Try this on the command line: /opt/splunkforwarder/bin/splunk list forward-server It should show you if the UF has successfully connected to any configured destination server. Also, do you get ANY logs from the forwarder at all, if only _internal logs? Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂 ... View more

Hey, what you're using looks like the "old" Microsoft DNS debug logs, where everything is written to a single file in a pretty terrible format. The Windows DNS TA however refers in it's installation instructions to this microsoft article, which tells you that you need either Windows Server 2012R2 or 2016, and requires a certain hotfix installed in case of 2012R2. So, you gotta follow that article, enable the proper logging, and the TA will then work with that data. The older debug style logs are not supported by the TA and are actually quite terrible 😉 Edit: You're right - the regexes match the old debug log style, but the linked article in the installation manual points to the new method. Whatever, if it works for you, let's try the timestamp recognition. TIME_FORMAT = %d/%m/%Y %H:%M:%S This also includes the time, maybe this works better. The timestamp you get is a common format, also in the US day + month are twisted. Splunk recognizes such timestamps by default, so no configuration is needed, and therefore you don't see it in the TA's default props.conf. BTW, this config should go on the first HF/indexer the data goes to. If this doesn't work out, please run this on the CLI: /opt/splunk/bin/splunk btool props list MSAD:NT6:DNS --debug and post the output as a comment here. Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂 ... View more

Hey, try this: | makeresults | eval START="04-30-2018 16:17:09" | eval END="2018-04-30 16:17:19.072" | eval end=strptime(END,"%Y-%m-%d %H:%M:%S") | eval start=strptime(START,"%m-%d-%Y %H:%M:%S") | eval DURATION=(end-start) | table start end DURATION | fieldformat DURATION=tostring(DURATION, "duration") | eval DURATION=replace(DURATION, "\.000000", "") Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂 ... View more

There is literally a million valid regexes on the Internet to extract IP addresses. Assuming the following: You only have IPv4 addresses They're always at the beginning of the event You could use this regex: ^((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?) Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂 ... View more

Simply put, you can't. KV Store lookups allow to only update certain records, but CSV lookups can only be written as a whole. You therefore have to do | inputlookup , then do your change, and then do | outputlookup so all data is written back to the lookup. You could however replace | table in your example with | fields . The | table command is only used for graphical representation, and is considerably slower than | fields , although it has the same effect in your use case. ... View more

Hey, check these answers, they should be adaptable to your problem: https://answers.splunk.com/answers/170826/set-delimiter.html https://answers.splunk.com/answers/627420/how-do-i-load-the-custom-delimited-file-with-heade.html ... View more

Usually, an add-on or TA (short for technical add-on) is only responsible for the data input and parsing, e.g. properly indexing and parsing the data, making it CIM compliant etc. If you want to have any "visual user experience" stuff, like dashboards/searches, you need to install the app, because that's what usually brings all those things. In some cases the app is "the add-on plus dashboards", but in this case you need to have the app AND the add-on installed, according to the manual of the app. Therefore, install both on the Splunk instances mentioned in the manual, and make sure to follow both manuals for installation instructions (especially the part that your data has to be indexed with sourcetype=fgt_log. Then everything should work out. ... View more

Ah, that you're using the SNMP input would habe been a valuable information at the start 😉 Yeah, if you deploy that app with on all UFs with a Config for all devices, you will get duplicates, true. Why however do you want to do one UF for one device? I would just take one UF that does this task and have him do all the SNMP work, and not spread it over 20 single instances, because that will most likely be awful too debug (and definitely awful to manage via DS). ... View more

...and you most likely want to use KV_MODE and not indexed extractions. Remember that in case 9d KV_MODE, this has to go on the search head, not on the indexer. In case of indexed extractions, it has to go on the indexer, and maybe on the search head (not sure about that). ... View more

The error you're seeing is from the ta-dockerstats addon you can find here on GitHub. This add-on is most likely meant to be run on a docker host, not inside a container. It's supposed to collect statistics about running docker containers etc, so I wonder why this is running inside your container? Did you built your Splunk UF container yourself, or are you using a premade one? ... View more

Can you explain why the inputs.conf has to be different on every UF? Basically - you can't dynamically change an app per UF, there is no templating or anything like this. So if you actually need to have a different inputs.conf per UF, you need to clone the app 20 times and assign each copy to it's respective UF - therefore it would be good to see the reason why you want to do this. 🙂 ... View more

You could try tcpdump -i eth0 tcp port 9999 -nn to see if traffic is actually flowing while Splunk is running - that would verify that connections are properly established and data arrives. ... View more

There is a lot to this topic and more than can be covered in a single answer here, so I'll just link you to the proper documentation. Check out About deployment server and forwarder management - it's a good point to get started and get a high level overview and more details to dig into. Hope that helps! ... View more

Thanks for updating this with your response. So - the question would be - if you just set all your indexes maxTotalDataSizeMB to the value of your volume's maxVolumeDataSizeMB everything should be fine - all indexes could grow to the max volume size, but they can't grow above the max volume size together. Did you try that? ... View more

Check index=_internal firewalls to see if you have any sourcetype parsing issues, or swap firewalls with 9999 in that search. 🙂 ... View more

Glad it worked out. 🙂 Would appreciate if you accept the answer/upvote it, so others can find the solution more easily. ... View more

Ah, yeah, the Powershell input uses a different cron format. Always forget that. Take a look at the Quartz docs - that's the cron implementation used for Powershell. If you adapt your cron schedule to that format, it should work. ... View more

There is no cost on this beyond your license, apps on Splunkbase are free if you can simply download them there. Only very few have special license costed associated, but then it's mentioned in the docs. The add-on seems to not have been updated since 2016, but that might simply be due to the fact that haproxy logs structure didn't change. I can't make any guarantees on compatibility with Splunk 7.x, but I'd assume as it's a rather basic add-on, it should work fine. ... View more

You can try a search like this: index_internal ExecProcessor - that should show you everything related to the component that is running the inputs. You might have to drill down on your specific host, search for "Error" or your powershell scripts, but that might give you errors that occured during script execution. ... View more

The Port used to initiate a connection from is random for several reasons, and this behaviour is common practice. Splunk doesn't offer a config parameter to change this, and (if I remember correctly) is behavior determined on a lower level (C library/operating system). I can't think of a good reason to force this to be a fixed port - maybe you can explain why you want to do this? Maybe we can find an alternative, or there is simply a misunderstanding in how this is supposed to work? ... View more

Yeah, that sounds difficult (I've no experience on gmetad). If you can get that data written to disc, you could have a python script preprocess and then ingest it. However, you might actually be better off with a simple macro that does the lookup on search time, because you're more flexible and can do more of it on the Splunk side of things, and need to do less dirty hacks on data-index-time-level 😉 If my answer helped you, would appreciate an upvote/accept, maybe others can profit from this too 🙂 ... View more

Ah, I missed the part about Splunk Cloud. The docs say this: To enable you to use Splunk Web to manage forwarders and configure data inputs) In the Deployment Server dialog, enter your Splunk Cloud hostname in the Hostname or IP field. Specify the URL provided in your Welcome email, omitting the leading https:// and preceding the URL with "input-". For example: input-prd-p-z41nh2qlt7cx.cloud.splunk.com. (Note: When you install the universal forwarder on other platforms, you must configure the deployment server/client settings manually by editing .conf files. On Windows, this logic is included in the installer.) Check this: https://docs.splunk.com/Documentation/SplunkCloud/7.0.0/User/ForwardDataToSplunkCloudFromWindows ... View more