Hello,      I have 10 servers with syslog generated. How do I ingest those syslog into the Splunk server. I have gone through the SC4S document. Do I have to install Splunk Connector for Syslog on all 10 machines ? or Do we have any other best way to ingest the syslog ? Also can we use Secure syslog port 6514 ?

We are looking to provide the last part of a request uri that identifies a file name and has a client identifier variable in the middle of the uri. Sample uri request: GET /someportal/rest/product/v1_0/clientidentifier/filename/fnm_123456789abcd.png HTTP/1.1 The underlined text is the value that I need to extract.  Note the space after the .png. My current attempt is this: index=index source=/source sourcetype=sourcetype | rex field=_raw "GET /someportal/rest/product/v1_0/*/filename/(?<FileName>\d+)" Please let me know how far off I am.  Thanks

I have a seemingly simple request: list the events and indicate if it occurred during an outage. I have been trying for ages and I cannot get it to work, can anyone please help? Base search for events:  index=api_calls CSV lookup to record the outage windows, called 'outages.csv' (UK style dates): DateFrom DateTo Reason 01/09/2022 09:00:00  30/09/2022 23:00:00 Testing 1 01/10/2022 09:00:00 31/10/2022 09:00:00 Testing 2   This produces the correct outage row: | inputlookup outages.csv | eval t=now() | eval DateFromEpoch=strptime(DateFrom, "%d/%m/%Y %H:%M:%S") | eval DateToEpoch=strptime(DateTo, "%d/%m/%Y %H:%M:%S") | where DateFromEpoch <= t and DateToEpoch >= t | table Reason Output is: Testing 2 I would have expected this to add the Reason field to the base results: index=api_calls | append [ inputlookup outages.csv | eval t=_time | eval DateFromEpoch=strptime(DateFrom, "%d/%m/%Y %H:%M:%S") | eval DateToEpoch=strptime(DateTo, "%d/%m/%Y %H:%M:%S") | where DateFromEpoch <= t and DateToEpoch >= t | table Reason ] | table _time Reason * But for some reason I cannot get anything to add to the search, not even index=api_calls | append [ | makeresults   | eval Reason="hello" | table Reason ] | table _time Reason * Ideally, I would like this to be as a macro so I can re-use it easily: index=api_calls | `is_outage(_time)` | table _time Reason * I'm doing something wrong, any help appreciated.

Can I limit foreach iterations, or place a where clause (or other filter) in the foreach subsearch? I'm attempting to flatten a JSON field because I have multiple "roots" of the json, that host the same fields I need access to.  For instance: json1.x.y json2.x.y json3.x.y and I want to work with all of the "y" fields at once by referencing them as "y".  I know a single "y" that will always exist, but the others are potentially dynamic, so I can't hardcode the json flattening with a rename.  Currently I'm running the below search, with the issue being "| foreach *.jsonConstant.*" iterates through all the json roots (1/2/3) and makes my results null if the correct root wasn't the last to run.   I'm unsure why it iterates through all json roots as the current event all columns related to other roots are null.       MYSEARCH ("json1.jsonConstant.knownName"=* OR "json2.jsonConstant.knownName"=* OR "json3.jsonConstant.knownName"=*) | eval jsonRoot=case(isnotnull('json1.jsonConstant.knownName'),"json1", isnotnull('json2.jsonConstant.knownName'),"json2", isnotnull('json3.jsonConstant.knownName'),"json3",1=1,0) | eval temp="" | foreach *.jsonConstant.* matchseg1=SEG1 matchseg2=SEG2 [ eval temp= temp . "|" . jsonRoot .":"."<<FIELD>>".":"."SEG1"."/"."SEG2" | eval SEG2 = '<<FIELD>>' ] | stats count by knownName       An example of the error I get would be: Event1: root for this event is json1, but the knownName is null because the foreach ran on json1, json2, and json3. And the most recent loop for json3 was null for all fields. Event 2: root for this event is json3, All fields extract/flatten correctly because json3 ran last. The temp field above is what I'm using to debug. I can't run a where clause within the foreach subsearch because it never runs any of the code in the foreach subsearch.  

So I've searched and searched but can't seem to find an answer to my issue. I need to add an all option to my dynamic dropdown. I have found answers that seem like they should be simple enough. Either add All, * to static or alter the XML code. I've tried both, (I think when I altered the XML code it pretty much caused the dropdown to be the exact same way as it was had I just added the options to the static section) and each time I am getting a "search string cannot be empty" error. Don't know if it matters but I did watch a couple youtube videos, their search used | table fieldname | dedup fieldname at the end, when I did that I got the same issue, but now all the field values are grouped together, so I'm doing | stats count by fieldname at the end

Hi!  We've set up an Eventhub input using the Splunk Add-on for MS Cloud Services, and we are getting events successfully into Splunk. The problem is that the events are not formatted correctly when indexed into Splunk.  JSON formatted events are indexed into Splunk with all the quotation marks escaped. This messes up the syntax highlighting, and the auto field extractions. The sourcetype used during eventhub config is mscs:azure:eventhub, as per the docs states. The following code is used to generate test data, and the rendered result is in the screenshot.  Anyone seen the same, or resolved it somehow?   #Method 1 - You provide a JSON string body1 = "{'id':'device2','goo':'frodo'}" event_data_batch.add(EventData(body1)) #Method 2 - You get the JSON Object and convert to string json_obj = {"id": "device3", "goo": "bilbo"} body2 = json.dumps(json_obj) event_data_batch.add(EventData(body2)) #This just sending the string which will not be captured by TSI event_data_batch.add(EventData('Third event'))        

We've had several changes going on to some dashboards I've been doing, including new data.  Where we used to be dealing with only PRD data, we're adding some TST data activity as well.   The chart I'm trying to do is a to show counts of activity by PRD and TST, stacked, for each of our 3 current users over the last 7 months.  We want an at a glance view of how much work is being done, by whom and where, and how one user compares to the other.   I can do it as separate charts, but it can be confusing.    1 person's count scale peaks at 25 where the other peaks at 66, so if you don't look at the fine print, User A doesn't look like they are doing a third of the work of User B.     I've tried several variations of charts, timecharts, etc., but either they don't work, combine PRD/TST into one total or they don't stack.   Best result for me would be one column (or bar if need be) per user per month, with two separate totals for PRD and TST counts, stacked on each other.       

Hello,  I have to avoid matching several values in a fields.  The following works, but I"m wondering if there is a more efficient way...  index=wineventlog host="myhost" EventCode=7036 | regex Message!="WMI" | regex Message!="WinHTTP"

Following this: https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/ConfigureandinstallcertificatesforLogObserver Our current certificate is working, but is there anything I need to follow when using ACME. Once the certificate is in and working, what needs to be done? Do I need to just restart Splunk and expect it to work? Is there anything else needing to be done for them to be automatically be updated?

Hello - I am trying to troubleshoot an issue and have not had much success in determining a root cause. I was wondering if anybody else has ever seen this issue. I inherited this cluster about a year ago, which is a distributed cluster hosted mostly in our own cloud environment with a few parts located on-prem. The indexer tier consists of a CM with 3 peer nodes. The search tier is two SH (not setup as a cluster), one being the main SH used by the company, and the other SH is running ES and is also he LM for the deployment. We have a license quota of 300Gb/Day, and until very recently I believed we were averaging around 280-320 Gb/day during the workweek.   In the past year, we have been told on multiple occasions that we are exceeding our license quota, and it has been a continuous effort to monitor and reduce our sourcetypes when possible to manage our daily ingestion volume. This has been something that we have spent a lot of time trying to maintain. Doing some log analysis on our sourcetypes, I have discovered what I believe is a duplicate scenario somewhere between the ingest point and the indexer tier. In a rough example to show my case, I have been trying to take measurements of our ingest to better understand what is happening. Using the method recommended in the Splunk Forums, I started out measuring our ingest using this base search.      index=_internal sourcetype=splunkd source=*license_usage.log type=Usage earliest=-1d@d | stats sum(b) as bytes by idx | eval gb=round(bytes/1024/1024/1024,3)     This sum came out to be between 280-300 Gb /day. I then tried to measure the bytes in the logs using the len() aggregate function, in a search like this:     index=* earliest=-1d@d | eval EventSize=len(_raw) | stats sum(EventSize) by index       This search sums out to around 150 Gb /day.  From my understanding, this is completely the opposite of what I expected. I did not expect the numbers to be exactly the same, but being roughly double does not make sense to me. If I am ingesting bytes, and Splunk is counting as (bytes)*2, this is a big issue for us. Please let me know if I am incorrect in this assumption.  Another case example. To reproduce this phenomena, I created a scenario that ingests a small amount of data to hopefully make measuring the difference easier to do.  I created a script that makes an API call to another solution in our network, to pull down information about its clients. Since this list is mostly static, I figured it would be a nice and small data source that I can work with. Running the script locally in a bash shell returns 606 json events. When redirected to a local file, these 606 events equal 396,647 bytes in size.  Next I put this script in an app on my searchhead. I created a sourcetype specifically for the json data that the API call will be returning. I created a Script modular input to execute the API call every 60 seconds.  I enabled the modular input, let it execute once, then disabled it. Looking for the logs in search, Splunk is calling it 1210 events and checking the len(_raw) shows 792,034 bytes. This seems to be a very large issue for us, and it seems to be effecting every sourcetype that we have. I did a similar test on our DNS logs, and our firewall logs, which are our two largest sourcetypes. A close examination of the local log file, shows logs that are near exactly half the size in bytes as the same _raw log examined in Splunk. Has anyone every seen a issue like this before? I have a Case opened with Splunk but so far it has not yielded any actionable results and we are going on 2 weeks now of back and forth. Any ideas or insights would be greatly appreciated. TY  

I have the following query:    application_id=12345 STATUS_CODE IN (300, 400, 500)| head 10   How can I modify this such that I can get 2 unique rows where STATUS_CODE is 300, 2 unique rows where STATUS_CODE is 400, 2 unique rows where STATUS_CODE is 500 and so on?  Above query ends up fetching 10 rows of the first ones it can find thus end up with all 10 rows as STATUS_CODE as 300 in correctly. Pls advice. Thanks.