So the time is out by exactly 5 hours which represents your timezone, therefore it is correct. Are there any other discrepancies apart from this (which is now accounted for)?
Wait, but if your local timezone is EST and your profile is configured with EST, that's actually the proper timestamp. The source is reporting 14:15 UTC so it's 9:15 EST
Hold up there. You're mixing different things.

1. Deployment server is a component used to distribute apps to forwarders, sometimes standalone indexers or standalone search heads. It is _not_ used for managing clustered indexers!
2. You don't send data to the CM! CM manages configuration and state of the indexers but isn't involved in indexing and/or processing the incoming data.
3. I have no idea why you're extracting the fqdn as an indexed field. (True, if you're often doing tstats over it, it can make sense, but you also probably normalize your data to CIM so you can do tstats over the dataset.)
4. Are you sure you need so many indexes? (Just asking - maybe you indeed do; but people tend to be "trigger-happy" with creating too many indexes.)
5. I think you should overwrite the index field with := rather than simply assign a new value with =.
6. You know it will be slow, right? Why not do it one step earlier - on your syslog daemon?
Dear splunkers, while tuning Splunk Enterprise, we were required to change every connection between Splunk instances from IP address to domain name. Everything in server.conf is done except this. So, is it possible to change these Peer URIs from IP address to domain name, and where can we find this configuration? Thanks & best regards, Benny
Hi @hahhhaxin , it's really difficult to read the output of the btool. Do you have this configuration on the UF? I don't see DATATIME_CONFIG = CURRENT in your output on the UF. Ciao. Giuseppe
@PickleRick I already tried and added the attribute under props, but this is also not working: "TIMESTAMP_FIELDS = time", and I added KV_MODE=json.
Hi @fahimeh , you have to use the add-on "CCX Add-on for ManageEngine Products (ADAudit Plus)" (https://splunkbase.splunk.com/app/7004) from Splunkbase and follow the instructions. Ciao. Giuseppe
It kinda makes sense. With SAML authentication you don't actually authenticate against the SP but against the IdP and then pass the assertions around. How do you expect it to work when you don't authenticate against the IdP?
I'm not 100% sure if "normal" time extraction works with indexed extractions. You could try setting TIMESTAMP_FIELDS. Also - why indexed extractions? Why not just KV_MODE=json?
@ITWhisperer The server is on EST time.

@bowesmana I have tried the settings below but nothing works for me. Is there any workaround I need to apply?

CHARSET = UTF-8
#AUTO_KV_JSON = false
DATETIME_CONFIG =
#INDEXED_EXTRACTIONS = json
KV_MODE = json
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
MAX_TIMESTAMP_LOOKAHEAD = 550
TIME_PREFIX = time:\s+
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%Z
category = Custom
pulldown_type = true

Example pattern of event:

{
  classofpayload: com.v.decanter.deca.generic.domain.command.PurgeCommand
  data: {
    batchSize: 1000
    retentionMinutes: 43200
    windowDurationSeconds: 600
  }
  datacontenttype: application/json
  id: 32e31ec6-2362-4b46-966e-ec4bdbb3llbe
  messages: [ ]
  source: decanter-scheduler
  spanid: 0000000000000000
  specversion: 1.0
  time: 2024-11-18T04:15:00.057785Z
  traceid: 00000000000000000000000000000000
  type: PurgeEventOutbox
}
I want to import ADAudit logs into Splunk but I don't know how. The important thing is that I want to do this starting from the oldest logs, not only from now on.
@gcusello here is the btool output:

PS C:\Program Files\SplunkUniversalForwarder> .\bin\splunk.exe btool props list --debug | Select-String -Pattern "etc\\apps"

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\props.conf  [(::)?...]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\props.conf  CHECK_FOR_HEADER = false
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\props.conf  priority = 10001
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  [20240821_131904]
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  MAX_TIMESTAMP_LOOKAHEAD = 41
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  SHOULD_LINEMERGE = False
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  is_valid = True
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  [WindowsUpdate]
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  MAX_TIMESTAMP_LOOKAHEAD = 48
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  SHOULD_LINEMERGE = False
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  is_valid = True
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  [WindowsUpdate-2]
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  MAX_TIMESTAMP_LOOKAHEAD = 48
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  SHOULD_LINEMERGE = False
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  is_valid = True
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  [WindowsUpdate-3]
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  MAX_TIMESTAMP_LOOKAHEAD = 48
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  SHOULD_LINEMERGE = False
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  is_valid = True
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  [WindowsUpdate-4]
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  MAX_TIMESTAMP_LOOKAHEAD = 48
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  SHOULD_LINEMERGE = False
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  is_valid = True
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  [WindowsUpdate-5]
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  MAX_TIMESTAMP_LOOKAHEAD = 48
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  SHOULD_LINEMERGE = False
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  is_valid = True
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  [WindowsUpdate-6]
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  MAX_TIMESTAMP_LOOKAHEAD = 48
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  SHOULD_LINEMERGE = False
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  is_valid = True
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  [WindowsUpdate-7]
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  MAX_TIMESTAMP_LOOKAHEAD = 48
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  SHOULD_LINEMERGE = False
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  is_valid = True
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  [WindowsUpdate-8]
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  MAX_TIMESTAMP_LOOKAHEAD = 48
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  SHOULD_LINEMERGE = False
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  is_valid = True
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  [WindowsUpdate-9]
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  MAX_TIMESTAMP_LOOKAHEAD = 48
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  SHOULD_LINEMERGE = False
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  is_valid = True
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  [first_install-too_small]
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  PREFIX_SOURCETYPE = True
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  SHOULD_LINEMERGE = False
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  is_valid = True
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  maxDist = 9999
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  [log2metrics_csv]
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  DATETIME_CONFIG =
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  INDEXED_EXTRACTIONS = csv
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  LINE_BREAKER = ([\r\n]+)
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  METRIC-SCHEMA-TRANSFORMS = metric-schema:log2metrics_default_csv
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  NO_BINARY_CHECK = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  category = Log to Metrics
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  description = Comma-separated value format. Log-to-metrics processing converts the numeric values in csv events into metric data points.
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  pulldown_type = 1
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  [log2metrics_json]
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  DATETIME_CONFIG =
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  INDEXED_EXTRACTIONS = json
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  LINE_BREAKER = ([\r\n]+)
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  METRIC-SCHEMA-TRANSFORMS = metric-schema:log2metrics_default_json
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  NO_BINARY_CHECK = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  category = Log to Metrics
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  description = JSON-formatted data. Log-to-metrics processing converts the numeric values in json keys into metric data points.
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  pulldown_type = 1
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  [log2metrics_keyvalue]
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  DATETIME_CONFIG =
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  LINE_BREAKER = ([\r\n]+)
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  METRIC-SCHEMA-TRANSFORMS = metric-schema:log2metrics_default_keyvalue
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  NO_BINARY_CHECK = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  TRANSFORMS-EXTRACT = metrics_field_extraction
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  category = Log to Metrics
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  description = '<key>=<value>' formatted data. Log-to-metrics processing converts the keys with numeric values into metric data points.
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  pulldown_type = 1
C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\props.conf  [scheduler]
C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\props.conf  EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*)\s+(?P<component>[^ ]+) - (?P<event_message>.+)
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  [source::...\\var\\log\\introspection\\disk_objects.log(.\d+)?]
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  TRANSFORMS-diskobjectsclone = introspection_disk_objects_log_clone
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  [source::...\\var\\log\\introspection\\resource_usage.log(.\d+)?]
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  TRANSFORMS-resourceusageclone = introspection_resource_usage_log_clone
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  [source::...\\var\\log\\splunk\\metrics.log(.\d+)?]
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  TRANSFORMS-metricslogclone = metrics_log_clone
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  [splunk-powershell.ps-2]
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  MAX_TIMESTAMP_LOOKAHEAD = 49
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  SHOULD_LINEMERGE = False
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  is_valid = True
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  [splunk-powershell.ps-too_small]
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  PREFIX_SOURCETYPE = True
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  SHOULD_LINEMERGE = False
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  is_valid = True
C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf  maxDist = 9999
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  [splunk_intro_disk_objects]
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  METRIC-SCHEMA-TRANSFORMS = metric-schema:introspection_disk_objects
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  TRANSFORMS-blah = metrics_index_redirect,introspection_disk_objects_metric_name
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  [splunk_intro_resource_usage]
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  METRIC-SCHEMA-TRANSFORMS = metric-schema:introspection_resource_usage
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  TRANSFORMS-bloo = metrics_index_redirect,introspection_resource_usage_metric_name
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  [splunk_metrics_log]
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  METRIC-SCHEMA-TRANSFORMS = metric-schema:metrics_dot_log
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf  TRANSFORMS-metricslog = metrics_index_redirect,metrics_field_extraction,metrics_log_metric_name
C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\props.conf  [splunk_web_service]
C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\props.conf  EXTRACT-useragent = userAgent=(?P<browser>[^ (]+)
C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\props.conf  [splunkd]
C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\props.conf  EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*)\s+(?P<component>[^ ]+) (?:\[(?P<thread_id>\d+)\s)?(?:(?P<thread_name>[^\]]+)\]\s)?- (?P<event_message>.+)
Hi @hahhhaxin , try to put the props.conf also on the UF. Ciao. Giuseppe
Hello @Meett , Thank you for the quick response! I appreciate your insight. If the Splunk Add-on for Microsoft Office 365 doesn’t natively support Azure China, are there any recommended workarounds or custom configurations (e.g., modifying inputs.conf or using custom scripts) that could enable data collection for China tenants? Alternatively, are there other Splunk-supported methods or integrations that you’d recommend for ingesting Microsoft Office 365 logs from Azure China tenants? For instance, could a custom API integration with the Graph API endpoint https://microsoftgraph.chinacloudapi.cn be a feasible approach? Looking forward to your thoughts! Regards, Tilakram
Hello @Tilakram, the add-on doesn't support Azure China by default, so I am not sure whether it will work or not.
Thank you for your advice. I did try, but it seems impossible to store the data anywhere :<
Background - the designed Windows log flow is Splunk Agent of Universal Forwarder -> Splunk Heavy Forwarder -> Splunk Indexer. The paths are monitored with inputs.conf in the Universal Forwarder like this:

[monitor://D:\test\*.csv]
disabled=0
index=asr_info
sourcetype=csv
source=asr:report
crcSalt=<SOURCE>

The example content for one of the csv files is like below:

cn,comment_id,asr_number,created_by,created_date
zhy,15,2024-10-12-1,cc,2024-10-28 18:10
bj,10,2024-09-12-1,cc,2024-09-12 13:55

For the 2 indexed rows, the field extractions are good except _time. For the first row, _time is 10/12/24 6:10:00.000 PM; for the second row, _time is 9/12/24 1:55:00.000 PM.

Question - How to make _time be the real ingested time instead of guessing from the row content? (Tried with DATETIME_CONFIG = CURRENT in both HF and indexer in props like:

[source::asr:report]
DATATIME_CONFIG = CURRENT

but it does not work.)
@ww9rivers Did you end up finding a solution for this? We have run into the same issue. We have noticed that once the user has authenticated and the token is active that it only remains active until the "Get User Info time-to-live" timeframe that is located under Attribute Extensions in the SAML Configuration.
Is there any way I can transform these logs once I receive them in Splunk (Cloud)? These are nginx error logs which contain sensitive data, and in nginx we cannot sanitize the error_log. Any suggestions will be highly appreciated.
I'm using a universal forwarder, hence the transforms are not working. I appreciate your response.