All Topics

Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hi All,

I have a challenge, which I, after many considerations, have made a decision on, which indeed also has some consequences.

I'm a (Splunk) consultant for a company which has hundreds of customers around the world, whom I finally convinced to get a dedicated Logging & Monitoring system, and long story short, after a longer PoC, Splunk was chosen.

Now to the challenge with all these customers, who pretty much all use more or less the same SW platform created by the company I work for, and which produces both Events and Metrics (which is why your app is in the picture).

To limit the massive amount of App management, along with GDPR and what not, each customer gets ONE index defined as default, but each has 4 indexes: a set of summary indexes and likewise ordinary indexes, 1 event and 1 metrics in each set.

When installing the UF on each customer, each gets one default (event) index set in inputs.conf; this way all Events end up in the right index, but not Metrics. All indexes follow a strict naming convention in which <customer id>_e_<some more> indicates 'Events' and vice versa _m_ their Metrics index.

So far so good!

Using the great app 'Multi-Metric Perfmon', and defining the index on the UF (very unwanted solution), data goes straight through the HF to the IDX server as expected. This solution will demand administration of individual apps per customer, which is a NO-GO.

Now - this raises the challenge, which I basically don't understand why it becomes a challenge.

What I've done to circumvent this issue about multi-management of hundreds of apps is controlling everything by sourcetype, and letting the HF do the switching of index between Event/Metrics depending on the incoming sourcetype.

So basically use props.conf to catch any sourcetype with 'metrics' in its name, and then use transforms.conf REGEX to change the index name from the default '<bla bla>_e_<bla>' to '<bla bla>_m_<bla>', which works perfectly, except I get this error message in Splunk, and NO data in the index, as when the index is set directly on the HF (using the 'Multi-Metric Perfmon' inputs.conf to define the index name):

The metric event is not properly structured, source=LogicalDisk, sourcetype=Perfmon, host=w_00001_test_bjd_0001, index=c_00001_no_emea_m_pub. Metric event data without a metric name and properly formated numerical values are invalid and cannot be indexed. Ensure the input metric data is not malformed, have one or more keys of the form "metric_name:<metric>" (e.g..."metric_name:cpu.idle") with corresponding floating point values.

I'm far from a Splunk Metrics expert, though I've worked intensively with Splunk for 10 years; metrics just never came my way till now.

So I don't know what happens between the UF and the IDX, except that if (as said) the index is defined on the UF in the app inputs.conf, all works just fine. Whereas if I don't define an index in the app's inputs, it will go with the default index, which is an Event index, which is why I let the HF change the index name to its corresponding _m_ metrics index.

Using Splunk _internal Metrics I can see the data being transferred to the indexer using the correct index name, but here it stops, and I get the above message.

Can you explain this behaviour? And moreover, how to fix this? What is happening on the HF that I don't see, since data is now rejected though pointed to the correct index?

Your input and/or help would be most appreciated.
I have some HTML/CSS like below that sets the width of some single value panels. In v8.3.1 this worked fine, but now in v9.4.0 it does not work and sizes the panels evenly across the row, i.e. two single value panels each get 50%. I have tried using the Developer Tools in Chrome, but all the elements I try have no effect.

#panel1 { width: 20% !important }
#panel2 { width: 20% !important }

Any thoughts?
I have an error doing my course in Splunk:   This application domain (https://education.splunk.com) is not authorized to use the provided PDF Embed API Client ID.
So jumping into this search question https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/m-p/288845, the search I am using is:

| rest /servicesNS/-/-/saved/searches splunk_server=local | search disabled=0 | table title, disabled, action.hangout_chat_alert, action.email

I came across the question of whether there is any documentation on what the 1, 0 or blank means on some of the fields. I have this alert that only has a HangoutChat alert set up; when I run the query above it shows title, disabled=0, action.hangout_chat_alert=0 and action.email=0. I'm confused as to why email and hangout are returning the value 0; shouldn't it be like this: disabled=0 is returning me all alerts that are active and 1 is alerts that are actually disabled, so title disabled=0, action.hangout_chat_alert=0 and action.email=blank? My understanding of the 1, 0 and blank is that 1 is enabled, 0 is disabled and blank is that it was not set up with that action. Now on the original post you can see Mr @woodcock explaining that alert.track=1 means it's an alert and 0 means it's a report. With all the other ones I don't believe it works the same. Is there documentation that has this topic covered? And how does my alert above end up with action.email=0 even though I clearly have not set that action with my alert, only HangoutChat as the action?

ALL APPS:
| rest /servicesNS/-/-/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule

Search app only:
| rest /servicesNS/-/search/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule
I'm not seeing any Karpenter logs show up. We're using a very basic deployment of the Splunk OTel Chart. Any advice on what's needed to get Karpenter logs to show up?
Hi! This is my first time using Splunk and I am on the free trial version. I set up an HEC token and ran a test on Windows with this command:

curl -k https://prd-p-n38b3.splunkcloud.com:8088/services/collector -H "Authorization: Splunk 78c2aexx-xxxx-xxxxx-xxxx-xxxxx869e53" -d "{\"sourcetype\": \"event\", \"event\": \"Test message\"}"

While the events are being generated, I see 0 bytes. What am I doing wrong? I also see the events in the HEC logs but no data.
We want to be able to monitor what sources/devices are using what HEC tokens. I know we can use _introspection to retrieve metrics on a HEC token to see if it is being used, but we need to know "what" is sending to/using a HEC token: what sources (IP or host) are sending to a HEC token. We are using Splunk Cloud.
I am trying to create a search that shows me all users that are searching back 30 days or longer in Splunk. For example, if user123 ran a search of "index = windows" and selected a time picker value of 30 days, I would want the search results to show me the username, the search used, and the time picker used. I would want to see this for any users searching back 30 days or more in Splunk. This is what I have started with to use as a base search, but I am not finding any fields that show a time picker value:

index=_audit action="search"
Hi - Is there a way to warn the user when they try to execute the outputlookup command from the front end, to avoid accidentally deleting records from the KV store? Thank you
Hello,

My use case:

Context: On Azure, data from several applications is pushed into an Azure EventHub. I need to separate the data from one application and put this data into a new index on Splunk. On Azure, all the resources of this app are in one Resource Group: TheAppResourceGroupName.

I used a Heavy Forwarder, and these are my configs:

props.conf:
[source::eventhub://EVENTHUBAZURE.servicebus.windows.net/app-logs;]
TRANSFORMS-route = routeToNewIndex, discard_original,

transforms.conf:
[routeToNewIndex]
REGEX = TheAppResourceGroupName
DEST_KEY = _MetaData:Index
FORMAT = NewIndex

[discard_original]
REGEX = TheAppResourceGroupName
DEST_KEY = queue
FORMAT = nullQueue

This config will delete the data, yes, but in the NewIndex, and not in the original index, after the routing. I didn't find an answer which fits my needs on the community and in the docs, but maybe someone has faced a similar need.

Thanks a lot for the help!
Nico
Hello, does anyone know if there are any plans for this app to become compatible with recent versions of Splunk? It claims to be compatible with 9.4 but it is running Python 2...
Over the last week or so one of my dev indexers keeps crashing with a signal 11. How can I start to figure out what's happening? I know I didn't change anything on the system. I've attached the log from the most recent dump. Page locations vary but the basic fault remains the same:

[build 0b8d769cb912] 2025-02-21 12:43:55 Received fatal signal 11 (Segmentation fault) on PID 552462.
Cause: No memory mapped at address [0x00007742D7E337C0].
Crashing thread: IndexerTPoolWorker-1
OS: Linux
Arch: x86-64
Backtrace (PIC build):
[0x00005DA750CCC63E] _ZNK23PipelineDataMetaKeyAtom16asIndexableTokenEP15st_token_answerRK10StrSegmentPK20PipelineInputChannelRK19PipelineDataMetaKeyb + 126 (splunkd + 0x2A7863E)
[0x00005DA7506F0599] _ZN10PutterBase7putMetaERK15CowPipelineDataNS_23indexed_fields_policy_tEb + 249 (splunkd + 0x249C599)
[0x00005DA7506F0BDC] _ZN14IndexableValue15indexIntoPutterER10PutterBase + 76 (splunkd + 0x249CBDC)
[0x00005DA7506F0E0F] _ZN14IndexableValue5indexEPN5STMgr14HandleWritableEPN9Segmenter7ContextE + 191 (splunkd + 0x249CE0F)
[0x00005DA7507A1208] _ZN11StreamGroup3runEm + 296 (splunkd + 0x254D208)
[0x00005DA7501FBF68] _ZN6Worker4mainEv + 184 (splunkd + 0x1FA7F68)
[0x00005DA75343C3AE] _ZN6Thread37_callMainAndDiscardTerminateExceptionEv + 46 (splunkd + 0x51E83AE)
[0x00005DA75343C4BB] _ZN6Thread8callMainEPv + 139 (splunkd + 0x51E84BB)
[0x000077470029CAA4] ? (libc.so.6 + 0x74AA4)
[0x0000774700329C3C] ? (libc.so.6 + 0x101C3C)
Linux / splunk / 6.8.0-53-generic / #55-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 17 15:37:52 UTC 2025 / x86_64
/etc/debian_version: trixie/sid
Last errno: 2
Threads running: 85
Runtime: 19.367557s
argv: [splunkd -p 8089 restart]
Regex JIT enabled
RE2 regex engine enabled
using CLOCK_MONOTONIC
Thread: "IndexerTPoolWorker-1", did_join=0, ready_to_run=Y, main_thread=N, token=131146591504064
MutexByte: MutexByte-waiting={none}
TPool Worker: _isExecutorWorker=N, _id=1
Running TJob: name=TJob
00000000 00000000 00000000 14: 00000000 00000000 00000000 00000000 15: 00000000 00000000 00000000 00000000 16: 00000000 00000000 00000000 00000000 80000000: 80000008 756E6547 6C65746E 49656E69 80000001: 000A0653 00000000 00000121 2C100800 80000002: 65746E49 2952286C 726F4320 4D542865 80000003: 35692029 3630312D 43203030 40205550 80000004: 332E3320 7A484730 00000000 00000000 80000005: 01FF01FF 01FF01FF 40020140 40020140 80000006: 00000000 42004200 02008140 00808140 80000007: 00000000 00000000 00000000 00000000 80000008: 00003027 0100D000 00000000 00000000 terminating...
This is how our normal raw event looks --

Feb 7 23:59:32 128.160.82.26 [local0.warning] <132>1 2025-02-07T23:59:32.033309Z AviVantage v-wasphictst-wdc.hc.cloud.uk.sony-443 NILVALUE NILVALUE - {"adf":true,"significant":0,"udf":false,"virtualservice":"virtualservice-e52d1117-b508-4a6d-9fb5-f03ca6319af7","report_timestamp":"2025-02-07T23:59:32.033309Z","service_engine":"GB-DRN-AB-Tier2-se-bmqhk","vcpu_id":0,"log_id":89302,"client_ip":"112.12.53.70","client_src_port":37228,"client_dest_port":443,"client_rtt":1,"request_state":"AVI_HTTP_REQUEST_STATE_SSL_HANDSHAKING","significant_log":["ADF_CLIENT_CONNECTION_CLOSED_BEFORE_REQUEST"],"vs_ip":"128.160.71.101","ocsp_status_resp_sent":true,"max_ingress_latency_fe":0,"avg_ingress_latency_fe":0,"conn_est_time_fe":1,"source_ip":"128.12.53.70","vs_name":"v-wasphictst-wdc.hc.cloud.uk.sony-443","tenant_name":"admin"}

So what we have done is remove the non-JSON part from this using SEDCMD and extract the JSON events by setting kv_mode=json on the SH. Till here it is good.
Formatted log sample -

[-]
   adf: true
   all_request_headers: { [+] }
   all_response_headers: { [+] }
   avg_ingress_latency_fe: 0
   cacheable: true
   client_dest_port: 443
   client_insights:
   client_ip: 112.11.227.250
   client_rtt: 1
   client_src_port: 34057
   compression: NO_COMPRESSION_CAN_BE_COMPRESSED
   compression_percentage: 0
   conn_est_time_fe: 1
   host: wasphictst-wdc.hc.cloud.uk.sony
   http_version: 1.1
   jwt_log: { [+] }
   log_id: 122364
   max_ingress_latency_fe: 0
   method: GET
   report_timestamp: 2025-02-18T16:30:29.084682Z
   request_headers: 577
   request_id: 6vT-vgq1-nSjL
   request_length: 131
   request_state: AVI_HTTP_REQUEST_STATE_READ_CLIENT_REQ_HDR
   response_code: 403
   response_content_type: text/html
   response_headers: 12
   response_length: 4181
   response_time_first_byte: 1
   response_time_last_byte: 1
   service_engine: GB-DRN-AB-Tier2-se-vxeuz
   significant: 0
   significant_log: [ [+] ]
   sni_hostname: wasphictst-wdc.hc.cloud.uk.sony
   source_ip: 128.11.227.250
   ssl_cipher: TLS_AES_256_GCM_SHA384
   ssl_session_id: 5032f265bd7d88f768c096bbbf78d4f2
   ssl_version: TLSv1.3
   tenant_name: admin
   udf: false
   uri_path: /cmd
   user_agent: insomnia/2021.5.3
   vcpu_id: 0
   virtualservice: virtualservice-e52d1117-b508-4a6d-9fb5-f03ca6319af7
   vs_ip: 123.160.71.101
   vs_name: v-wasphictst-wdc.hc.cloud.uk.sony-443
   waf_log: { [+] }
}

We want to re-arrange these fields: we have some less informative strings at the top and more informative fields like waf_log at the bottom. How do we do this re-arranging? We checked from the source end and they can't do anything from their side. And one more thing: we want waf_log to be automatically expanded by default, not every time by clicking + and again + + + in this way. Please help me with these two requirements.
Currently we have on-boarded applications like 1,2,3,4..... 100 into the default Search and Reporting app. But they belong to different groups and we are in the process of dividing each application into its designated group and creating an app for it. ABC group has 1,2,3..... 10 applications. DEF group has 10,11.....40 applications. So what we are expecting is to create apps named ABC and DEF and have all the belonging applications sent into these apps (groups). As of now, we are restricting users based on their application index. How do we start with this requirement? For example, the DEF app should not be visible or accessible to ABC app users and vice versa. They should only see their app and their application logs.
Hello, recently I moved the ES app from one SH to another, non-clustered SH. After that this error is coming: Error in 'DispatchManager': The user 'admin' does not have sufficient search privileges
So I copied the Enterprise Security app folder from the old SH to the new one, but it is showing a "macro not found" error. Where can I find the macros of this app, and how do I migrate them as well?
Our application, Erasmith Add-on for WMI Exporter, is showing as Pending for both Victoria and Classic in Splunkbase. Under the details, it indicates 2 failures, but the failure report is not available. Additionally, during local cloud vetting, no errors or failures were observed. Could anyone guide me on what steps I should take next to resolve this issue?
Hello,

I am trying to replace the host value, which is currently the UF, with event data as the value.

ACME-001 PROD-MFS-003: status="200/0" srcip="1.0.0.1" user="a7bk28" dhost="http://test_web.net/contents/content2.jpg?ee=ff&gg=hh" urlp="10" proto="HTTP/http" mtd="GET" urlc="Music" rep="24" mt="image/jpeg" mlwr="-" app="-" bytes="601/274/31302/00012" ua="Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 Safari/525.27.1 Desktop/1.0" lat="0/0/05/14" rule="rule14 bad" url="http://test_web.com/page5/e.jpg?ee=ff&gg=hh"
ACME-001 PROD-POS-006: status="200/0" srcip="1.0.0.13" user="ItsEmeline" dhost="http://test_web.net/users/user2.jpg?ee=ff&gg=hh" urlp="10" proto="HTTP/http" mtd="GET" urlc="Beauty" rep="21" mt="application/xml" mlwr="-" app="-" bytes="534/020/100/130" ua="Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110623 Firefox/7.0a1" lat="0/10/026/105" rule="rule12 bad" url="http://test_web.net/contents/content2.jpg?ee=ff&gg=hh"

ACME-001 is what I want to be placed in as the value for the host field. These are the props and transforms that I am using.

props.conf
[mcafee:wg:kv]
TRANSFORMS-changehost = changehost
SHOULD_LINEMERGE = false
DATETIME_CONFIG = current

transforms.conf
[changehost]
DEST_KEY = MetaData:Host
REGEX = ^(?P<host>\S+)
FORMAT = host::$1

I have also tried ^(\S+) for the regex. I have 1 SH, 1 CM, 2 IDX and 1 UF. I have put the props and transforms in an app and pushed them to the indexers from the CM. They are on both indexers in /opt/splunk/etc/peer-apps. I have a TA that has the same sourcetype that I am using in the props in my app. I'm wondering if I should add the props and transforms to a local folder in the TA instead of having them in a separate app. Any suggestions would be much appreciated.
Hello, I have logs coming in with the host showing as the UF. I want to replace the host value with some event data. Here is a sample of the data.

ACME-001 HOST-003: status="407/0" srcip="1.0.0.2" user="VeroRivas" dhost="http://test_web.net/contents/content1.jpg?aa=bb&cc=dd" urlp="401" proto="HTTP/https" mtd="CONNECT" urlc="Movie" rep="2" mt="text/html" mlwr="-" app="-" bytes="001/0/0/3180" ua="Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 Safari/525.27.1 Desktop/1.0" lat="0/0/0/3" rule="rule1 ok" url="http://test_web.com/page3/c.jpg?ee=ff&gg=hh"
ACME-001 ops-sys-002: status="407/0" srcip="1.0.0.11" user="roisiningle" dhost="http://test_web.net/contents/content1.jpg?aa=bb&cc=dd" urlp="401" proto="HTTP/https" mtd="CONNECT" urlc="Food" rep="-2" mt="text/html" mlwr="-" app="-" bytes="206/0/0/0040" ua="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1" lat="0/0/0/1" rule="rule1 ok" url="http://test_web.com/page5/e.jpg?ee=ff&gg=hh"
ACME-001 BUSDEV-005: status="200/0" srcip="1.0.0.13" user="roonixr" dhost="http://test_web.net/users/user2.jpg?ee=ff&gg=hh" urlp="10" proto="HTTP/http" mtd="GET" urlc="Advertisement" rep="-3" mt="application/javascript" mlwr="-" app="-" bytes="142/020/032/023" ua="Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/20030517 Mozilla Firebird/0.6" lat="0/05/30/53" rule="rule8 good" url="http://test_web.net/users/user2.jpg?ee=ff&gg=hh"

ACME-001 is what I want to be used for the value of host. I am in an index cluster environment with 1 SH, CM, 2 IDX and 1 UF. I have pushed these props and transforms to the indexers with no success. The UF is still showing as the host value.

Props
[mcafee:wg:kv]
TRANSFORMS-changehost = changehost
SHOULD_LINEMERGE = false
DATETIME_CONFIG = current
#TIME_PREFIX =
#TIME_FORMAT =
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
#MAX_TIMESTAMP_LOOKAHEAD =
TRUNCATE = 999999
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)

Transforms
[changehost]
DEST_KEY = MetaData:Host
REGEX = ^(?P<host>\S+)
FORMAT = host::$1

Any help would be much appreciated
Our team looks after 7 applications; we have 5 environments, and each application sits on between 2 and 4 servers, depending on the environment. Each app instance has its own dedicated server, so in other words, given a hostname, you can figure out exactly which application and which environment it is for.

At the moment, if we want to search for the logs of one of the applications (app1) in UAT, and if this app has 4 servers in UAT, the only way we can do this is by using the following search parameters

source=*app1.log host=host1 OR host=host2 OR host=host3 OR host=host4

Sometimes we have a few different applications talking to each other, so we end up having to list a long set of host names, and this gets quite tedious. We have a separate team that manages Splunk across the organisation.

Is there something we could be asking the Splunk team to do for us to make our searching easier? Is there something they could do that would result in us being able to do something like

application=app1 environment=uat

instead of having to specify host names for the environment that we are interested in?

Our team would appreciate any suggestions that can make our work easier.

Thank you
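An added example, not from the post above or from the poster's Splunk team, of one way an admin team could make a search like application=app1 environment=uat work: a CSV lookup keyed on host, wired up as an automatic (search-time) lookup. The CSV rows, the lookup name host_app_env and the source stanza pattern are assumptions for illustration; the host, application and environment field names come from the post.

```ini
# lookups/host_app_env.csv  (constructed sample: one row per dedicated server,
# because the post states each app instance has its own server)
#
# host,application,environment
# host1,app1,uat
# host2,app1,uat
# host3,app1,uat
# host4,app1,uat
# host5,app1,prod
# host6,app2,uat

# transforms.conf  (assumed lookup name; the CSV lives in the app's lookups/ dir)
[host_app_env]
filename = host_app_env.csv

# props.conf  (assumed stanza: applies to every event whose source ends in app*.log)
# LOOKUP-<name> makes Splunk add the OUTPUTNEW fields at search time by joining
# on the event's host field, so no re-indexing is needed and the field values
# can be changed later by editing the CSV alone.
[source::...app*.log]
LOOKUP-app_env = host_app_env host OUTPUTNEW application environment
```

With the lookup in place, the search in the post becomes source=*app1.log application=app1 environment=uat; because the fields are added at search time, keep a narrowing term such as source= or index= in the search so the lookup is not evaluated over every event.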