I have a UF set to send logs to both Splunk IDX and SIEM, using the TCPOUT settings in outputs.conf, but this is sending via TCP and we want it to use UDP (due to high log rate). Can it be done? There is no option for the tpcout stanza to set a protocol. So it is TCP only. I found there is a syslog-out stanza for the outputs.conf file, which can use UDP or TCP, but that one also says it can't be used on UFs. Am I stuck with TCP, or is there another way? Thanks for any responses, Rod.

Hello Splunkers I have the following raw events 2023-01-20 18:45:59.000, mod_time="1674240490", job_id="79" , time_submit="2023-01-20 10:04:55", time_eligible="2023-01-20 10:04:56", time_start="2023-01-20 10:45:59", time_end="2023-01-20 10:48:10", state="COMPLETED", exit_code="0", nodes_alloc="2", nodelist="abc[0002,0006]", submit_to_start_time="00:41:04", eligible_to_start_time="00:41:03", start_to_end_time="00:02:11" 2023-01-20 18:45:59.000, mod_time="1674240490", job_id="79" , time_submit="2023-01-20 10:04:55", time_eligible="2023-01-20 10:04:56", time_start="2023-01-20 10:45:59", time_end="2023-01-20 10:48:10", state="COMPLETED", exit_code="0", nodelist="ABC[0002-0004,0006-0008,0073,0081,0085-0086,0089-0090,0094-0095,0097-0098]" submit_to_start_time="00:41:04", eligible_to_start_time="00:41:03", start_to_end_time="00:02:11" How do I extract or parse the highlighted nodelist="ABC[0002-0004,0006-0008,0073,0081,0085-0086,0089-0090,0094-0095,0097-0098]  into a new field called host and the host values for first event would be host= abc0002 and host=abc0006 similarly for second event it should be host= abc0002 host= abc0003 host= abc0004   host=abc0006  host= abc0007 host= abc0008 host=abc0073 host= abc0081   host=abc0095 host= abc0097 host=abc0098 Thanks in Advance

performing the following search: I get this result. I need to parser this information, building a table excel type. The information is in JSON format, so a UPLOAD in SPLUNK. Like this:        

So from my research it looks like Base Searches increase the performance of the dashboards. A dashboard with several views loads faster if the query of each view is using a pre-existing base search. However my friend is convinced that that's not the case and using Base Searches does the opposite - it prolongs the loading time of the dashboard. Has anyone else had such experience?

Given the below scenario: base search| table service_name,status,count Service_name Status Count serviceA 500_INTERNAL _ERROR 10 serviceA 404_NOT_FOUND 4 serviceB 404_NOT_FOUND 1 serviceC 500_INTERNAL_ERROR 2 ServiceC 404_NOT_FOUND 5 serviceD 206_PARTIAL_ERROR 1   How can I display the results with group by service_name and the result as below table: Service_name Status Count serviceA 500_INTERNAL _ERROR, 404_NOT_FOUND 14 serviceB 404_NOT_FOUND 1 serviceC 500_INTERNAL_ERROR, 404_NOT_FOUND 7 serviceD 206_PARTIAL_ERROR 1

Hello Guys, I'd like to create a search based on business hours, and like to use a field with value like this:  "2023/01/20 08:52:58" The bold number would be interesting, and like to search with multiple values. example 08-18h [08,09,10,11,12,13,14,15,16,17,18] How could I find a regex to extract theese numbers?  thanks a lot!  

Hi guys, Happy New Year, i do some code testing with the Splunk HEC, now i need to transfer some large volum data with gzip compressed. 1. first i find one limit in $SPLUNK_HOME$/etc/system/default/limits.conf     [http_input] max_content_length = <integer> * The maximum length, in bytes, of HTTP request content that is accepted by the HTTP Event Collector server. * Default: 838860800 (~ 800 MB)     but i It is found that this value seems to calculate the size after decompression, because i have one test file about 50MiB, it's far less than 800MB, but when i sending request, Splunk raise the:     <!doctype html><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>413 Content-Length of 838889996 too large (maximum is 838860800)</title></head><body><h1>Content-Length of 838889996 too large (maximum is 838860800)</h1><p>The request your client sent was too large.</p></body></html>     2. the 2nd limit i find at $SPLUNK_HOME$/etc/apps/splunk_httpinput/local/inputs.conf     [http] maxEventSize = <positive integer>[KB|MB|GB] * The maximum size of a single HEC (HTTP Event Collector) event. * HEC disregards and triggers a parsing error for events whose size is greater than 'maxEventSize'. * Default: 5MB     i think this limit is set at only one event size? if i send batch events in one request by "/services/collector", so this limit will apply to every event in the batch events, right? Are there any relevant experts to help confirm this behavior? if need more details feel free to let me know, Many thanks!

Hello, My events contain strings such as: notification that user "mydomain\bob" has notification that user "fred" has  notification that user "01\ralph2" has  I'm trying to write a conditional EXTRACT in props.conf, so that the a new field 'domain' is assgined the domain name (i.e. mydomain, 01) where specified, else is assigned NULL and new field 'user' is assigned the user name (i.e. bob, fred, ralph2). This works well enough when there is a domain and a user, but oviously not when there isn't a domain: EXTRACT-domain_user = notification\sthat\suser\s\"(?<domain>[\w\d]+)\\(?<user>[\w\d]+)\"\shas I'd be grateful for some assistance.      

Is it possible to assign a value to a different fields. I am trying to combine two different events but the same index. The other one has the field which I needed ip address while the other one doesn't have it in the raw logs. Is it possible to assign/pass the value to the other?   date name description ip 1/15/2023 12:05 xxx this is test 1 192.x.x.x 1/15/2023 12:06 xxx this is test 2   1/15/2023 12:06 xxx this is test 1 192.x.x.x   I tried using eval and passing the data but it fails. Using fill null values and assigning the a fix value doesn't fix it. it should be based from the IP above or within that same date Thanks you in advance for any advice