All Posts

I want to import Adaudit logs into Splunk but I don't know how. The important thing is that I want to do this starting from the oldest logs, not only from now on.
@gcusello here is the btool output:

PS C:\Program Files\SplunkUniversalForwarder> .\bin\splunk.exe btool props list --debug | Select-String -Pattern "etc\\apps"

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\props.conf
    [(::)?...]
    CHECK_FOR_HEADER = false
    priority = 10001

C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf
    [20240821_131904]
    MAX_TIMESTAMP_LOOKAHEAD = 41
    SHOULD_LINEMERGE = False
    is_valid = True
    [WindowsUpdate]
    MAX_TIMESTAMP_LOOKAHEAD = 48
    SHOULD_LINEMERGE = False
    is_valid = True
    [WindowsUpdate-2]
    MAX_TIMESTAMP_LOOKAHEAD = 48
    SHOULD_LINEMERGE = False
    is_valid = True
    [WindowsUpdate-3]
    MAX_TIMESTAMP_LOOKAHEAD = 48
    SHOULD_LINEMERGE = False
    is_valid = True
    [WindowsUpdate-4]
    MAX_TIMESTAMP_LOOKAHEAD = 48
    SHOULD_LINEMERGE = False
    is_valid = True
    [WindowsUpdate-5]
    MAX_TIMESTAMP_LOOKAHEAD = 48
    SHOULD_LINEMERGE = False
    is_valid = True
    [WindowsUpdate-6]
    MAX_TIMESTAMP_LOOKAHEAD = 48
    SHOULD_LINEMERGE = False
    is_valid = True
    [WindowsUpdate-7]
    MAX_TIMESTAMP_LOOKAHEAD = 48
    SHOULD_LINEMERGE = False
    is_valid = True
    [WindowsUpdate-8]
    MAX_TIMESTAMP_LOOKAHEAD = 48
    SHOULD_LINEMERGE = False
    is_valid = True
    [WindowsUpdate-9]
    MAX_TIMESTAMP_LOOKAHEAD = 48
    SHOULD_LINEMERGE = False
    is_valid = True
    [first_install-too_small]
    PREFIX_SOURCETYPE = True
    SHOULD_LINEMERGE = False
    is_valid = True
    maxDist = 9999

C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf
    [log2metrics_csv]
    DATETIME_CONFIG =
    INDEXED_EXTRACTIONS = csv
    LINE_BREAKER = ([\r\n]+)
    METRIC-SCHEMA-TRANSFORMS = metric-schema:log2metrics_default_csv
    NO_BINARY_CHECK = true
    category = Log to Metrics
    description = Comma-separated value format. Log-to-metrics processing converts the numeric values in csv events into metric data points.
    pulldown_type = 1
    [log2metrics_json]
    DATETIME_CONFIG =
    INDEXED_EXTRACTIONS = json
    LINE_BREAKER = ([\r\n]+)
    METRIC-SCHEMA-TRANSFORMS = metric-schema:log2metrics_default_json
    NO_BINARY_CHECK = true
    category = Log to Metrics
    description = JSON-formatted data. Log-to-metrics processing converts the numeric values in json keys into metric data points.
    pulldown_type = 1
    [log2metrics_keyvalue]
    DATETIME_CONFIG =
    LINE_BREAKER = ([\r\n]+)
    METRIC-SCHEMA-TRANSFORMS = metric-schema:log2metrics_default_keyvalue
    NO_BINARY_CHECK = true
    TRANSFORMS-EXTRACT = metrics_field_extraction
    category = Log to Metrics
    description = '<key>=<value>' formatted data. Log-to-metrics processing converts the keys with numeric values into metric data points.
    pulldown_type = 1

C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\props.conf
    [scheduler]
    EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*)\s+(?P<component>[^ ]+) - (?P<event_message>.+)

C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf
    [source::...\\var\\log\\introspection\\disk_objects.log(.\d+)?]
    TRANSFORMS-diskobjectsclone = introspection_disk_objects_log_clone
    [source::...\\var\\log\\introspection\\resource_usage.log(.\d+)?]
    TRANSFORMS-resourceusageclone = introspection_resource_usage_log_clone
    [source::...\\var\\log\\splunk\\metrics.log(.\d+)?]
    TRANSFORMS-metricslogclone = metrics_log_clone

C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf
    [splunk-powershell.ps-2]
    MAX_TIMESTAMP_LOOKAHEAD = 49
    SHOULD_LINEMERGE = False
    is_valid = True
    [splunk-powershell.ps-too_small]
    PREFIX_SOURCETYPE = True
    SHOULD_LINEMERGE = False
    is_valid = True
    maxDist = 9999

C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf
    [splunk_intro_disk_objects]
    METRIC-SCHEMA-TRANSFORMS = metric-schema:introspection_disk_objects
    TRANSFORMS-blah = metrics_index_redirect,introspection_disk_objects_metric_name
    [splunk_intro_resource_usage]
    METRIC-SCHEMA-TRANSFORMS = metric-schema:introspection_resource_usage
    TRANSFORMS-bloo = metrics_index_redirect,introspection_resource_usage_metric_name
    [splunk_metrics_log]
    METRIC-SCHEMA-TRANSFORMS = metric-schema:metrics_dot_log
    TRANSFORMS-metricslog = metrics_index_redirect,metrics_field_extraction,metrics_log_metric_name

C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\props.conf
    [splunk_web_service]
    EXTRACT-useragent = userAgent=(?P<browser>[^ (]+)
    [splunkd]
    EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*)\s+(?P<component>[^ ]+) (?:\[(?P<thread_id>\d+)\s)?(?:(?P<thread_name>[^\]]+)\]\s)?- (?P<event_message>.+)
Hi @hahhhaxin , try to put the props.conf also on the UF. Ciao. Giuseppe
Hello @Meett , Thank you for the quick response! I appreciate your insight. If the Splunk Add-on for Microsoft Office 365 doesn’t natively support Azure China, are there any recommended workarounds or custom configurations (e.g., modifying inputs.conf or using custom scripts) that could enable data collection for China tenants? Alternatively, are there other Splunk-supported methods or integrations that you’d recommend for ingesting Microsoft Office 365 logs from Azure China tenants? For instance, could a custom API integration with the Graph API endpoint https://microsoftgraph.chinacloudapi.cn be a feasible approach? Looking forward to your thoughts! Regards, Tilakram
Hello @Tilakram, the add-on doesn't support Azure China by default, so I am afraid I can't say whether it will work or not.
Thank you for your advice. I did try, but it seems impossible to store data anywhere :<
Background: the designed Windows log flow is Splunk Universal Forwarder agent -> Splunk Heavy Forwarder -> Splunk Indexer. The path is monitored with inputs.conf on the Universal Forwarder like this:

[monitor://D:\test\*.csv]
disabled=0
index=asr_info
sourcetype=csv
source=asr:report
crcSalt=<SOURCE>

The example content of one of the csv files is like below:

cn,comment_id,asr_number,created_by,created_date
zhy,15,2024-10-12-1,cc,2024-10-28 18:10
bj,10,2024-09-12-1,cc,2024-09-12 13:55

For the 2 indexed rows, the field extractions are good except _time. For the first row, _time is 10/12/24 6:10:00.000 PM; for the second row, _time is 9/12/24 1:55:00.000 PM.

Question: how to make _time be the real ingested time instead of guessing from the row content? (Tried DATETIME_CONFIG = CURRENT in props on both the HF and the indexer, like:

[source::asr:report]
DATATIME_CONFIG = CURRENT

but it does not work.)
@ww9rivers Did you end up finding a solution for this? We have run into the same issue. We have noticed that once the user has authenticated and the token is active that it only remains active until the "Get User Info time-to-live" timeframe that is located under Attribute Extensions in the SAML Configuration.
Is there any way I can transform these logs once I receive them in Splunk (Cloud)? These are nginx error logs which contain sensitive data, and in nginx we cannot sanitize the error_logs. Any suggestions will be highly appreciated.
I'm using a universal forwarder, hence the transforms are not working; I'd appreciate your response.
What time zone are you in? The time shown in the _time field is in your local time zone which appears to be 5 hours different from the time in the log. Is this the discrepancy you are seeing?
Depending on what your _raw event looks like, you may have to set MAX_TIMESTAMP_LOOKAHEAD, as the default lookahead is only 128 characters. Also make sure the raw event doesn't have any whitespace between the JSON name/value; you're not allowing for any whitespace in your regex.
See https://www.splunk.com/en_us/partners/become-a-partner.html for how to become a Splunk partner. You are correct, the Developer license applies to Splunk Enterprise only, not Splunk Cloud. You can get Splunk Cloud for a fee, but I'm not sure how small it would be.  See https://www.splunk.com/en_us/products/pricing/platform-pricing.html for more information and to get an estimate.
Hey @PickleRick, I was testing using this:

curl -k http://splunk-hf-1729440419.us-east-1.alb.amazonaws.com:8088/services/collector -H "Authorization: Splunk ad9fe08e-68fb-4b07-876b-94f00bdd0d91" -d '{"event": "Hec Splunk Test"}' -v
1. It's much more convenient (and lets people search the content later) if you copy-paste text instead of posting pictures (structured text is best pasted into a preformatted-style paragraph or a code block).
2. Here we only see the result of your action. We have no idea what exactly you did.
Hey, I am facing the following issues when sending data using a HEC token. The connection has been established with no issue, but I am getting the following error message with HEC. Any recommendations to resolve this issue will be highly appreciated. Thank you!

[http]
disabled = 0
enableSSL = 0

is also there.
Hi, We’re not currently partners, could you please elaborate on what steps are needed to become one? Additionally, IIUC, the developer license does not provide access to a cloud instance, is that accurate? Lastly, would it be possible to pay a small fee to obtain a cloud instance specifically for development purposes? Many thanks in advance for your help!  
What exactly do you mean by "Splunk Cloud Stack"? I’ve started a 14-day trial, but it seems that the API is not enabled.
1) OK, but search is Splunk's app. Your settings should be in your own app.
2) Is the HEC endpoint on the indexer? If not, the props aren't doing anything. Make sure the props are on the same instance as HEC.
4) As Yoda would say, "do or do not, there is no try"
@richgalloway
1. Props is installed in the search app.
2. The setting is on the indexer itself and I am using the endpoint below.
3. Endpoint is: services/collector/raw
4. I will try and add %Z in my current props.
Thanks