Hi all, I am using Splunk Enterprise Security and having trouble converting the indexes to CIM compliance. One of them is Cloudflare. The JSON data is being ingested via an AWS S3 bucket, and the visualization works fine on the Cloudflare App. However, the CIM Validator doesn't recognize the events and is unable to be used in Splunk ES. Has anyone been able to successfully convert these events to be CIM compliant? Thanks,

Hello I understand that you access the monitoring web through the launch controller button on the account page. I received the license today and proceeded with the installation, but two errors occur as follows. 1. <h1>500 Internal Server Error</h1><br/>Exception <br/> 2. : HttpErrorResponse <html><body><h1>500 Internal Server Error</h1><br/>Exception <br/></body></html> Http failure response for https://chaplinappdynamics.com/controller/restui/containerApp/mainNavConfig: 500 Internal Server Error I didn't click "Use local login", I clicked "Next". Can you tell me what the problem is? Thank you.

I have a field called position that contains integers and a token called position_select that is either a floating point number or a * (=all positions). Now i want to search all positions that match position_select. So i tried something like that: index = index1 | eval position_search = floor($position_select$) | where position = position_search The problem is that you of course can't use * in floor. Another problem is that | where position = * is impossible too. However i cant use | search because | search position = position_search  does not work.   So the question is, is there any way to use something like floor()  on position_select?  

Hi, We receive daily emails with lists of IOC's for malware and phishing alerts, each email may contain multiple ip address, domains and email addresses and we are trying to extract these to run searches against out web and email logs.  I have the regex working for extraction but it will only extract the first match. I've tried multiple ways of achieving this without success, the current config is: Props.conf EXTRACT-IOCURL = (?P<IOCURL>[a-zA-Z0-9][a-zA-Z0-9-]+[a-zA-Z0-9][\[][\.|@][\]][^\s]{2,}|[a-zA-Z0-9][a-zA-Z0-9-]+[a-zA-Z0-9][\[][\.|@][\]][^\s]{2,}|[a-zA-Z0-9]+[\[][\.|@][\]][^\s]{2,}|[a-zA-Z0-9]+[\[][\.|@][\]][^\s]{2,}) EXTRACT-IOCIP = (?P<IOCIP>\d{1,3}\[\.\]\d{1,3}\[\.\]\d{1,3}\[\.\]\d{1,3}+) The indexed email looks like this.... .... Domains comprised[.]site badsite[.]studio malware[.]live IP addresses 192[.]254[.]71[.]78 192[.]71[.]27[.]202 193[.]182[.]144[.]67  ....   but the current config will only extract the first record for each: IOCURL - comprised[.]site and  IOCIP  - 192[.]254[.]71[.]78. Any ideas how to extract all the domains and IP addresses? Thanks