Ah sorry in my test search I had just status. Change status to statsCode and you should be good to go ... View more

In the text editor for putting your question theres a little picture of some 1s and zeroes. It will open a code box you can paste your xml in there ... View more

Have you tried just TIME_FORMAT = %H:%M:%S.%3N in your props.conf? Splunk extract the correct time and will apply the date from the current system time which would be fine if you're indexing live files. ... View more

Have a look at index=_internal sourcetype=dbx* . Depending on the version of dox you are running there are different log events in there to extract information from. Then it would just be a matter of creating an alert from your search. ... View more

You are correct that the UFs will maintain their own fishbuckets. I can't speak to best practice but in my own experience the best way to deal with logs on shared directors was to have a dedicated forwarder reading the logs. That way the forwarder is no longer part of the applications' infrastructure, so maintenance to your clustered application will not disrupt the splunk forwarder. ... View more

Do you want the hash of the file or the hash of the filename? The filename you can hash easily enough like | eval hash=md5(filename_field) . There shouldn't be a need to index that - you can run it at search time. If you want to calculate the hash of the file itself you'll need to do that with a scripted input - the universal forwarder by itself won't pull that from the event log (unless there is a windows event that contains that information) There are most likely many answers on here about the best way to do malware monitoring - also check out the channel #security on the Splunk slack for more advice ... View more

Hi, it would be helpful if you demonstrated the search you are currently running, and possibly some sample events and what you expect the output of your SPL to be ... View more

Best practice is to use syslog-ng/rsyslog as a collector and then have either a universal forwarder collect the data or if you want to go state of the art use the HEC (https://conf.splunk.com/files/2017/slides/to-hec-with-syslog-scalable-aggregated-data-collection-in-splunk.pdf) HFs have their place but you will definitely run into issues at scale. If you go down the HEC route (and given you already have an HF tier that should be easier to set up) it will be a doddle to add additional metadata. For the best practice set up the best way to have forwarder attribution is to have syslog write to a path with some metadata in the path name. For example.... /var/log/$syslog-collector-name/$HOST/$FACILITY Then the source field in splunk will contain the name of the syslog host the data was received at. ... View more

Theres no way for the UF to do this. Your options are either to write a script that copies the latest one for you, or simply index all three files and pick the latest one during search. ... View more

Not 100% sure what you're after but Sstats and sort is all you should need. ... | stats values(FIELD_TEXT) AS FIELD_TEXT by GROUP_ID Field1 | sort Field1 This will give you something like this: GROUP_ID Field1 FIELD_TEXT A 0 Select B 0 name A 2 from A 4 table2 B 4 table If thats not what you need, | stats list(FIELD_TEXT) as FIELD_TEXT list(Field1) as Field1 by GROUP_ID will give you something like this: GROUP_ID FIELD_TEXT Field1 A Select from table2 0 2 4 B name table 0 4 If you're coming from a SQL back ground this document may help you adjust to Splunk: http://docs.splunk.com/Documentation/SplunkCloud/7.0.3/SearchReference/SQLtoSplunk ... View more

UFs cannot share state with one another. If you monitor the same NFS path with three different UFs you will get triplicated results. Where are the logs being generated? It would be better to run the UF on the host that is generating the logs, that way you don't need to deal with any NFS issues. ... View more

That is odd - the initCrc should not be changing (unless theres a timestamp at the top of the file or something) so it should not be re-indexing the whole file. Do you have some customisation around how bash histories are written in your environment? That said, if you're serious about monitoring commands you should look at auditd instead. There is no good way to do time attribution on a bash_history file, as all session history is written on log out. ... View more

The best way to handle this is to have double quotes in your event. IE make it something like MESSAGE="PPQR14142 PghZDxfscbn :ascasc12" Otherwise build a regex extraction with the field extractor: http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/ExtractfieldsinteractivelywithIFX ... View more

The best way to check an oracle connection is to use sql*plus and actually connect. from the splunk host. IO Socket does indicate a network issue BUT it could be something else. ... View more

I'm guessing thats because the data type is a 64 bit signed doubles , so theres a maximum amount of precision. ... View more

How are you expecting flowTuples to extract? The below (as you have in your sample events) is a single object array (and hence will be a single value in splunk) flowTuples: [ 1531920192,11.11.111.111,12.12.122.122,1608,703,U,O,A 1531920222,11.11.111.111,12.12.122.122,14172,703,T,O,A ] correctly I think it should be flowTuples: [ [1531920192,11.11.111.111,12.12.122.122,1608,703,U,O,A] , [1531920222,11.11.111.111,12.12.122.122,14172,703,T,O,A ] ] If you cannot fix the underlying event you could do something in search - what does the flowTuples field in Splunk look like when it has multiple values? (ie ...search to get a flowTuples with multiple values ... | head 1 | fields flowTuples ... View more

A private SloshBurch experience? @tfechner you're in for a treat 🙂 ... View more

Its going to depend on what the raw data looks like. Can you possibly post a series of events with the same field A to show us the flow you're talking about? ... View more

Nothing there looks wrong. What does your db_inputs.conf look like? ... View more

So Header Extraction has a very important role to play, and that is in keeping your data schema free. Consider a csv with three fields, A, B and C. As its a CSV, each event (ie each row) has zero context in it other than column ordering. You could create a search time field extraction based on that column ordering, which would be fine unless someone reordered the columns to say, A, C and B. Now if you modify the field extraction for the source, all events prior to the change will have incorrect field information! So, instead splunk adds the field metadata from the header to each event . That way if the schema of your csv changes, it doesn't matter - splunk will just read the updated header and apply the metadata as it always does. In terms of impact bear in mind that the metadata is being added at INPUT time, rather than index time (indeed this setting must be on the forwarder), so the load on the indexer is not the same as doing regex parsing on the indexer to add custom fields. Now in terms of why you shouldn't do this for unstructured sources, the opposite is true - the file for an unstructured source does not contain schema information. So if you apply a schema through index time field extraction, and the datas schema changes, you have now broken future events, and you will be sad. Have a look for Martin Muellers conf talks on indexing - they will illuminate how this works. Also, try it for yourself. Turn on indexed_extractions and play with the walklex command to see whats actually happening to the tsidx. ... View more

Can you post some sample data/searches? The answer is very much it depends ... View more

Not something I've seen before. Theoretically JSON/py dict key order is irrelevant (although I think arrays are meant to be returned in element order) and there is nothing broken in returning the data out of order, but I agree it it nice when it comes back the same way every time. That said other than the look of it, this shouldn't be causing an issue - is it breaking your search in some way? ... View more