Hi All, I've got a generic syslog app which pulls in EVERYTHING in the syslog directory with the sourcetype=syslog-unconfigured inputs.conf     [monitor:///var/log/syslog-ng/*/messages] index = syslog sourcetype = syslog:unconfigured host_segment = 4       This is done so we can catch any new syslog devices that were not configured to go to the correct sourcetype. We have a props.conf that routes data to the right index/sourcetype depending on the hostname. props.conf     # InfoBlox [source::/var/log/syslog-ng/(10.164.55.55|10.9.55.56|prodinfoblox1|prodinfoblox2)/messages] TRANSFORMS-reroute_index = route_to_index_infoblox TRANSFORMS-reroute_sourcetype = route_to_sourcetype_infoblox:file TZ=UTC     transforms.conf     [route_to_index_infoblox] REGEX = . DEST_KEY = _MetaData:Index FORMAT = infoblox [route_to_sourcetype_infoblox:file] REGEX = . DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::infoblox:file     Now the above props.conf with a regex for matching on the host in the source doesn't work. However naming each individually does or with a basic wildcard     # InfoBlox [source::/var/log/syslog-ng/10.164.55.55/messages] TRANSFORMS-reroute_index = route_to_index_infoblox TRANSFORMS-reroute_sourcetype = route_to_sourcetype_infoblox:file TZ=UTC [source::/var/log/syslog-ng/10.9.55.56/messages] TRANSFORMS-reroute_index = route_to_index_infoblox TRANSFORMS-reroute_sourcetype = route_to_sourcetype_infoblox:file TZ=UTC [source::/var/log/syslog-ng/prodinfoblox*/messages] TRANSFORMS-reroute_index = route_to_index_infoblox TRANSFORMS-reroute_sourcetype = route_to_sourcetype_infoblox:file TZ=UTC     I've tried escaping the slashes but that doesn't work either.     # This also doesn't work [source::\/var\/log\/syslog-ng\/(10.164.55.55|10.9.55.56|prodinfoblox1|prodinfoblox2)\/messages]       Anyone have any ideas how to get the regex to work in the source:: stanza? Some of these devices have up to 30 hosts and having it all as a one liner would make things much cleaner. Also I'm aware I can do this in transforms.conf with something like this but then I'd need the source match in two spots which is prone to user error.         [route_to_index_infoblox] SOURCE_KEY = Metadata:Source REGEX = \/var\log\syslog\/(192.168.1.1|192.168.1.2|etc.) DEST_KEY = _MetaData:Index FORMAT = infoblox [route_to_sourcetype_infoblox:file] SOURCE_KEY = Metadata:Source REGEX = \/var\log\syslog\/(192.168.1.1|192.168.1.2|etc.) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::infoblox:file           There has to be something just slightly off with my regex.

Hello. I'm seeing a lot of articles in web searches about turning on https for HEC, but approximately zilch on turning it off. I did find: Whether the HTTP Event Collector server protocol is HTTP or HTTPS. 1 indicates HTTPS is enabled; 0 indicates HTTP. The default value is 1. HTTP Event Collector shares SSL settings with the Splunk Enterprise instance and can't have enableSSL settings that differ from the settings on the Splunk Enterprise instance.   We need HEC to run without TLS, and can live with the Web UI not having TLS too if that'll help with HEC. But if I toss: [http] disabled = 0 enableSSL = 0 ...into /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf and restart splunk, then HEC continues to demand https, and /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf is rewritten automatically to: [http] disabled = 0 enableSSL = 1 What do I need to do to make HEC use http, not https? (We realize that https is more secure.  For our production splunk we'll use https, but for our team's development environments it just makes more sense to use http.  I've not discussed why, but I suspect https is proxied somehow)  Thanks!

I have a lookup table that lists all users along with their department like so:   email department --------------------------------------- user1@company.com Sales user2@company.com Engineering user3@company.com Accounting user4@company.com Sales user5@company.com HR     I also have an index that list events for a particular application. The index contains lots of fields, but for my purposes, I'm really only interested in _time and actor.email. My goal is to count the number of days per week every user in a given department logs events in the index even if that number is zero.  I can get pretty close to what I want with this search:   index=whatever <base search here> | lookup user.csv email as actor.email OUTPUT department | bin _time span=1d | search department="Sales" | stats count as numEvents by _time, actor.email | eval weekNumber = strftime(_time,"%U") | stats dc(_time) as numDays by actor.email, weekNumber | xyseries actor.email, weekNumber, numDays     The problem with this search is that if there is a user in the lookup table who returned zero events during that time frame, they won't appear in the results.  I considered trying to append [|inputlookup user.csv] to the search, but because my append doesn't include a _time field, I can't get everything to line up correctly.   How do I run a search for every user in the correct department in the lookup table and return zero events per week if they didn't interact with the system?

Hi, I have created a field, "from", which is a concatenation of 2 string fields, as follows: index = ..... | eval time_epoch = strptime('SESSION_TIMESTAMP', "%Y-%m-%d %H:%M:%S") | convert ctime(time_epoch) as hour_minute timeformat="%Y-%m-%d %H:%M" | strcat URL_PATH ":" SEQUENCE from | table  from The "from" field is made up of a URL string , a : character and then a number in string format. I need to create another field "to", so that for each Nth event where the respective "from" value ends in the number N, the corresponding "to" has  the URL for the (N+1) event, : and (N+1)th value. Example: from                                                  to ....:1                                                       ......:2 .....2                                                       .......:3 .....:3                                                      .......:4 ........................................ .........N                                                  <BLANK> In this way, the last value of the "from" field would have a blank "to" value. Essentially, I need to slid the "from" values up by 1 and name this other field as "to". I have tried Regex and different eval combinations but no success. Can you please help? Many thanks, P

Hello my fellow Splunkers, i am trying to use a second index as a lookup for a field in the first index index=products contains the products serialNumbers1 index=inventory contains the products serialNumbersAll and productsNames serialNumbers1 is a subset of serialNumbersAll i need to table serialNumbers1 and the equvelant productsNames example: (index=products OR index=inventory) |table serialNumbers1 serialNumbersAll productsNames we get serialNumbers1 serialNumbersAll productsNames 111 222 333 444                                    111                           apple                                     222                          orange                                     333                          banana                                     444                          kiwi                                     555                                     666                                     777                                     888                                  the desired output is serialNumbers1 serialNumbersAll productsNames 111                                                              apple 222                                                              orange 333                                                              banana 444                                                              kiwi                                111                               apple                                 222                              orange                                333                               banana                                444                               kiwi                                555                               lemon                                666                               vege                                777                               potatoes                                888                               sweet potatoes notes: i have a huge set of data more than 200K so using eventstats is not an option as it hits the limit, increasing the limit is not an option also using a lookup table is not an option for me as well

Have a requirement to get Cisco AMP events into Splunk Cloud.  For Splunk Enterprise, I use python, but with no access to the back-end, how is it done in Cloud?  Their is no "Cisco AMP" TA, so at a loss (for the moment). 

Hello all, We receive the "splunkd.log" from every Universal Forwarder into our "_internal" index.  There are some events with log_level=ERROR that I need to analize, some of them are related to PowerShell script execution errors. The issue with this events is that the script outputs the error in several lines and the event is splitted in multiple events, all of them with the same "_time" (in the image below, the field "a_fechahora" is = _time)   I was able to merge the "a_mensaje" rows by "_time", but there are some issue with the order of the rows: E.g.  As you can see in green, the "Co" statement is incomplete, and it continues some lines below with the "mmandNotFoundException". Same happens with "or if a pat" (...) "h was included" Is this a common / known issue? Is there any way to prevent this messed lines in powershell outputs? Regards,

The advisory (https://www.splunk.com/en_us/product-security/announcements/svd-2022-0502.html) talks about Splunk Enterprise, but makes no mention of the Universal forwarder. Since UF has many of the same API features as Enteprise, and I do see verboseLoginFailMsg = true when running the btool utility, my assumption is that the UF is also vulnerable. Can someone confirm: 1. If my assumption is correct 2. If the same mitigation can be performed (so we can use deployment server to resolve) 3. Which version of UF is not vulnerable.   Thanks, Gord T.