Hi, I have some newbie questions. We need to collect Windows/Linux logon events and send them to another system using a forwarder.
1. For Windows, we understand that the options for collecting event logs are: (i) install a forwarder on each Windows machine, or (ii) collect the logs remotely over WinRM using a heavy forwarder. Is this correct, or are we missing some options? What is the most common way? In case a forwarder is installed on each machine, does each one send the data to the indexer, or is it common to use a central forwarder and send to the indexer from there?
2. Are the options similar in Linux? What is the common way?
3. The other system will need to correlate the events with a list of machines it gets from somewhere else, where the machines might appear as the IP address or the hostname, and it has no way to perform DNS lookups. Is it possible to configure Splunk to forward both IP and hostname/FQDN as part of the event?
Thanks, Gabriel
Is there a way or command to make the table results look like the expected output?

Current data:
hostname   ip            database_status  internet_status  proxy_status
server101  192.168.10.2  online           online           offline
server102  192.168.10.3  offline          online           offline

Expected output:
hostname   ip            status
server101  192.168.10.2  database_status = "online" internet_status = "online" proxy_status = "offline"
server102  192.168.10.3  database_status = "offline" internet_status = "online" proxy_status = "offline"
I just upgraded to the WiredTiger KV store. I was told that it will improve the performance. How can I verify that? Does the location path change after upgrading to WiredTiger?
Hi Splunk experts!! Please tell me how to bring the deepest data up through multiple subsearches. Of course, if there is another way to do it than subsearch, we can use that method as well. I understand that when using multiple subsearches, each subsearch is just passing field results to the subsearch above it. But can the data of any field in the first subsearch also be passed to the next subsearch? (same for the second to third subsearch) I am thinking that this is difficult with subsearch because subsearch just passes fields in AND. I believe it can be done with join or stats. But how should I do it?

index=cmdb sourcetype=crm host="fwd-splunk-fwd01a" LogicalName="new_contract"
  (Attributes.KeyValuePairOfstringanyType{}.new_item_name="DC_Connection" OR Attributes.KeyValuePairOfstringanyType{}.new_circuit.Name="*DC*")
  [| search index=cmdb sourcetype=crm host="fwd-splunk-fwd01a" LogicalName="new_circuit"
      FormattedValues.KeyValuePairOfstringstring{}.statecode="active"
      FormattedValues.KeyValuePairOfstringstring{}.statuscode="active"
      FormattedValues.KeyValuePairOfstringstring{}.new_circuit_status="contracted"
      [| search index=cmdb sourcetype=crm host="fwd-splunk-fwd01a" LogicalName="new_circuit_authority"
          FormattedValues.KeyValuePairOfstringstring{}.statecode="active"
          FormattedValues.KeyValuePairOfstringstring{}.statuscode="active"
          FormattedValues.KeyValuePairOfstringstring{}.new_trouble_mail_receive_flag="yes"
          FormattedValues.KeyValuePairOfstringstring{}.new_valid_flag="yes"
          [| search index=cmdb sourcetype=crm host="fwd-splunk-fwd01a" LogicalName="new_contactpoint"
              FormattedValues.KeyValuePairOfstringstring{}.statecode="active"
              FormattedValues.KeyValuePairOfstringstring{}.statuscode="active"
              Attributes.KeyValuePairOfstringanyType{}.new_cp_code="CP30058460"
            | fields Attributes.KeyValuePairOfstringanyType{}.new_contactpointid
            | stats latest(*) AS * by Attributes.KeyValuePairOfstringanyType{}.new_contactpointid
            | rename Attributes.KeyValuePairOfstringanyType{}.new_contactpointid AS Attributes.KeyValuePairOfstringanyType{}.new_contactpoint.Id
            | format ]
        | fields Attributes.KeyValuePairOfstringanyType{}.new_circuit.Name
        | stats latest by Attributes.KeyValuePairOfstringanyType{}.new_circuit.Name
        | rename Attributes.KeyValuePairOfstringanyType{}.new_circuit.Name AS Attributes.KeyValuePairOfstringanyType{}.new_circuit_code
        | format ]
    | stats latest by Attributes.KeyValuePairOfstringanyType{}.new_circuit_code
    | fields Attributes.KeyValuePairOfstringanyType{}.new_circuit_code
    | rename Attributes.KeyValuePairOfstringanyType{}.new_circuit_code AS Attributes.KeyValuePairOfstringanyType{}.new_circuit.Name ]
| fields Attributes.KeyValuePairOfstringanyType{}.new_circuit.Id
| stats latest by Attributes.KeyValuePairOfstringanyType{}.new_circuit.Id
I would like to search for each value in an extracted field. My initial query is as follows:

index=moneta-pro "IPN Post API execution started for the orderRefNo" AND "printOs"
| rex field=_raw "(?ms)^(?:[^ \\n]* ){9}(?P<orderId>\\d+)" offset_field=_extracted_fields_boundsd_fields_bounds
| table orderId
| dedup orderId

which returns the following. Now I'd like to use each value in orderId in a search and append the results to the above table, for example to check the status of the order. An individual query should look like:

index=* " Received response status code as 200 and the message body as" AND orderId=<<each dynamic value from above table>>
I don't know why I'm finding it so hard, but I want to put the accesses from Windows Event 5145 into a multivalued field and I just can't seem to figure it out. By default, Splunk just assigns the first value. So I've been trying to work with this:

| rex "Accesses:[\s]+(?<AccessList>[^v]*)[\v]+Access Check Results:"

04/25/2022 01:23:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=test.act.root
TaskCategory=Detailed File Share
OpCode=Info
RecordNumber=984613134
Keywords=Audit Success
Message=A network share object was checked to see whether client can be granted desired access.

Subject:
  Security ID: S-1-5-99-99999999-999999999-999999999-99999
  Account Name: XXXX
  Account Domain: act
  Logon ID: 0x999999

Network Information:
  Object Type: File
  Source Address: 10.1.1.100
  Source Port: 60000

Share Information:
  Share Name: \\fileshare\file.xxx
  Share Path: \??\O:\Shared\fileshare\file.xxx
  Relative Target Name: target\share

Access Request Information:
  Access Mask: 0x100081
  Accesses: SYNCHRONIZE
    ReadData (or ListDirectory)
    ReadAttributes

Access Check Results:
Hi, I have a timeline visualization as a panel for a dashboard. When I run the visualization as a standalone practice dashboard in the Search & Reporting app, it works as expected. However, when I run the EXACT same query with the same visualization format, it does not show the top of the timeline as required. The query used in both dashboards is as follows:

<panel>
  <viz type="event-timeline-viz.event-timeline-viz">
    <search>
      <query>index=fraud_glassbox sourcetype="gb:hit" SESSION_UUID="652a0e70-bfdf-11ec-9d96-005056bf9975"
| rename URL_PATH as label
| eval time_epoch = strptime('SESSION_TIMESTAMP', "%Y-%m-%d %H:%M:%S")
| convert ctime(time_epoch) as hour_minute timeformat="%Y-%m-%d %H:%M"
| strcat hour_minute ":" SEQUENCE combo_time
| rename combo_time as start
| eval tooltip = label
| table label, start, tooltip</query>
      <earliest>-7d</earliest>
      <latest>now</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="drilldown">none</option>
    <option name="event-timeline-viz.event-timeline-viz.backgroundColor">#ffffff</option>
    <option name="event-timeline-viz.event-timeline-viz.eventColor">#d5ddf6</option>
    <option name="event-timeline-viz.event-timeline-viz.maxZoom">3600000</option>
    <option name="event-timeline-viz.event-timeline-viz.minZoom">60000</option>
    <option name="event-timeline-viz.event-timeline-viz.orientation">top</option>
    <option name="event-timeline-viz.event-timeline-viz.stack">true</option>
    <option name="event-timeline-viz.event-timeline-viz.tokenAllVisible">tok_et_all_visible</option>
    <option name="event-timeline-viz.event-timeline-viz.tokenData">tok_et_data</option>
    <option name="event-timeline-viz.event-timeline-viz.tokenEnd">tok_et_end</option>
    <option name="event-timeline-viz.event-timeline-viz.tokenLabel">tok_et_label</option>
    <option name="event-timeline-viz.event-timeline-viz.tokenStart">tok_et_start</option>
    <option name="event-timeline-viz.event-timeline-viz.tooltipDateFormat">DD-MMM-YYYY</option>
    <option name="event-timeline-viz.event-timeline-viz.tooltipTimeFormat">h:mm:ss A</option>
    <option name="height">346</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.scales.shared">1</option>
    <option name="trellis.size">medium</option>
  </viz>
</panel>

What may be the reason for this? Thanks, Patrick
Hi, I managed to get my regex101 expression working; however, I am not able to get it working in Splunk. I would like to extract only the location IDs that are listed in _raw if they are preceded by the text "Location not found.ID: ".

Test string: Location not found. ID: ABC000123244343
Regex101 copied value: /[ABC0]\w+[a-zA-Z0-9]/gm

However, when I tried the below in Splunk it didn't give me the results I expected:

| from datamodel:"xyzlogs"
| fields _raw
| where like(_raw,"%Location not found.ID: ABC000%")
| rex field=_raw "(?P<Location_id>/[ABC0]\w+[a-zA-Z0-9]/gm)"

Any help would be appreciated. Thank you.
Hi, I’m trying to make a stacked bar chart visualization where my y axis is milliseconds, my x axis is a task ID, and I’m splitting by a stage ID. My query is:

| chart max("duration") over task_id by "stage_id"
| table task_id, stage_1, stage_2, stage_3, *

In my results, tasks where stage 1 occurred are so long that they make all the other bars look really tiny. Is there something I could add to my query to filter out the task_ids where stage_1 occurred?
Hi All, I have set up Splunk behind a reverse proxy and all works fine when the port used by the proxy to receive traffic is 443; however, when the host port in docker-compose is changed and a root_endpoint is being used, Splunk returns "404 page not found".

Example 1 - Splunk-Traefik-without-Root-Endpoint
https://gist.github.com/lluked/771a1f7f9bbd8ef2581e8828f3b25f9e

When the proxy (Traefik) host port is mapped to 443, Splunk is accessible at https://localhost:443

ports:
  - "80:80"
  - "443:443"

When the proxy (Traefik) host port is mapped to 8443, Splunk is accessible at https://localhost:8443

ports:
  - "80:80"
  - "8443:443"

Both of these scenarios work as expected.

Example 2 - Splunk-Traefik-with-Root-Endpoint
https://gist.github.com/lluked/438b10a6321ff50feb8d704690a0cafc

When the proxy (Traefik) host port is mapped to 443, Splunk is accessible at https://localhost:443/splunk

ports:
  - "80:80"
  - "443:443"

When the proxy (Traefik) host port is mapped to 8443, Splunk returns error 404 at https://localhost:8443/splunk

ports:
  - "80:80"
  - "8443:443"

When the proxy (Traefik) host port is mapped to 443, but this is on a VM and a port on the host is mapped to 443, Splunk returns error 404 again (for example using Vagrant and mapping 8443 on the host to 443 on the VM and visiting https://localhost:8443/splunk)

ports:
  - "80:80"
  - "443:443"
config.vm.network "forwarded_port", id: "traefik_websecure", host: 8443, guest: 443

It's like Splunk is detecting that requests are coming from a different port and throwing a 404, but only when root_endpoint is being used, and I cannot find any documentation relating to this. Please can anyone help?
Hi, I need to set a new index and set new metadata at the same time in transforms.conf, based on the host name. New index=switchoob, new metadata=tecnologia. Like this:

[force_IndexVMW]
SOURCE_KEY = MetaData:Host
REGEX = ^ob\w+
DEST_KEY = _MetaData:Index
FORMAT = switchoob

[force_tecnologiaVMW]
SOURCE_KEY = MetaData:Host
REGEX = ^ob\w+
DEST_KEY = _meta
FORMAT = NFV_SITE::DC02_MIBER tecnologia::vmw

I have tried to find the "More than one DEST_KEY" article but the link is wrong. Thank You
I have a log I am trying to parse, one of the responses: Field Value Test Response Response Test Testing_Response. For the value "Testing_Response" I would like it to display "Testing" in the results.
Hey there Splunk community. I'm new here and I would appreciate some help if it is possible. I'm running a Python script that generates a 4 line event inside my Splunk app. The strange thing about it is that it always generates the same amount of characters (spread across 4 lines) and my events still break into 2 linecounts 20% of the time. I don't see any pattern whatsoever. Is there a way to solve this?
Hi All, thank you all so much for helping me. This is a great forum to learn. I have 2 date fields and I'd like to get the difference in days and whether they are over certain thresholds: <30, >30, >60, >120. For example:

Current-Date  Open-Date   Diff Days  Metric
4/25/2022     4/23/2022   2          <30
4/25/2022     3/15/2022   41         >30
4/25/2022     2/15/2022   69         >60
4/25/2022     12/25/2021  121        >120
4/25/2022     4/1/2022    ??         ??
4/25/2022     11/25/2021  ??         ??
4/25/2022     1/15/2022   ??         ??
Background: I would like to create a dashboard with dropdowns that allow the underlying queries that create the charts to filter differently depending on dropdown values. For performance reasons, I'd also want the dashboards to be powered by saved searches.

Setup:
- Dropdowns
- Saved searches on unfiltered queries
- Chain searches referencing the saved searches and filtering by dropdown value

Problem: When I did the chain search with the dropdown token value, the token does not get translated into a value. For instance: my dropdown's token is called "dd". When I do my chain search with " | search myfield="$dd$" ", the query does not return anything. If I open the entire search query, it shows I am trying to do:
<saved search query> | search myfield="$dd$"
The expectation would be instead:
<saved search query> | search myfield="<my dd value>"
Is this not supported?
Hi Team, currently Splunk offers the 3.3.0 Add-on for Symantec Endpoint Protection (aka SEP), which is an on-premise product, but Symantec also has a completely cloud-based solution called Endpoint Security (aka SES) that requires an integration with an API. I would like to know how Splunk is managing this kind of integration. My questions are:
1. Is there an Add-on available that enables Splunk to collect data from the SES Cloud API?
2. If not, what is the recommendation from Splunk to get the SES logs into the SIEM?
3. When is an agent going to be available, even for an intermediate connection?
Best Regards
When will this app be updated to support Python 3/jQuery 3.5?
Hey, I am working on making a dashboard and wanted to know how I can subtract two dates that are in ISO 8601 format. Please refer to the snippet of JSON below:
{ "startTime": "2022-04-25T01:02:19.221Z", "endTime": "2022-04-25T01:57:59.417Z" }
When will this app be updated to be compliant with jQuery 3.5?