異なるソースタイプ[sourcteype=A1]の中に[user]、[sourcetype=B1]の中に[ap_user]というフィールドがあります。 この２つの[user],[ap_user]のユーザ名が同じであるかどうか判定するリアルタイムアラートを作成したいです。 リアルタイムサーチ時にappendやjoinでサブサーチを利用するとうまくいきませんでした。 これを解決できる方法がありましたら、ご教授下さい。 sourcetype="A1" |fields user |join [ |search sourcetype="B1" |fields ap_user ] |table user,ap_user |eval match=if(user==ap_user, "〇", "×")

Hi, I'm trying to get the audit logs from github cloud into splunk instance which has limited network access. the problem is that ip of github that sends the data to splunk often changes.  Instead of granting access to the changed ip, which takes some time to get the approval, I'd like to install another splunk instance in the DMZ environment, where there are no limit to the network, and send or forward the data in to the splunk instance in the limited network. GitHub needs Splunk http event collector in order to verify before sending data. So I'm guessing that only heavy forwarder(full splunk instance to my knowledge, right?) is available. Is this something that can be done? If so, could you please let me know the steps or docs that I could reference? Thank you in advance.

I am VERY new to splunk so please bear with me.  I have a search, index=vulnerability "list of packages installed on the remote" myserver.com | rex field=output "\n{1,3}\s{2,4}(?<ProgramNameOutput>[^|]+)" max_match=5000 | table ProgramNameOutput Which produces the following fictional output: libhangul-0.1.0-8.el7 intltool-0.50.2-7.el7 libvert-7.6.1-120.el7 at-spi2-core-2.28.0-1.el7 spice-gtk3-0.35-5.el7_9.1 perl-Digest-MD5-2.52-3.el7 mesa-libvert-18.3.4-12.el7_9 hyperv-daemons-license-0-0.34.20180415git.el7 libsysfs-2.1.0-16.el7 openldap-clients-2.4.44-25.el7_9 libvirt-gconfig-1.0.0-1.el7 libpeas-gtk-1.22.0-1.el7 NetworkManager-adsl-1.18.8-2.el7_9 perl-Locale-Maketext-1.23-3.el7   So what I'd like to do is to pair that ProgramNameOutput down to only output that has "libvert" in it.   The output field looks similar to this, it's basically one big text block:   "output:  Here is the list of packages installed on the remote CentOS Linux system :   libhangul-0.1.0-8.el7|(none) Mon 01 Nov 2021 12:06:47 PM EDT intltool-0.50.2-7.el7|(none) Mon 01 Nov 2021 12:10:13 PM EDT gdb-7.6.1-120.el7|(none) Mon 01 Nov 2021 12:06:15 PM EDT at-spi2-core-2.28.0-1.el7|(none) Mon 01 Nov 2021 12:08:53 PM EDT spice-gtk3-0.35-5.el7_9.1|(none) Mon 01 Nov 2021 12:40:05 PM EDT perl-Digest-MD5-2.52-3.el7|(none) Mon 01 Nov 2021 12:05:15 PM EDT mesa-filesystem-18.3.4-12.el7_9|(none) Mon 01 Nov 2021 12:38:01 PM EDT"

Search head cluster captain's /opt/splunk/var/run/file.bundle still has the csv even though file was added in the /opt/splunk/etc/system/local/distsearch.conf's [replicationBlacklist]. $SPLUNK_HOME/bin/splunk btool distsearch list --debug showing the csv file in the [replicationBlacklist] list but the csv file still in the latest bundle on the SH captain? Could this a bug for Splunk 8.2.4 (build 87e2dda940d1) when the number of entries in [replicationBlacklist] exceeds a number? in this case there are entries from blacklist_lookups_1 to blacklist_lookups_79. Thanks in advance for inputs.

I see that there is a journald_input app in the splunk forwarder install, but I can't seem to find any information on how to use it.  I ran: /opt/splunkforwarder/bin/splunk enable  app journald_input But it doesn't appear to be ingesting any entries from the journal.

hi I use a search  thats transpose events with span of 30 m the end of the search is this one   | where _time <= now() AND _time >= now()-14400 | eval time=strftime(_time,"%H:%M") | sort time | fields - _time _span _origtime _events | fillnull value=0 | transpose 0 header_field=time column_name=KPI include_empty=true | sort + KPI   as you can see, I just display events which exist in a specific time range   | where _time <= now() AND _time >= now()-14400   It works fine but just when the timepicker choice is "today" I would like to do the same think on previous timepicker choice like "last 7 days" or "last 30 days" Could you help please?

As of today data models, like the Network Traffic data model, have fields for src, src_ip, dest and dest_ip, but not src_dns and dest_dns. The way I understand it, DNS names should then be used in the src and dest fields, and IPs in the fields src_ip and dest_ip. Some logs don't have DNS names available in the log itself. However, if you have Splunk ES with a populated asset framework, it will automatically add the field src_dns and dest_dns to the events if the fields src and dest are already available. If I want the fields src_dns and dest_dns from the events to be added to the src and dest fields in the data model, I would normally solve this by adding a coalesce for src in props.conf for the source type, but since lookups are applied after evals in the search time parsing, this is not possible when src_dns and dest_dns comes from a lookup, as in the case with Splunk ES. Therefore I propose the following change to the data models themselves, for all datamodels that are using the src and dest fields: Change the eval for src from if(isnull(src) OR src="","unknown",src) to case((isnull(src_dns) OR src_dns="") AND (isnull(src) OR src=""),"unknown",NOT (isnull(src_dns) OR src_dns=""),src_dns,true(),dest) and likewise change the eval for dest from if(isnull(dest) OR dest="","unknown",dest) to case((isnull(dest_dns) OR dest_dns="") AND (isnull(dest) OR dest=""),"unknown",NOT (isnull(dest_dns) OR dest_dns=""),dest_dns,true(),dest)