I recently upgraded my search head cluster to 9.x and since then my skipped/deferred searches have skyrocketed.

index=_internal source=*scheduler.log status=* | timechart span=60s count by status
Hello! I'm using a text input box to input a username. If I were to simply put that username into my base search, it works great and is very quick. I have other search input parameters, so my problem is that if I DON'T specify a username, I want it to include all values. This includes null values. I started by using an asterisk as the default input value, but that doesn't include null values. The only way I've been able to make this partially work is by removing the username from the base search, then using an eval command to give the null entries a value, and then search the base results for either "*" to include everything, or the username I typed in. This is horribly inefficient because I have to search my entire database for every entry before I can filter it. I also think this doesn't work properly because it has a limit on the number of results in the base search.  I've done a lot of searching for doing an eval command BEFORE the base search, but that doesn't seem to be possible. This can't be a unique scenario. How do I search for both "null" and "NOT null" values in the base search without removing my username input box?
Hello, I wonder if somebody can please help me to sort the following data: Into this table: Any ideas are welcome. I was trying to run this query but it is not separating the values of the fields properly:

index=query_mcc | eval data = split(_raw, ",") | eval Date = strftime(_time, "%Y-%m-%d-%H:%M:%S") | eval Category = mvindex(data, 1) | eval Status = mvindex(data, -1) | eval Command = mvindex(data, 0) | table host, Date, Category, Status, Command

but it is giving me this, where it only shows the first line.
Hello,

There must be something `rex` specific with my query below since it is not extracting the fields, while the regex works as expected when I test on regex101 (see https://regex101.com/r/g0TMS4/1):

eventtype="my_event_type" | rex field=responseElements.assumedRoleUser.arn /arn:aws:sts::(?<accountId>\d{12}):assumed_role\/(?<assumedRoled>.*)\/vault-oidc-(?<userId>\w+)-*./ | fields accountId, assumedRole, userId

Sample data that fails to match:

arn:aws:sts::984086324016:assumed-role/foo-admin-app/vault-oidc-foo-admin-app-1687793763-Qen4JHeRXYlB8Eoplkjs

Thanks, Alex.
Hello, I have the following search:

index=wineventlog EventCode=4728 OR EventCode=4731 OR EventCode=4729 OR EventCode=4732 OR EventCode=4756 OR EventCode=4756 NOT src_user=*$ | rename src_user as admin, name as action | table admin, Group_Name, user_name

This spits out output like this:

admin   Group_Name   user_name
adminx  GroupA       UserA
adminx  GroupB       UserA
adminx  GroupC       UserA
adminy  GroupD       UserB
adminy  GroupE       UserB
adminy  GroupF       UserC
adminy  GroupF       UserD

I'm trying to combine them into a single message that looks like this:

admin   Group_Name             user_name
adminx  GroupA,GroupB,GroupC   UserA
adminy  GroupD,GroupE          UserB
adminy  GroupF                 UserC,UserD

What would be the best way to achieve that?
Hi, I would like to join the results of two searches, sum them, and output the total. The searches:

index=test_index sourcetype="test_source" className=export | table message.totalExportedProfileCounter

index=test_index sourcetype="test_source" className=export | table message.exportedRecords

From the two searches above I am looking to add message.totalExportedProfileCounter and message.exportedRecords. For a given call only one of the above fields shows up. I am looking for message.totalExportedProfileCounter + message.exportedRecords.

Thanks in advance!
We understand that your initial experience with getting data into Splunk Observability Cloud is crucial, as it sets you up for success within the product. We're excited to share that we've improved the OpenTelemetry Collector data setup experience in Splunk Observability Cloud. Now you can follow instructions for installing the Collector on all supported platforms (Linux, Windows, Kubernetes, Amazon ECS Fargate, and Amazon ECS EC2) with a single wizard providing a streamlined, intuitive onboarding experience. We're also happy to announce a few other important enhancements: Installation instructions for deployment tools such as Ansible, Puppet, Chef, and Salt are provided in the Getting Started steps. Previously, you would need to switch context across wizards and perform multiple steps to instrument your custom services. With Splunk OpenTelemetry Zero Configuration Auto Instrumentation, the Collector can automatically instrument your back-end applications to capture and report distributed traces to Splunk APM in minutes. Simply opt in as part of this Collector installation wizard, and that's it! We hope these improvements make your getting started experience easier and smoother!
September 2023

Splunk SOAR Version 6.1.1 is Now Available
The latest version of Splunk SOAR launched on September 6th. Version 6.1.1 adds some new condition options to the Visual Playbook Editor and also provides users with the ability to convert classic playbooks into the current Visual Playbook Editor format through a new CLI conversion tool. Other updates include support for PostgreSQL version 15 for deployment, and standalone, non-clustered environments can now run diagnostic commands and upload the resulting logs directly to Splunk Support. For more information, be sure to check out the latest release notes for the on-prem and cloud versions.

Splunk Enterprise Security 7.2 is Now Available
In our latest release of Splunk Enterprise Security 7.2, we introduce capabilities that deliver an improved workflow experience for simplified investigations; enhanced visibility and reduced manual workload; and customized investigation workflows for faster decision-making. You can find this version on Splunkbase! Release notes can be found here.

Splunk User Behavior Analytics (UBA) 5.3
The latest release of Splunk User Behavior Analytics (UBA) 5.3 introduces three new models and a 20-node XL cluster for extraordinary scale and scope. Read the release blog to learn more about UBA 5.3 and the blog on Detecting Lateral Movement Using Splunk User Behavior Analytics.

Splunk Threat Briefing: Newest Observed TTPs in the Wild
Watch the on-demand recording of the Splunk Threat Research Team showcasing the entire exploitation sequence of the latest remote access trojans (RATs), destructive payloads and post-exploitation techniques. The team also highlights related security content developed to enhance your defenses.

2023 Gartner Market Guide for SOAR
If your team is looking to evaluate how security orchestration, automation and response (SOAR) can support and optimize your security operations, download a copy of the 2023 Gartner Market Guide for SOAR.

New blogs to help you make the most of Splunk Security
- Key Threat Hunting Deliverables with PEAK
- Integrated Intelligence Enrichment with Threat Intelligence Management
- That Was Easy! Manage Lookup Files and Backups with the Splunk App for Lookup File Editing

Security Content from the Splunk Threat Research Team
The Splunk Threat Research Team has had four releases of security content in the last month, which provide 24 new detections, 27 updated detections and 8 new analytic stories. Read the Product News & Announcements post to learn more.

Use Case Explorer
See and read about our completely updated Use Case Explorer content on Splunk Lantern! You can find prescriptive guidance from Splunk that will guide you on your digital resilience journey from foundational visibility to optimized experiences.

Platform Updates

Flatten the SPL Learning Curve: Introducing Splunk AI Assistant for SPL
Learn more about the preview of Splunk's generative AI offering! Read this blog to discover how the Splunk AI Assistant uses an AI-powered chat experience to help new users quickly get up to speed with SPL and advanced users unlock more out of Splunk by providing query suggestions, explanations, and detailed breakdowns.

Fastest Time-to-Value Anomaly Detection in Splunk: The Splunk App for Anomaly Detection 1.1.0
Brand new to ML and looking for an easy way to get started? Check out the Splunk App for Anomaly Detection to help you find anomalies in your dataset in just a few clicks! You can unlock the power of ML in your everyday workflows, while also simplifying tasks that are historically complex and time consuming. Looking for more AI and ML content? Check out the new AI and ML tab on the Essentials Board to kickstart your journey.

October 2023 Customer Advisory Boards
Sign up and join our October 2023 Customer Advisory Boards! You'll get access to previews of new products and capabilities, interact with industry experts and provide feedback to influence the future of Splunk products. Use this link to sign up! Contact us at advisoryprograms@splunk.com with any questions.

Tech Talks, Office Hours and Lantern

Tech Talks
Security Edition | There's No Place Like Chrome...and the Splunk Platform! September 26 at 11 am PT
Platform Edition | Introduction to Splunk AI September 27 at 11 am PT

Security Webinar
Build Scalable Security while Migrating to Cloud: Best Practices from Clayton Homes | Wednesday, October 11, 11 am PT - 12 pm PT

Community Office Hours
Interested in getting live help from technical Splunk experts? Join our upcoming Community Office Hour sessions, where you can ask questions and get guidance on all things OpenTelemetry, Risk-Based Alerting, and Enterprise Security. Limited Spots Available - Register Now!
Observability: OpenTelemetry - Wed, Sep 27 at 1pm PT/4pm ET
Security: Risk-Based Alerting (RBA) - Wed, Oct 11 at 1pm PT/4pm ET
Security: Enterprise Security - Wed, Oct 25 at 1pm PT/4pm ET

Splunk Lantern
Did You Know: Splunk Edge Processor common use cases
Use Splunk Edge Processor to accelerate your pre-ingest data transformation capabilities! Let Splunk Lantern walk you step-by-step through two common use cases to help you get started: masking IP addresses and routing designated events to specific indexes.

Education Corner

Cybersecurity Education is a Hot Topic
If you're in the U.S., you may have heard about the Biden administration's National Cyber Workforce and Education Strategy announced on July 31, 2023. It's kind of a big deal. One key objective is to address the shortage of cybersecurity professionals in the U.S., which leans heavily into enhancing cyber skills education. At Splunk, we've had our eyes on this for a while, which is why we continue to offer free cybersecurity and skills training – available and accessible anywhere, anytime. We have a curriculum of over 40 free self-paced courses – including our newest, "The Cybersecurity Landscape" and "Security Operations and the Defense Analyst." Plus, an entire catalog of self-paced training with labs and instructor-led courses.

Splunk Education Spans the Globe
Have you ever wondered how you can access Splunk Education Training and Certification in your own region, in your own language, with local support? Well wonder no more! The Splunk Authorized Learning Partner (ALP) program is an extension of Splunk Education – offering you access to the quality of education you've come to expect from us. ALPs offer courses that dive into Cloud, Security, and Observability for administrators, architects, and users – in your language, timezone, and location. Find out more about our global learning partners today.

Talk with us about Splunk!
The Splunk product design team wants to learn about how you use our products. If you're interested in contributing, please fill out this quick questionnaire so we can reach out to you. This may take such forms as a survey, receiving an email to schedule an interview session, or some other type of research invitation. We look forward to hearing from you!

Until next month, Happy Splunking
September 2023

Session Replay - Now In Splunk RUM Enterprise Edition!
We are delighted to announce a significant enhancement to the Splunk Real User Monitoring (RUM) product: the general availability of Browser Session Replay. With Session Replay now at your fingertips, you can bid farewell to guesswork in troubleshooting user journey issues and experience a substantial reduction in the mean time to resolution (MTTR). Session Replay empowers you to witness firsthand what your users experience on your site, paving the way for optimized user experiences and enhanced performance. Explore the RUM Product Tour to learn more!

Speed up Troubleshooting With The Latest Enhancements To Splunk APM AutoDetect
Our new APM Detectors help engineering teams simplify alert creation and effectively detect abnormalities in traffic patterns. In one step, you can create detectors within the context of familiar capabilities like service map, tag spotlight, and APM's landing page. Additionally, you can now create detectors based on request rate to understand abnormalities in traffic patterns. These innovations build on Splunk's ability to use ML and AI to deliver more efficient alerting. From measuring sudden changes in your metric time series data with Autodetect for Infrastructure Monitoring, to detecting changes in service health and performance with APM, we're arming you with the most accurate alerting, with even less manual effort.

ICYMI: Learn How Dynamic Dashboard Analytics Can Help You Simplify Troubleshooting
Dynamic Dashboard Analytics makes it easier to troubleshoot issues using Splunk Observability Cloud dashboards. With a simple chart configuration, you can ensure that viewers of your dashboard will be able to find the source of problems faster. Read on.

New Entity Status RCA Remediation Capabilities In ITSI
Have you ever wondered why the status on your infrastructure overview page shows "unstable" when you have entities linked? Now, you can identify the root cause and remediate through an in-product experience. With this new remediation capability in ITSI 4.17, you can gain visibility into why it's marked "unstable" and troubleshoot the issues to ensure the status accurately reflects active or inactive based on its current state. With this new feature, we've also added:
- a new entity_status_tracking property in the itsi_import_objects search command
- a new discovery search cleanup command, | cleanupentitydiscovery
Learn more

Catch The State of Observability 2023 Webinar Replay
Missed it live? Catch the replay! Hear from ESG's senior analyst Jon Brown and Splunk's Observability Practitioner Director Greg Leffler as they discuss what they see in the data from our latest State of Observability research survey and what they are hearing from observability practitioners like you. This session will also cover thematic findings related to cloud usage, hybrid application architectures, AIOps, and the convergence of various monitoring solutions. Watch here.

Tech Talks
Observability Edition | From Clicks to Conversions: Tune Performance from the User Perspective. Now On-Demand
Platform Edition | Introduction to Splunk AI September 27 at 11 am PT

Education Corner

O11y, O11y Oxen Free
Today, we're talking about free O11y education courses! Did you know that Observability is abbreviated as O11y and is defined as the ability to measure the internal states of a system by examining its outputs? Organizations use observability tools to improve the performance of their distributed IT systems – solutions like the from Splunk designed to help organizations gain insight into and understanding of their applications and infrastructure. If you're new to Splunk, find out how it works by taking our free O11y training, including our newest courses: Introduction to Log Observer Connect and Optimizing Metrics Usage with Splunk Metrics Pipeline Management.

Until next month, Happy Splunking
September 2023

Splunk Public Sector continues to support customers and partners at industry events and with education and training. Please stop by and see Splunk at any one of these Civilian, DoD, or State/Local and Educational events.

Webinars:

FedCiv Success with Splunk User Showcase | October 11, 1:00 - 3:30 ET
We are hosting a FedCiv webinar featuring the same content and speakers from our May user program earlier this year! You will have the opportunity to hear directly from users in CMS, IRS, and State Dept who are using Splunk to solve for mission critical initiatives.

Public Sector Multi-Cloud Monitoring - Amazon Web Services | On Demand Webinar
Are you looking for better visibility in your multi-cloud environment and want to see how Amazon Web Services (AWS) fits in? Do you need help identifying what needs to be monitored in your AWS cloud environments? Do you have sprawling AWS resources and billing costs you are trying to manage? Join us to hear from a Cloud Expert on all things AWS and Splunk!

Build Scalable Security while Migrating to Cloud: Best Practices from Clayton Homes | Wednesday, October 11, 11 am PT - 12 pm PT

Workshops:
Splunk offers free workshops. Join the top technical experts at Splunk for hands-on learning on Splunk SOAR, Insider Threat, and Enterprise Security. Times vary and there is no cost to attend.

Date   | Workshop            | Time
5-Oct  | SOAR                | 1:00 - 5:00 ET
26-Oct | Insider Threat      | 1:00 - 4:00 ET
2-Nov  | Enterprise Security | 1:00 - 5:00 ET

Events:

.conf Go 2023 | No cost to attend!
This fall Splunk is taking some of the best content from .conf23 on the road to Houston and Denver. At .conf Go, you'll explore how Splunk can help you overcome some of the toughest digital challenges, from responding faster to threats to pivoting quickly when the unexpected arises.
10/3 - Westin Galleria, Houston
10/18 - Grand Hyatt, Denver

Booth and Tabletop Events
Be sure to stop by and see Splunk to learn about the latest trends at these industry events:
10/4 Colorado Digital Government Summit, Denver, CO
10/4 Oregon Cyber Resilience Summit, Eugene, OR
10/4 NYSLGITDA Fall Conference, New York, NY
10/8 NASCIO, Minneapolis, MN
10/9 Educause, Chicago, IL
10/12 CA Cybersecurity Education Summit, Sacramento, CA
10/14 IACP, San Diego, CA
10/16 Gartner IT Symposium Xpo, Orlando, FL
10/18 Louisiana Digital Government Summit, Baton Rouge, LA
10/22 BlackBaud BBCon, Denver, CO
10/23 Wisconsin Digital Government Summit, Green Bay, WI

Washington DC Splunk User Group:
Attention Splunk Users! We are back with another live DC Splunk User Group meetup on October 24th! Join us at the Splunk office to learn about Splunk Connected Experiences. Food and drinks will be provided, and there may also be some cool swag. Find out more and RSVP here.

Tech Talks
Observability Edition | From Clicks to Conversions: Tune Performance from the User Perspective. Now On-Demand
Platform Edition | Introduction to Splunk AI September 27 at 11 am PT
Security Edition | There's No Place Like Chrome...and the Splunk Platform! September 26 at 11 am PT

Education Corner

Act Now to Preserve Your Splunk Certified Developer Status!
Time is running out! Splunk Certified Developer Certification will be retired on September 30, 2023. If you aim to become a certified Splunk Developer and create cutting-edge apps using the Splunk web framework, don't delay. Begin your training with the Developer Track and study the exam guide. Current certification holders can maintain their badge until its expiration, but consider recertifying now to extend its validity for another three years.

Until next month, Happy Splunking
In my search I have no lookup command. Does anyone know why I am getting this error?
Hello, I am collecting data via the AWS add-on and what I have found is that my timestamp recognition isn't working properly. I have a single AWS input using the [aws:s3:csv] sourcetype. This then uses transforms to update the sourcetype based on the file name the data comes from. Config snips:

props.conf

[aws:s3:csv]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
FIELD_DELIMITER = ,
HEADER_FIELD_DELIMITER = ,
TRUNCATE = 20000
TRANSFORMS-awss3 = sourcetypechange:awss3-object_rolemap_audit,sourcetypechange:awss3-authz-audit-logs

[awss3:object_rolemap_audit]
TIME_FORMAT=%d %b %Y %H:%M:%S
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE_DATE = true
FIELD_DELIMITER = ,
HEADER_FIELD_DELIMITER = ,
FIELD_QUOTE = "
INDEXED_EXTRACTIONS = CSV
HEADER_FIELD_LINE_NUMBER = 1

[awss3:authz_audit]
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3Q
#TZ=GMT
FIELD_DELIMITER = ,
HEADER_FIELD_DELIMITER = ,
FIELD_QUOTE = "
INDEXED_EXTRACTIONS = CSV
HEADER_FIELD_LINE_NUMBER = 1

transforms.conf

[sourcetypechange:awss3-object_rolemap_audit]
SOURCE_KEY = MetaData:Source
REGEX = .*?object_rolemap_audit.csv
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::awss3:object_rolemap_audit

[sourcetypechange:awss3-authz-audit-logs]
SOURCE_KEY = MetaData:Source
REGEX = .*?authz-audit.csv
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::awss3:authz_audit

It seems that the data comes in with _time set to index time from what I can see, even though I set recognition for each sourcetype. I believe that timestamping is happening at the initial pass into Splunk before it gets the transforms applied.

How can I set timestamping via the initial sourcetype if there are multiple formats for the sourcetype depending on the file, since it's not honoring the timestamp recognition settings post-transforms? Thanks for the help.
I tried to change the permission to the "all apps" option but I don't see the option. Is there any other way to make my macro available for all apps?
Here are three lines of the file to illustrate what I'm going for:

Line from file                                              | Desired field
URI : https://URL.net/token                                 | token
URI : https://URL.net/rest/v1/check                         | rest/v1/check
URI : https://URL.net/service_name/3.0.0/accounts/bah       | service_name

I have successfully extracted the 3rd example using this:

rex field=_raw "URI.+\:\shttp.+\.(net|com)\/(?<URI_ABR>.+)\/\d+\."

That does not match the other two though, so no field is extracted. Is there a way to say if it doesn't match that regex then capture till the end of line? I've tried this, but then the 3rd example also captures everything till the end of the line:

rex field=_raw "URI.+\:\shttp.+\.(net|com)\/(?<URI_ABR>.+)(\/\d+\.|\n)"
How do I get a list of Splunk Cloud index restores and the time each restore took to complete?
Hello, is there a way to add a control to a dashboard (in dashboard studio), a dropdown for example, to enable/disable a certain alert? Thanks!
I have the actual list of indexes in a lookup file. I ran the query below to find the list of indexes with the latest ingestion time. How do I find whether there is any index that is listed in the lookup but not returned by this query?

index=index* | stats latest(_time) as latestTime by index | eval latestTime=strftime(latestTime,"%x %X")

Can you please help?
Hi, the documentation I found details the update of a two-site cluster in "site-by-site" fashion, which is solid as a rock. We normally go that way, yet without taking down one site's peers all at once, but by updating them one by one. And there is a description of a rolling update, where I did not find any mention of multi-site clusters. I tried a combination of both by rollingly updating one site and then the other, which at the end of the day did not speed things up very much; I still had to wait in the middle for the cluster to recover and become green again. Did I miss a description of the rolling update of a multi-site indexer cluster? What would be the benefit? And what's the difference anyway between going into maintenance mode and a rolling update? Thanks in advance, Volkmar
How do I onboard CloudWatch data to Splunk using HEC?
I am unable to create a data collector on my Node.js application. I came across this doc: "For the Node.js agent, you can create a method data collector only using the addSnapshotData() Node.js API, not the Controller UI as described here. See Node.js Agent API Reference." I have 2 questions: how do I determine the value and key to use, and where do I add addSnapshotData()?