| Select TotalItemSize get user in-place archive stats Get-MailboxStatistics -Identity USERNAME -Archive | Select TotalItemSize Does have anyone an idea if I can find these data in the Exchange for Splunk app? Or if not how can I add these data to splunk? Thanks a lot! ... View more

Hi all, I do have a log which does look like this: Jul 6 09:31:18.729: %SYS-5-CONFIG_I: Configured from console by username on vty1 (ip-address) This data is received by syslog, but for any reason the internal _time variable does not contain the milliseconds, in this example .729 the _time variable in splunk does look like this: 2018-07-06T09:31:18.000+02:00 So I did some research and started to edit the props.conf for this sourcetyp TIME_PREFIX=^ TIME_FORMAT=%b %d %H:%M:%S.%3N But for any reason this did not impact the _time variable in splunk, can someone may tell me what I do wrong here? Thanks a lot. ... View more

Hi, we just installed the App Template for Citrix XenDesktop 7 to do some monitoring of our Citrix environment. We do have two Broker and about 120 VDA.. For the first test the Broker add-on was deployed to the two brokers, and the VDA app was deployed to one VDA. After a while we did start to receive some data, but it looks like something does not work as it should and maybe someone of you guys can assist here a bit. When I click through the dashboards, the following do not have any data, or data seems to be missing: Environment Overview -> "Popular Applications" does not find any data, the application info in the "Site Details" does show 102 applications Environment Overview -> "Users by Site" here I can see between 2 and 4 users, but the CTX farm is hosting around 800 users Usage Calendar -> Does not show any data User Activity -> just shows a few users, but only the fields "User Name", "Machine Name", "IP Address" and "Client Version" do contain data, the fields Start Time, Session Duration and Application(s) are empty Applications Overview -> does not contain any data Installed Software by Application Name -> does not contain any data When I run the search " xd_index sourcetype=xendesktop::session SiteName=""" I do receive a lot of results, but what seems weird to me is that no field extraction seems to happen, also one result block is containing more then one result I hope someone can tell me what is goind wrong here and provide some help. When I search for ERROR in the splunkd logs everything is OK, no errors found. Thanks a lot for the assistance. UPDATE: In the meantime I found out that there is a similar issue like for the session searches when I run this search: xd_index sourcetype=xendesktop:*:application ... View more

We installed the Splunk App for Microsoft Exchange on both our search heads. On initial start, a screen was shown that there is no license. We entered the credentials of the local Splunk user (admin) from the indexer. It somehow generated a license. We waited 15min but couldn't open the app, because the amount of data we have, already exceeded our licensed volume. We checked the licensing page on our indexer where we could see the Exchange trial for 60 days. But the volume limit shown was 0MB. We waited and tried other things until we ultimately thought, when we delete the trial, the app would give us the opportunity to regenerate a trial. But that wasn't the case. The app is still not working now, but fields are being extracted, though. How can we get the app working? Thanks and best regards, Merbag ... View more