Hi - I'm trying to have rsyslog send some data on port 4516 to my splunk server running on Centos. I setup a new data input within splunk on this server but I'm seeing the below in the logs. 06-11-2019 19:56:35.508 +0000 INFO TcpInputProc - removeUnusedAccptors - IPv4 port 4516 not used any more, will clean up 06-11-2019 19:56:35.508 +0000 INFO TcpInputProc - Closing raw IPv4 port 4516 06-11-2019 19:56:39.105 +0000 INFO TcpInputConfig - IPv4 port 4516 is reserved for raw input 06-11-2019 19:56:39.106 +0000 INFO TcpInputConfig - IPv4 port 4516 will negotiate s2s protocol level 4 06-11-2019 19:56:39.106 +0000 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 4516 with Non-SSL What could the issue be? I do see the server listening on that port so I'm not sure its a FW issue Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:8088 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:8191 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:8065 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:4516 0.0.0.0:* LISTEN - ... View more

I want to have a query on my dashboard and also an alert for the same query but when it comes to updates. I don't want to have to update it in two places... what's the best way to accomplish this? ... View more

My splunk event data has a mv list of zip codes that I'd like to put on a map but it looks like theres nothing out of the box to do the zip to long/lat and that I need to find a way to lookup the data? ... View more

My data in Splunk looks like so: geo { id: 0 internal_name: "TEST" type: LIST zip: 1 zip: 2 zip: 3 zip:4 zip: 5 zip: 6 zip: 7 zip: 9 ... etc description: "TEST" } geo { id: 1 internal_name: "TEST" type: LIST zip: 1 zip: 2 zip: 3 zip:4 zip: 5 zip: 6 zip: 7 zip: 9 ... etc description: "TEST" } geo { id: 2 internal_name: "TEST" type: LIST zip: 1 zip: 2 zip: 3 zip:4 zip: 5 zip: 6 zip: 7 zip: 9 ... etc description: "TEST" } geo { id: 3 internal_name: "TEST" type: LIST zip: 1 zip: 2 zip: 3 zip:4 zip: 5 zip: 6 zip: 7 zip: 8 description: "TEST" } I want to get the zip numbers all into their own field called zip — if I do it via regex, it only takes the FIRST value not all the others per event. Reading some of the docs, it seems like I need to do something with MV_ADD in my props or transform config files, but I can't find anything that clearly states what I'm suppose to do. ... View more

I have a multiline file that I'm trying to get Splunk to understand... note that I'm not using the .conf files, but relying on the add new data UI within Splunk to help... geo { id: 0 internal_name: "TEST" type: LIST zip: 7 description: "TEST" } geo { id: 1 internal_name: "TEST" type: LIST zip: 5 description: "TEST" } geo { id: 2 internal_name: "TEST" type: LIST zip: 1 description: "TEST" } geo { id: 3 internal_name: "TEST" type: LIST zip: 2 description: "TEST" } I've got this regex working as PCRE to break things up into events, but when I use that as the line breaker regex in Splunk, it just spits out one massive event.... (^geo \{(?s).*?\}) What am I doing wrong? ... View more