I want to install HF or UF on our DMZ environment. The Indexer is on the LAN. I is not allow to communicate from the DMZ to the LAN . I need that the logs from the DMZ will be pulled to the Indexer in the LAN (using HF or any other solution). Please share your insight on how to setup this from your experience . Thanks in advance.

I have duplicate notables/alerts coming in for a specific correlation search I created. I'm sure the problem is within the time ranges of the correlation search but I cannot figure out what it is. I have this AWS Instance Modified By Usual User search that I got from Security Essentials.   This is my search  index=aws sourcetype=aws:cloudtrail eventName=ConsoleLogin OR eventName=CreateImage OR eventName=AssociateAddress OR eventName=AttachInternetGateway OR eventName=AttachVolume OR eventName=StartInstances OR eventName=StopInstances OR eventName=UpdateService OR eventName=UpdateLoginProfile | stats earliest(_time) as earliest latest(_time) as latest by userIdentity.arn, eventName | eventstats max(latest) as maxlatest | where earliest > relative_time(maxlatest, "-1d@d") | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(earliest) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(latest) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(maxlatest)   This is the time range in the search:   Yesterday I logged in to our AWS account for the first time and the alert fired - which is good. But the alert kept firing every hour afterwards. From my understanding the alert should fire once and be over with.   8am, original alert: userIdentity.arn eventName earliest latest maxlatest jim ConsoleLogin 2023-02-08 07:57:11 2023-02-08 07:57:11 2023-02-08 07:57:11   At 9am: userIdentity.arn eventName earliest latest maxlatest bob ConsoleLogin 2023-02-08 08:29:22 2023-02-08 08:29:22 2023-02-08 08:57:55 jim ConsoleLogin 2023-02-08 07:57:11 2023-02-08 07:57:11 2023-02-08 08:57:55   At 10am: userIdentity.arn eventName earliest latest maxlatest bob ConsoleLogin 2023-02-08 08:29:22 2023-02-08 08:29:22 2023-02-08 09:51:21 jim ConsoleLogin 2023-02-08 07:57:11 2023-02-08 09:20:11 2023-02-08 09:51:21   At 11am: userIdentity.arn eventName earliest latest maxlatest bob ConsoleLogin 2023-02-08 08:29:22 2023-02-08 08:29:22 2023-02-08 10:15:26 jim ConsoleLogin 2023-02-08 07:57:11 2023-02-08 09:20:11 2023-02-08 10:15:26   At 12pm: userIdentity.arn eventName earliest latest maxlatest bob ConsoleLogin 2023-02-08 08:29:22 2023-02-08 08:29:22 2023-02-08 11:15:54 jim ConsoleLogin 2023-02-08 07:57:11 2023-02-08 09:20:11 2023-02-08 11:15:54   And what I didn't mention is that, apart from alert repeating itself each hour, there are two alerts created every time due to, I'm assuming, having two users. How can I fix this to alert only once and to also report only once for both users? thanks for any assistance.

Hello all As a splunk in an early station I currently have the following challenge: We have many indexes and we want to do an analysis over all indexes how fast the log data is available in Splunk. As distance should be measured from writing the log (_time) to indexing time (_indextime). Also we want to exclude scatter (e.g. we currently have hosts with wrong time configuration, i.e. something like a Gaussian normal distribution). Here is an example query, which is probably wrong or could be done much better by you: | tstats latest(_time) AS logTime latest(_indextime) AS IndexTime WHERE index=bv* BY _time span=1h | eval delta=IndexTime - logTime | search (delta<1800 AND delta>0) | table _time delta Is the query approx correct so that we can answer the question what kind of deley we have over all? How could one use a Gaussian normal distribution instead of restricting the search manually?

Dear All,   I've got a question regarding syslog host facility information which can be send from a Huawei switch to Splunk.  There is a facility command available on the Huawei switches which is meant for the possibility to categorize outgoing traffic to a remote syslogserver. I would like to know how to detect the facility information coming from the Huawei switch in Splunk and filter this type of information. Does anyone know how to filter the incoming traffic?    Related information:  Facility >  Specifies a syslog server facility that is used to identify the log information source. You can plan a local value for the log information of a specified device, so that the syslog server can handle received log information based on the parameter    In general there are channel groups and there are different log severity levels from 0 to 7  ( 0 = Emergencies 1= Alert , etc)               emergency   alert   critical   error   warning   notice   info   debug kernel              0       1          2       3         4        5      6       7 user                8       9         10      11        12       13     14      15 mail               16      17         18      19        20       21     22      23 system             24      25         26      27        28       29     30      31 security           32      33         34      35        36       37     38      39 syslog             40      41         42      43        44       45     46      47 lpd                48      49         50      51        52       53     54      55 nntp               56      57         58      59        60       61     62      63 uucp               64      65         66      67        68       69     70      71 time               72      73         74      75        76       77     78      79 security           80      81         82      83        84       85     86      87 ftpd               88      89         90      91        92       93     94      95 ntpd               96      97         98      99       100      101    102     103 logaudit          104     105        106     107       108      109    110     111 logalert          112     113        114     115       116      117    118     119 clock             120     121        122     123       124      125    126     127 local0            128     129        130     131       132      133    134     135 local1            136     137        138     139       140      141    142     143 local2            144     145        146     147       148      149    150     151 local3            152     153        154     155       156      157    158     159 local4            160     161        162     163       164      165    166     167 local5            168     169        170     171       172      173    174     175 local6            176     177        178     179       180      181    182     183 local7            184     185        186     187       188      189    190     191   This facility field can used to easier identify some modules/processes from a device that generates log to your remote server. After the facility parameter is configured with the info-center loghost command, the switch will send the syslog packets containing the modified parameter, such as:   And for example if you mention specific source modules required to send logs to remote server, for that loghost you can modify the facility number contained in the packets, such as: Here the ARP logs will be sent to loghost 1 using the user-defined local0 facility(number 16):   In the capture it will be changed like this: So users can filter the logs with the facility field on the log server that supports the facility field. In the same time, if the remote server allows it, the facility can also be used to store the logs in different places based on this field. So specific logs with different facility fields can be categorized in specific paths for easier tracking. So combined with severity you can better find and track different sources that send syslog packets.   Help would be very appreciated.    Thanks in advance.   Best regards,   Danny 

Hello everyone, I want to change the percentage of pie chart to be integer    I am using this to show the percentage      <option name="charting.chart.showPercent">1</option>       and my query is      index="test" sourcetype=csv | chart count by status    

Hello, I have log events that follow this structure: "2023-01-10 09:54:18.566 | ERROR | 1 | GroupManagement| ExceptionHandler | UUID CC22E78A-E62D-4693-8D89-0A54E159DDC5 | hasError | This is the error message " It has leading and trailing quotes, and is delimited with pipe character.  I am having trouble with creating the sourcetype and require some assistance. My biggest issue I think is the fact that I have to remove the leading and trailing quotes so that Splunk does not treat the entire event as one field.  I seem to be able to remove them using the following sourcetype, but it does not then identify the fields: [sourcetype] SHOULD_LINEMERGE=true LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true CHARSET=UTF-8 disabled=false FIELD_DELIMITER=| FIELD_NAMES=timestamp,type,num,area,code,uuid,text,message TRUNCATE=20000 TIME_PREFIX=^ TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N SEDCMD-remove_quotes=s/(?<!,)\"([^\"]*)\"/\1/g   Does anybody have an idea?   Thank you and best regards,   Andrew

Splunkd logs - in universal forwarder I notice,     INFO AutoLoadBalancedConnectionStrategy [XXXXX TcpOutEloop] - After randomization, current is first in the list. Swapping with last item   what is this log indicate ?

Hi team, I have a Windows 10 machine sending logs to Splunk Enterprise. For that I opened a port tcp 514. Checking on metrics.log I see the events being delivered to Splunk (the IP for Windows 10 is 192.168.2.11) 02-09-2023 08:55:06.031 +0000 INFO Metrics - group=tcpin_connections, 192.168.2.11:49713:514, connectionType=raw, sourcePort=49713, sourceHost=192.168.2.11, sourceIp=192.168.2.11, destPort=514, kb=0.000, _tcp_Bps=0.000, _tcp_KBps=0.000, _tcp_avg_thruput=0.012, _tcp_Kprocessed=339.454, _tcp_eps=0.000, _process_time_ms=0, evt_misc_kBps=0.000, evt_raw_kBps=0.000, evt_fields_kBps=0.000, evt_fn_kBps=0.000, evt_fv_kBps=0.000, evt_fn_str_kBps=0.000, evt_fn_meta_dyn_kBps=0.000, evt_fn_meta_predef_kBps=0.000, evt_fn_meta_str_kBps=0.000, evt_fv_num_kBps=0.000, evt_fv_str_kBps=0.000, evt_fv_predef_kBps=0.000, evt_fv_offlen_kBps=0.000, evt_fv_fp_kBps=0.000 I can see events from yesterday from that machine but today I see nothing. Events are sent on syslog format with message in CEF. So, why I can see yesterday events but not today events even if I see the events getting to Splunk server? Where can I check any log that let me know if something is getting wrong? Thanks in advance

Hello everyone,  I'm new on splunk.  I want to build mini lab splunk with virtual machine. Can someone else can share me if you know :  Do you know where i can buy/use cheap/free resources virtual server that are configurable enough for lab splunk building. I'm plan on building 8 server with roles like that : - 2 forwarder - 3 index - 1 cluster manager - 1 search head - 1 license manager / deployer server / monitoring console.   Hope someone can help. Thanks a lot.   

I have created a view with javascript to add search bar and display results as event list. How can I change the format in which the events are displayed? I want to use a userscript to format the way events are displayed

For example: i have been hitting the pavement trying to figure out a search query for events that happened between 3:00 and 3:15, my next search should be 3:01 to 3:16 and so on then count all the total events that occured in the 15 minutes buckets. thank you guys in advance for any help and suggestions is greatly appreciated.

I need to group by a field where all possible values should be shown in the result. For example, the below snippet groups by interface, but rows can be omitted if the query does not return results for an interface. <search> | stats count(state='success') as count by interface  For example, three interfaces exist. [A, B, C]. The search has no results for C. Output interface      count A              100 B              200 Missing Record C              0 How can any missing records be included?  Any option where a lookup table is not used?

Hi, I have 10 hosts, from this only 3 hosts are reporting to DS and 7 are not reporting. when i searched with _internal i could see only 3 hosts logs are coming in. How to troubleshoot further on this issue??