yes, still we observed vulnerability  openssl libraries files having 1.0.2zi FIPS with latest SplunkForwarder 9.2.0.1 as below. # cat /opt/splunkforwarder/etc/splunk.version VERSION=9.2.0.1 BUILD=d8ae995bf219 PRODUCT=splunk PLATFORM=Linux-x86_64 Library files r-xr-xr-x. 1 splunk splunk 475784 Feb 7 00:48 libssl.so.1.0.0 r-xr-xr-x. 1 splunk splunk 2996816 Feb 7 00:48 libcrypto.so.1.0.0 How to mitigate this vulnerability ?

@uagraw01 Hello, All files with the.xml extension, such as /scada_server/walmart_1.xml, /scada_server/walmart_2.xml, /scada_server/walmart_3.xml, and so forth, are matched by /walmart_*.xml. Could you please verify the permissions for every file inside this directory?And also,  You can try to remove the CrCSalt and try.  Check the below document for more examples:  https://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards   

Thanks for your reply. But I have a few questions since I am new to this. 1. In which server should I add the custom Add on (Forwarder or DS?) We have hundreds of forwarders pointing to the indexer right now. Do we need to change all of them? 2. And since you are saying I shall remove the already existing files in $SPLUNK_HOME/etc/system/local folder, what shall be the contents of the newly added custom add on files? 3. Also, the indexer discovery feature needs to be installed in the DS right? 

Hi @uagraw01, sorry but I don't understand your question, anyway, then, why do are using crcSalt=<SOURCE>? please try this: [monitor://D:\scada_server\walmart_*.xml] disabled = false host = WALVAU-VIDI-1 index = 2313917_2797418_scada sourcetype = Scada_walmart_alarm CHECK_METHOD = entire_md5 Then why are you using a so complex index? Ciao. Giuseppe

Hi @himaniarora20, the best approach is to create a custom add-on (called e.g. TA_Forwarders) containing at least three files: app.conf: containing the name and description of the add-on; deploymentclient.conf: containing the address of the Deployment Server; outputs.conf: containing the address of the Indexers. then you should remove the same conf files from $SPLUNK_HOME/etc/system/local folder in each server. In this way you can dinamically manage the indexers and Deployment Server addressing from the DS. For indexers, you could also use the Indexer Discovery feature (https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/indexerdiscovery) pointing to the Cluster Manager instead to the Indexers. Indexers Cluster must be managed by the Cluster Manager not by the DS. Search Head Cluster must be managed by the SHC Deployer not by the DS. Ciao. Giuseppe

Thank you @isoutamo for the response.  Here is more accurate version of payload [ { "Assigned to": "Jones, Francis", "Cost": 3, "Created date": "2024-02-28 12:52:18", "Extraction date": "2024-03-02 13:51:00", "ID": 12345, "Initial Cost": 3, "Location": "Sites", "Path": "Sites\\FY1\\S3", "Priority": 1, "State": "In Progress", "Status Change date": "2024-03-05 16:33:23", "Tags": "Europe; Finance", "Title": "Ensure correct routing of orders", "Updated date": "2024-03-05 16:33:23", "Warranty": false, "Wave Quarter": "Q2 22", "Work Item Type": "Request" }, { "Assigned to": "Jones, Francis", "Cost": 3, "Created date": "2024-02-28 18:59:18", "Extraction date": "2024-03-05 16:31:00", "ID": 12345, "Initial Cost": 3, "Location": "Sites", "Path": "Sites\\FY1\\S3", "Priority": 1, "State": "In Progress", "Status Change date": "2024-03-05 16:33:23", "Tags": "Europe; Finance", "Title": "Ensure correct routing of orders", "Updated date": "2024-03-05 16:33:23", "Warranty": false, "Wave Quarter": "Q2 22", "Work Item Type": "Request" }, { "Assigned to": "Jones, Francis", "Cost": 3, "Created date": "2023-01-28 18:59:18", "Extraction date": "2023-02-05 16:31:00", "ID": 12345, "Initial Cost": 3, "Location": "Sites", "Path": "Sites\\FY1\\S3", "Priority": 1, "State": "In Progress", "Status Change date": "2023-02-05 16:33:23", "Tags": "Europe; Finance", "Title": "Ensure correct routing of orders", "Updated date": "2024-03-05 16:33:23", "Warranty": false, "Wave Quarter": "Q2 22", "Work Item Type": "Request" } ]

Hi @kannu, I understand: there aren't eventtypes.conf and tags.conf, (I don't understand how it was declared CIM compliant!). The only way is consider them as custom and follow the normalization process using the Add-On builder or the SA-CIM Vlaidator. Ciao. Giuseppe

Since this looks like JSON, why not use spath? Try something like this: | spath serviceUserRequests{} output=serviceUserRequests | mvexpand serviceUserRequests Obviously you will have to modify the paths to fit your actual events.

@ITWhisperer  Actually this is my query index=fwdl-meter-batching-agent-logs earliest=-7d@h-5d     | rex field=_raw ""requestId"(?<x>[\w\W]+?)]" max_match=0     | table internalFWDLRequestId x     | mvexpand x     | rex field=x "\"commsHubId\"\s+:\s+(?<CH_ID>\d+)" max_match=0     | rex field=x "^\" : \"(?<suRequestId>.+?)\""     | mvexpand CH_ID     | rename internalFWDLRequestId as requestId     | eval x=requestId."-".CH_ID     | fields x suRequestId

@anooshac  There is 2nd part of this query. In this section based on month selection it will set earliest and latest time in  "start" and "end" token. use these token in respective search. basically these token have earliest and latest time in epoch format for selected month.  PS: I have to use separate sub search because $result.token_name$ only works for 1 entry. <search base="basesearch_time"> <query> | where Month="$month_token$" | table start end </query> <done> <set token="start">$result.start$</set> <set token="end">$result.end$</set> </done> </search>  

Here is a runanywhere example using the example you posted showing the extract working. If the sample data does not match your events sufficiently closely enough, please post a more accurate representation of your raw events, preferably in a code block </> similar to how I have done. | makeresults | fields - _time | eval _raw="{\"batchId\" : \"63361\", \"internalFWDLRequestId\" : \"70-B3-D5-1F-30-5F-30-00:70-B3-D5-1F-30-00-A0-03:519633036\", \"initialJobId\" : 3860464, \"batchCreationDate\" : 1709203012824, \"batchSubmissionDate\" : 1709293013333, \"allowMultipleRequests\" : true, \"abortedCountForDuplicateRepId\" : 0, \"abortedDuplicatesJobId\" : null, \"image\" : { \"approvedFirmwareVersionId\" : \"00070400\", \"fileName\" : \"00070400\", \"imageByteCount\" : 663191, \"mfcImageThumbprint\" : \"663125_675428228_vQhOAh27O+KHxkpO/Qrq0g==\" }, \"serviceUserRequests\" : [ { \"requestId\" : \"70-B3-D5-1F-30-5F-30-00:70-B3-D5-1F-30-00-A0-03:519633036\", \"requestDate\" : 1709203013315, \"imageCRC\" : 2291340038, \"numberOfCommsHubs\" : 3, \"deliveryPoints\" : [ { \"commsHubId\" : 101388585, \"endpointId\" : \"00-1D-24-02-01-0B-11-8E\" }, { \"commsHubId\" : 101762268, \"endpointId\" : \"00-1D-24-02-01-0A-D0-81\" }, { \"commsHubId\" : 102016271, \"endpointId\" : \"00-1D-24-02-01-0A-CF-75\" } ] } ], \"endpointType\" : 1}" | rex field=_raw "\"requestId\"\s:\s\"(?<x>[^\"]+)"