Hello, I would like to save/dump to a (text or binary) file the network metadata that is forwarded from an endpoint. Does Splunk Stream support such a feature? Checked the documentation and didn't find anything related. Thank you!

At the beginning of February this year we started ingesting events from Autosys prod and non-prd servers.  All was going well until the end of the month.  At 23:59 on 28th Feb, events stopped appearing in the index to which they are being ingested.  A few days later they started again at midnight.  None of the missed events were collected.  The log files for Autosys roll over at midnight so I would not expect events during the missing time period to be collected as the files would have been renamed. This has happened every month since.  In March the events started coming in on 3rd, April it was 4th, May on  5th and June they appeared again on the 6th.  The only pattern I can see is that events reappear on the day of the month that equals the number of the month - ie 3/3, 4/4, 5/5 and 6/6.  If that is the case, then events will not appear in July until 7th. How can this be?  I can see no _internal messages that help. Can someone shed some light on this?  Thanks

Hi, I have installed httpd using the command "yum install httpd" but when i see the status it is showing as not active. ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled) Active: inactive (dead) Docs: man:httpd(8) man:apachectl(8). I am not able to start/run apache. How do we configure Apache 2.4.* above version in linux server?

I want to upload several csv files and I hope that each csv file can be a separate chart instead of adding to an existing chart.  Maybe I will upload more csv files later, and I want that each of them can be a separate chart, too. But I can't work out.

Hi Team, Good Day!! Please note that we chose the cluster Architecture for Splunk Phantom SOAR and the components are (3 Nodes- Node1, Node2 & Master Node, HA/Load Balancer, PostgreSQL DB, GlusterFS and Splunk embedded) here my concern is how to carry the installation of Splunk embedded on Splunk Phantom, since it's a separate component in my environment. is there any specific installer(RPM) for this? Could you help me with any docs or any sequence of steps for the initial installation of SOAR on Cluster. Thanks in Advance. Regards, Yeswanth M,

Hello All, I am having an issue where log ingestion have delay for hours after I updated Splunk License. License got expired and after 24 hours we got a renewed license but after updating it the log are coming very late by few hours. Before reaching out to Splunk, I wanted to check if its because of the new License or may

Below is the error I am receiving on my splunkd.log on the Windows Splunk UF. The deployment server functionality is working correctly and able to send apps to the endpoint, just the data from the UF to the indexer is not working. When I do a netstat -ano from the Windows host with the UF, there is a connection that is established (as well as the Splunk Indexer side).  07-04-2021 11:28:56.555 -0400 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.  I have made sure that there is a path from the host to Splunk on the FW and there is no inspection that occurs.  I have a Splunk Index cluster with 3 indexers and a Cluster Master that is also has indexer discovery configured. I thought that there might be something wrong with the clustered setup, but i created a AIO Splunk instance just to test and still get the same message. The deployment server feature is functioning just fine. I am able to push out apps the UF. On the server side I get the following error messages on my indexer: 07-04-2021 11:28:55.535 -0400 ERROR TcpInputProc - Error encountered for connection from src=xxx.xxx.xxx.9:37765. Read Timeout Timed out after 600 seconds. Thanks in advance and looking forward to any help.

which props.conf setting does splunk use to extract interesting fields from _raw field. I am trying to use collect command to get _raw data from one index into another. However, it does not extract interesting fields. If I give sourcetype=splunkd. It extracts interesting fields. I understand using a different sourcetype other than stash will take license usage. So, I should be able to create a custom field extraction for the stash source file paths without taking any license. I did a ./splunk btool props list splunkd and this is what it shows.   [splunkd] ADD_EXTRA_TIME_FIELDS = True ANNOTATE_PUNCT = True AUTO_KV_JSON = true BREAK_ONLY_BEFORE = BREAK_ONLY_BEFORE_DATE = True CHARSET = UTF-8 DATETIME_CONFIG = /etc/datetime.xml DEPTH_LIMIT = 1000 DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*)\s+(?P<component>[^ ]+) - (?P<event_message>.+) HEADER_MODE = LB_CHUNK_BREAKER_TRUNCATE = 2000000 LEARN_MODEL = true LEARN_SOURCETYPE = true LINE_BREAKER_LOOKBEHIND = 100 MATCH_LIMIT = 100000 MAX_DAYS_AGO = 2000 MAX_DAYS_HENCE = 2 MAX_DIFF_SECS_AGO = 3600 MAX_DIFF_SECS_HENCE = 604800 MAX_EVENTS = 256 MAX_TIMESTAMP_LOOKAHEAD = 40 MUST_BREAK_AFTER = MUST_NOT_BREAK_AFTER = MUST_NOT_BREAK_BEFORE = SEGMENTATION = indexing SEGMENTATION-all = full SEGMENTATION-inner = inner SEGMENTATION-outer = outer SEGMENTATION-raw = none SEGMENTATION-standard = standard SHOULD_LINEMERGE = false TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z TRANSFORMS = TRUNCATE = 20000 detect_trailing_nulls = false maxDist = 100 priority = sourcetype = termFrequencyWeightedDist = false   for default stanza, it shows :   [default] ADD_EXTRA_TIME_FIELDS = True ANNOTATE_PUNCT = True AUTO_KV_JSON = true BREAK_ONLY_BEFORE = BREAK_ONLY_BEFORE_DATE = True CHARSET = UTF-8 DATETIME_CONFIG = /etc/datetime.xml DEPTH_LIMIT = 1000 DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false HEADER_MODE = LB_CHUNK_BREAKER_TRUNCATE = 2000000 LEARN_MODEL = true LEARN_SOURCETYPE = true LINE_BREAKER_LOOKBEHIND = 100 MATCH_LIMIT = 100000 MAX_DAYS_AGO = 2000 MAX_DAYS_HENCE = 2 MAX_DIFF_SECS_AGO = 3600 MAX_DIFF_SECS_HENCE = 604800 MAX_EVENTS = 256 MAX_TIMESTAMP_LOOKAHEAD = 128 MUST_BREAK_AFTER = MUST_NOT_BREAK_AFTER = MUST_NOT_BREAK_BEFORE = SEGMENTATION = indexing SEGMENTATION-all = full SEGMENTATION-inner = inner SEGMENTATION-outer = outer SEGMENTATION-raw = none SEGMENTATION-standard = standard SHOULD_LINEMERGE = True TRANSFORMS = TRUNCATE = 10000 detect_trailing_nulls = false maxDist = 100 priority = sourcetype = termFrequencyWeightedDist = false   I verified the data and it is not in json format. So, AUTO_KV_JSON would not apply to it. The only thing I could find in transforms and props.conf which separate fields based upon "=" is   [ad-kv] CAN_OPTIMIZE = True CLEAN_KEYS = True DEFAULT_VALUE = DEPTH_LIMIT = 1000 DEST_KEY = FORMAT = KEEP_EMPTY_VALS = False LOOKAHEAD = 4096 MATCH_LIMIT = 100000 MV_ADD = true REGEX = (?<_KEY_1>[\w-]+)=(?<_VAL_1>[^\r\n]*) SOURCE_KEY = _raw WRITE_META = False   which is being called by    [ActiveDirectory] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+---splunk-admon-end-of-event---\r\n[\r\n]*) EXTRACT-GUID = (?i)(?!=\w)(?:objectguid|guid)\s*=\s*(?<guid_lookup>[\w\-]+) EXTRACT-SID = objectSid\s*=\s*(?<sid_lookup>\S+) REPORT-MESSAGE = ad-kv # some schema AD events may be very long MAX_EVENTS = 10000 TRUNCATE = 100000    

trying to forward logs from node process that runs on a raspberry pi model 3b the error i get when i try ti run the splunk universal forwarder on my pi running the file command on the splunk executable returns this result:   of course i downloaded the arm version of the universal forwarder. any help will be much appreciated  rpi specs: os details: