Hello, I had to rename a bunch of rules yesterday so I cloned them from the Searches, Reports, and Alerts dashboard. They all have global permissions (all apps). For some reason I can't find none of the rules under the Content Management section. Is there a reason why the cloned rules aren't showing there? Thanks!  

I'm looking to close out (or delete) all notable events that were created prior to a specific date time.  The way they're trying to run reports, it is easier to delete them or close them than it would be to filter them from the reports.  Is there a way to use an eval query (or similar) or would it be best to use the API to close them?  Or am I SOL and I need to filter from the dashboard / report query level?

Hello, I'm am wondering how other security service providers have handled this issue or what is best practice To plan for least privilege, indexes would be separated out by group. We could store all data related to the group in a respective index. Network traffic, network security, antivirus, Windows Event Data, etc all in a single index for the group and give that group permissions to the index. An issue with this scenario is search performance. Searches may be performed on network traffic. Or on host data. Or on antivirus data. But Splunk will have to search the bucket containing all of the other unrelated data. If antivirus data is only producing 5GB a day, but network traffic is producing 10TB a day, this will have a huge negative affect on searches for antivirus data. This will be compounded with SmartStore (S2) where IOPS will be used to write the bucket back to disk. If least privilege isn't an issue, it would be optimal to create a bucket for the specific data. Network traffic would have it's own index. Windows hosts would have their own index. But the crux of architecting in this fashion is how to implement least privilege. One group cannot be able to see the host data of the other group. One idea to get around this is to limit the search capability by host, but that would require much work from the Splunk team and is not 100% certain if wildcards are used. Another idea is to simply create a separate index for each data type for each group. My concern with this is scaling. If we have 10 separate groups that require 10 indexes, that's 100 indexes. If we have 50, that's 500 indexes. 100 is 1000. This does not scale well. Thank you in advance for your help    

Sample data: <?xml version="1.0" encoding="UTF-8" ?> <Results xmlns:xsi="http://www.w3.org"> <Result> <Code>OK</Code> <Details>LoadMessageOverviewData</Details> <Text>Successful</Text> </Result> <Data> <ColumnNames> <Column>Sender&#x20;Component</Column> <Column>Receiver&#x20;Component</Column> <Column>Interface</Column> <Column>System&#x20;Error</Column> <Column>Waiting</Column> </ColumnNames> <DataRows> <Row> <Entry>XYZ</Entry> <Entry>ABC</Entry> <Entry>Mobile</Entry> <Entry>-</Entry> <Entry>3</Entry> </Row> </DataRows> </Data> </Results> Hello, I need to extract fields from the above xml data. I have tried the below props, but still the data is not extracting properly. Props.conf CHARSET=UTF-8 BREAK_ONLY_BEFORE = <\/Row> MUST_BREAK_AFTER = <Row> SHOULD_LINEMERGE  = true KV_MODE = xml pulldown_type = true DATETIME_CONFIG = CURRENT NO_BINARY_CHECK=true TRUNCATE=0 description=describing props config disabled=false How to parse the data.? Thanks in advance

Hi to everyone,  For a project, I need to deploy a test environnement with splunk and I need to capture stream log in order to to analyze it. For this project I have deployed a Splunk enterprise (9.1.2) on an ubuntu 20.04 and on another VM (also ubuntu 20.04) I put my UF (9.1.2). In the UF I put the add-on Splunk Add-on for Stream Forwarders (8.1.1) to capture packet and on my splunk enterprise Splunk App for Stream (8.1.1).  I follow all installations and configurations steps and debug some issues but I still have an error that I don't know how to fix it. In the streamfwd.log files I see this error :  2024-01-24 06:14:03 ERROR [140599052777408] (SnifferReactor/PcapNetworkCapture.cpp:238) stream.NetworkCapture - SnifferReactor unrecognized link layer for device <ens33>: 253 2024-01-24 06:14:03 FATAL [140599052777408] (CaptureServer.cpp:2337) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer ens33 is the right interface where I want to capture stream packet but I don't understand why it don't recognize it. If you have any idea I will be very gratefull.  

Hey everyone, I am in the situation where I have to provide a solution to a client of mine. Our application is deployed on their k8s and logs everything to stdout, where they take it and put it into a splunk index, let's call the index "standardIndex". Due to a change in legislation and a change in how they operate under this legislation change, we need to log specific logs based on the message content (easiest for us..) to a special index we can call "specialIndex". I managed to rewrite the messages we log, to satisfy their needs in that regard, but now I fail to log those to a separate index. The collectord annotations I put in our patch look like this, and they seem to work just fine:       spec: replicas: 1 template: metadata: annotations: collectord.io/logs-replace.1-search: '"message":"(?P<message>Error while doing the special thing\.).*?"@timestamp":"(?P<timestamp>[^"]+)"' collectord.io/logs-replace.1-val: '${timestamp} message="${message}" applicationid=superImportant status=failed' collectord.io/logs-replace.2-search: '"message":"(?P<message>Starting to do the thing\.)".*?"@timestamp":"(?P<timestamp>[^"]+)"' collectord.io/logs-replace.2-val: '${timestamp} message="${message}" applicationid=superImportant status=pending' collectord.io/logs-replace.3-search: '"message":"(?P<message>Nothing to do but completed the run\.)".*?"@timestamp":"(?P<timestamp>[^"]+)"' collectord.io/logs-replace.3-val: '${timestamp} message="${message}" applicationid=superImportant status=successful' collectord.io/logs-replace.4-search: '("message":"(?P<message>Deleted \d+ of the thing [^\s]+ where type is [^\s]+ with id)[^"]*").*"@timestamp":"(?P<timestamp>[^"]+)"' collectord.io/logs-replace.4-val: '${timestamp} message="${message} <removed>" applicationid=superImportant status=successfull'       My only remaining goal is to send these specific messages to a specific index, and this is where I can't follow the outcold documentation really well. Actually, I am even doubting this is possible but I fail to understand it completely. Does anyone have a hint?

We encounter an issue with our iislogs in an azure storage account. Our logging data becomes duplicated at the end of the hour when the last modified of a closed log file is updated. This is caused by a known bug in the azure extension that we are using and which we cannot update. However the behaviour of the plugin causes the duplication in logs. An example error can be seen below: 2024-01-24 12:03:09,811 +0000 log_level=WARNING, pid=7648, tid=ThreadPoolExecutor-1093_9, file=mscs_storage_blob_data_collector.py, func_name=_get_append_blob, code_line_no=301 | [stanza_name="prd10915-iislogs" account_name="prd10915logs" container_name="iislogs" blob_name="WAD/bd136adb-2f39-4042-94f3-2ac21450cc22/IaaS/_prd10920EOLAUWebNeuVmss_2/u_ex24012410_x.log"] Invalid Range Error: Bytes stored in Checkpoint : 46738047 and Bytes stored in WAD/bd136adb-2f39-4042-94f3-2ac21450cc22/IaaS/_prd10920EOLAUWebNeuVmss_2/u_ex24012410_x.log : 46738047. Restarting the data collection for WAD/bd136adb-2f39-4042-94f3-2ac21450cc22/IaaS/_prd10920EOLAUWebNeuVmss_2/u_ex24012410_x.log  The error happens in the %SPLUNK_HOME%\etc\apps\Splunk_TA_microsoft-cloudservices\lib\mscs_storage_blob_data_collector.py file on line 280. The blob stream downloader expects more bytes than the known checkpoint and produces an exception when the amount of bytes is the same. This exception is then handled by this piece of code: blob_stream_downloader = blob_client.download_blob( snapshot=self._snapshot ) blob_content = blob_stream_downloader.readall() self._logger.warning( "Invalid Range Error: Bytes stored in Checkpoint : " + str(received_bytes) + " and Bytes stored in " + str(self._blob_name) + " : " + str(len(blob_content)) + ". Restarting the data collection for " + str(self._blob_name) ) first_process_blob = True self._ckpt[mscs_consts.RECEIVED_BYTES] = 0 received_bytes = 0 Where the blob is marked as new and fully redownloaded and ingested. Causing our data duplication. We would like to request a change to the addon that prevents this behaviour from happening when the checkpoint byte count is equal to the log file byte count. The addon should not assume that a file has grown in size if the last modified timestamp is changed.