Hi all, Within Splunk ES I've configured a test threat intelligence feed with the following settings: New > Line oriented Name: Binary Defense Banlist type: network url: https://www.binarydefense.com/banlist.txt weight: 60 interval: 43200 Max Age: -30d Max Size: 52428800 Checked Threat Intelligence File parser: line Delimiting regular exp:  Extracting regex: ^(\d.+)$ Ignoring regex: (^#|^\s*$) fields: ip$1,description:BinaryDefense_banlist skip header lines: 0 No encoding, no user agent, sinkhole checked. Some global parse modifier settings: Certificate attribute breakout = checked IDNA encode domains = unchecked Parse domain from URL = unchecked In debug mode I see that the file is downloaded and then it says: <timestamp> INFO pid=1050977 tid:MainThread file=get_parser.oy:_detect_file_type:139 | stanza"binary Defense Banlist" status="Automatically detected STIX parsing for file_path /opt/splunk/var/lib/splunk/modinputs/threatlist/Binary Defense Banlist" It goes on to parse the file and get the records. However, the records contain HTML elements like <'\div> and <\iframe> as url value. This is strange since it's just a .txt file. Moreover, why is it parsing it like a STIX document when I explicitly stated that the File parser = line? This happens with other threat feeds as well. I've checked with a colleague at another client and with the exact same settings his works and mine doesn't.   Am I missing something? Do you know where else I can look to troubleshoot?   Some figures: Splunk: 8.2.9 ES: 7.0.1 Single search head, behind proxy

our main Splunk administrator retired and we since disabled his Active Directory account which he used to create and manage hundreds of Splunk searches, now listed as Orphaned under Settings \ All Configurations \ Reassign Knowledge Objects \ Orphaned we have the option of reassigning these searches to other Domain Accounts belonging to regular Splunk non admin users, or to the built in default Splunk admin account which is a local account on the box with no Domain permissions, so the question is should we do that since there is also this Warning: Knowledge object ownership changes can have side effects such as giving saved searches access to previously inaccessible data or making previously available knowledge objects unavailable. Review your knowledge objects before you reassign them. Running Splunk version 9.0.0 on the Microsoft Windows platform 

Hi,  We're preparing to upgrade SE from 8 to 9 and have a question about this requirement: For distributed deployments of any kind, confirm that all machines in the indexing tier satisfy the following conditions:  ... ... They do not run their own saved searches If our indexers are also search heads, would that violate this?

I have a SH that is not part of SH Cluster.  The SH is connected to an Index Cluster.  I am seeing the following errors on the Indexers (W.X.Y.Z is the IP address of the SH) ERROR TcpInputProc [2317 FwdDataReceiverThread] - Error encountered for connection from src=W.X.Y.Z:46788. error:140760FC:SSLroutines:SSL23_GET_CLIENT_HELLO:unknown protocol I don't think there is a mismatch of sslVersions.   Please help me troubleshoot this.  

Hello Splunk masters I am trying to figure out how to get a rate (percent) by looking at two strings within a column, then dividing by values in another column Sample data below.  What I'm trying to do is calculate the rate of "incomplete" by batch week.  Rate is calculated by taking the batch week, getting the total = (complete + incomplete) / incomplete.  As shown below, I included a sample of what I'd like to get as a final output.  This is way beyond my Splunk-fu and hoping someone can help me out here.   Thanks for the help in advanced       Sample Data site batch_status batch_week status_count 2506 complete 16 7 2506 incomplete 16 4 2506 complete 17 5 2506 incomplete 17 3 2506 complete 18 2 2506 incomplete 18 4 What I'd like to get back 2506 incomplete 16 36% 2506 incomplete 17 38% 2506 incomplete 18 -66%        

not sure what it looks like on the Unix platform but in the Web UI on a Windows Server there is no separate square aka pane for the Deployer Server as in the Search Head Cluster software configuration Deployer on the Overview screen, although it is clearly assigned the Deployer role in the Monitoring Console and that is the only role for that Instance (I like to follow the guidelines to the T)  When you click on Topology it shows up under the Other category along with the Cluster Master and Deployment servers  All I'm saying is that it would be nice to be able to see it's performance metrics  on the Overview page along with all its other brother and sister servers 

Hi,   I'm having some architecture deployment issues on an indexer. When I check hosts using (index="_internal"  | stats count by host). I double-checked my outputs.conf on all my instances, I also checked the inputs.conf on indexer2 both are set to 9997 and I believe I have the right local IP running on all my instances but I still don't have any other host pop-up on Indexer2 except Indexer2. Any assistance would be highly appreciated. Side note I'm using AWS to practice setting up my own Architecture for learning purposes any help will be appreciated.   Regards,