Hello fellow Splunkers. I am trying to set the sourcetype name using a part of the source path. I've read the answers from the same question on the community, but i just cant get it working, so ill give it a shot and ask here. The goal: Set sourcetype name from the third folder in the source path. For example, automaticly set sourcetype to "foobar" from logs collected from source C:\data\Logs\foobar\logfile.log What i have tried: (on the universal forwarder) inputs.conf: [monitor://C:\data\Logs\...\*] index = main   (on the indexer receiving from the universal forwarder) props.conf: [source::C:\data\Logs\*] TRANSFORMS-changesourcetype = changesourcetype transforms.conf: [changesourcetype] SOURCE_KEY = MetaData:Source REGEX = C:\\data\\[^\\]+\\([^\\]+)\\ #REGEX = C:\\data\\Logs\\(\w+)\\ (Commented out: for debugging purposes) FORMAT = sourcetype::$1 DEST_KEY = MetaData:Sourcetype I've also tried (for debugging-reasons) solving it differently, by tagging a temporary sourcetype at the UFW: inputs.conf: [monitor://C:\data\Logs\...\*] index = main sourcetype = changemeplease props.conf: [changemeplease] TRANSFORMS-changesourcetype = changesourcetype transforms.conf: [changesourcetype] SOURCE_KEY = MetaData:Source REGEX = C:\\data\\[^\\]+\\([^\\]+)\\ #REGEX = C:\\data\\Logs\\(\w+)\\ (Commented out: for debugging purposes) FORMAT = sourcetype::$1 DEST_KEY = MetaData:Sourcetype   The data gets forwarded and indexed, but the transforms seem to not hit, what so ever. Any suggestions on what i am doing wrong here?

I have to ingest some data so i've created a field called customer data and the regex works fine - ^[0-9]{16}.{249}(?<customer_information>.{174}). As it contains PII data i need to mask it but keep the format of that event so the 174 characters within the customer_information field news to show as ####   Ive created this within the props.conf file but I can't get the data to be shown as ###. can you help? [mask_customer_data] DEST_KEY = _raw REGEX = ^[0-9]{16}.{249}(?<customer_information>.{174}) FORMAT = $1CI##############################################################################################################################################################################

Hi Splunkers, i work with Splunk Enterprise and wonder if i can modify content in share folder. I would like to change the fonts of the web-GUI to our corporate fonts and found the fonts used by splunk in $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/fonts and the CSS for that in ../exposed/build/css/bootstrap-enterprise.css (searched for proxima in the css) Will it have any Impact on splunk Version updates or Splunksupport if i change the Fonts to corporate Fonts? Thanks in Advance for your answers

Hello! Using AppDynamics (SaaS Pro Edition), we would like to collect logs from Azure, so we are able to create useful custom dashboards. The data we are interested in is currently collected by Log Analytics in Azure, but we would like to have some of that data in AppDynamics as well. All of the documention related to Log Analytics in AppDynamics mentions Analytics agent installation, but I don't think it applies to Azure App services for example, there's just AppDynamics App Agent extension available and afterwards there's no configuration to enable some Analytics Agent that you need to select while configuring Agent Scope/Source Rules. Is there a possibility to make use of Analytics Agents on Azure to fetch some logs?  Or is there another way to fetch the logs from Azure App Services that we can later see in Log Analytics or App Insights? Couldn't find an answer in the documentation. Thank you in advance! Marcin

Just putting this here for others who come across this problem since I got no results when I searched here. After upgrading to Splunk 9.0.1 and configuring an SSL cert for the kvstore I got this error on one of my two instances. On Windows, the kvstore relies on the server cert being in the Windows local machine certificate store. At startup it converts the supplied PEM (with embedded cert and password protected key) into a PFX which it then imports into the store. The error referenced in Subject is preceded by:   ERROR MongodRunner [9060 KVStoreConfigurationThread] - Command cmd="{CMD.EXE /C ( "C:\Program Files\Splunk\bin\openssl.exe" pkcs12 -inkey "C:\Program Files\Splunk\etc\auth\mycerts\splunkd.pem" -in "C:\Program Files\Splunk\etc\auth\mycerts\splunkd.pem" -passin pass:xxxx -export -out "C:\Program Files\Splunk\etc\auth\mycerts\splunkd.pem.pfx" -passout pass:xxxx )}" failed: exited with code 1. unable to load private key\r\n10460:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:.\crypto\evp\evp_enc.c:590:\r\n10460:error:0906A065:PEM routines:PEM_do_header:bad decrypt:.\crypto\pem\pem_lib.c:476:\r\n   I tried this command and it did not work. I tried the openssl command by itself in PowerShell and it DID work. The problem turned out to be one of the special character in the password I had set on my private key. I used open SSL to write out a new copy of the key with a different password with no special characters and lo and behold it worked. Just be careful to replace the new password in all locations it might be used (EG: Twice in server.conf and in inputs.conf on an indexer). The command for changing the password on your key is as follows:   .\openssl.exe rsa -aes265 -in mykey.key -out mynewkey.key -passin pass:oldpassword -passout pass:newpassword   Just make sure you are aware of what the special character in your old password might be and use PowerShell not the command prompt

Hi Team, I have a field which has the values in the below string format:  HH:MM:SS.3N 0:00:43.096 22:09:50.174 1:59:54.382 5:41:21.623 0:01:56.597 I want to convert the whole duration into minutes and anything under a min is considered 1 minute