This probably should be a new question. The solution is to add a monitor stanza to an inputs.conf file in the UF. [monitor://C:\Program Files\Thycotic Software\log\xyz.log] index = foo sourcetype = bar

Hi @richgalloway , How we can get logs stored on our Secret Server Distributed Engine servers. They already have the universal forwarder installed on them. We would like these logs to be available in Splunk as well. The logs are stored in the following location: C:\Program Files\Thycotic Software \log and the file is xyz.log. Thanks..

Hi @Splunkerninja , the only way to have different retention policies is to store logs in different indexes. Usually you choose to have different indexes based on two parameters: retention policy and Access Grants. You cannot have different retention policies on data in the same index. This means that you have to create a rule on your Indexers or (if present) on Heavy Forwarders to override the default index value. Ciao. Giuseppe

No, the number after the slash / denotes how many significant bit are to be compared when the addresses are converted to binary. There are 32 bits in the binary representation of an IPv4 address, so, for example, /24 means just compare the first 24 bits of the addresses. This is equivalent to ignoring the last byte or masking with 0xFFFFFF00, or shifting right by 8 bits (32 - 24)

As far as I can tell your configuration checks out. The problem could be that the input for salesforce is over an API/Script. Different types of inputs behave differently with the configurations and some even skip certain parts of the pipeline. If it was a normal Monitoring Input and your mentioned configuration is on the indexer everything should work. I have to gather more info myself regarding the transformation of the API inputs to help you further on this. 

I've tried props.conf and transforms.conf both on Heavy Forwarder where the add-on is installed and on indexers with no succeed, it seems that are ignored anche all the event_type are being collected. This is the splunk doc I've followed: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest transforms.conf   [setnull_EVENT_TYPE] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing_EVENT_TYPE] REGEX = EVENT_TYPE\=\"LightningPageView\" DEST_KEY = queue FORMAT = indexQueue     props.conf   [sfdc:logfile] TRANSFORMS-setEventType = setnull_EVENT_TYPE, setparsing_EVENT_TYPE     This is a sample log:   2023-11-06T22:58:22.108+0000 SFDCLogType="LightningPageView" SFDCLogId="aaaa" SFDCLogDate="2023-11-06T00:00:00.000+0000" EVENT_TYPE="LightningPageView" TIMESTAMP="20231106225822.108" REQUEST_ID="TID:aaaa" ORGANIZATION_ID="aaaa" USER_ID="aaaa" CLIENT_ID="" SESSION_KEY="aaaa" LOGIN_KEY="aaaa/aaaa" USER_TYPE="Standard" APP_NAME="aaaa:aaaa" DEVICE_PLATFORM="SFX:BROWSER:DESKTOP" SDK_APP_VERSION="" OS_NAME="WINDOWS" OS_VERSION="10" USER_AGENT=""Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0"" BROWSER_NAME="EDGE" BROWSER_VERSION="119" SDK_VERSION="" DEVICE_MODEL="" DEVICE_ID="" SDK_APP_TYPE="" CLIENT_GEO="Italy/Rome" CONNECTION_TYPE="" UI_EVENT_ID="ltng:pageView" UI_EVENT_SOURCE="" UI_EVENT_TIMESTAMP="1699311501485" PAGE_START_TIME="1699310036553" DURATION="588.0" EFFECTIVE_PAGE_TIME_DEVIATION="false" EFFECTIVE_PAGE_TIME_DEVIATION_REASON="" EFFECTIVE_PAGE_TIME_DEVIATION_ERROR_TYPE="" EFFECTIVE_PAGE_TIME="588.0" DEVICE_SESSION_ID="aaaa" UI_EVENT_SEQUENCE_NUM="22" PAGE_ENTITY_ID="" PAGE_ENTITY_TYPE="Case" PAGE_CONTEXT="force:objectHomeDesktop" PAGE_URL="/lightning/o/Case/list?filterName=Recent" PAGE_APP_NAME="LightningService" PREVPAGE_ENTITY_ID="aaaa" PREVPAGE_ENTITY_TYPE="Case" PREVPAGE_CONTEXT="one:recordHomeFlexipage2Wrapper" PREVPAGE_URL="/lightning/r/Case/aaaa/view" PREVPAGE_APP_NAME="LightningService" TARGET_UI_ELEMENT="" PARENT_UI_ELEMENT="" GRANDPARENT_UI_ELEMENT="" TIMESTAMP_DERIVED="2023-11-06T22:58:22.108Z" USER_ID_DERIVED="aaaa" CLIENT_IP="xxx.xxx.xxx.xxx" UserAccountId="aaaa" SplunkRetrievedServer="https://aaaa.my.salesforce.com"