You'll probably need to send the firewall events to another device via syslog and ingest them into Splunk via a forwarder on that syslog aggregator. https://doc.pfsense.org/index.php/Copying_Logs_to_a_Remote_Host_with_Syslog ... View more

What is the architecture of your pfsense firewall? Given that the OS is a modified BSD, even running on an Intel CPU, it's probably not going to work. You'll be better off collecting syslog output from the pfsense firewall and ingesting that data into Splunk via a forwarder on the device collecting the syslog. ... View more

Splunk would not put the data in an index you created unless it's directed to. You can run btool to look at your active configuration and that may lead you to the answer: splunk cmd btool inputs list --debug http://docs.splunk.com/Documentation/Splunk/6.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations ... View more

One possibility is that there is a transforms.conf being utilized that is forcing an index name. Are you using a Juniper app to view the data? This is probably the case if there happens to be an SRX index that you did not create. There is also a possibility that the date/time extraction is not happening properly, or the timezone is not set properly. If that is the case and you're looking over a relative time period (say back 15 minutes) or even all-time, your search may not return the events showing up from the SRX. When running your search, select real-time -> All Time (real-time) on the time picker. This should show events coming in (if they actually are coming in) regardless of whether or not they have a future time set. ... View more

A new add-on has just been released. The Splunk Add-on for Cisco ASA supports the Common Information Model and therefore works with Enterprise Security. http://apps.splunk.com/app/1620/ ... View more

Yes, I think this syntax is probably best then: SEDCMD- = y/ / / ... View more

The part of the name is somewhat arbitrary, it could be anything, it doesn't have to be the field name. If you want to change only the Asset_Title field in your events, you should do something like this: SEDCMD-title = s/Asset_Title=(MP)/Asset_Title=ZZ\1/g The ZZ will replace what's in the capture group (MP in this case). You'll have to adjust the regex to match the values in the Asset_Title field, as I'm sure the above example won't quite do it. If you want to post an example of your data, I can post a more accurate answer. ... View more

You're right, that is confusing. If you're dedicating a box to only indexing, then you will clearly need a separate search head. There is room in that range for a shared box though, depending on the specs and how it will be used. ... View more

It doesn't need to be a copy of the default. Only new items or those that you want to override in default should go into local. ... View more

It's doable but not as a "workflow" action. I think a custom drilldown will work for you here. http://docs.splunk.com/Documentation/Splunk/6.0/AdvancedDev/TableChartDrilldown ... View more

Whether or not there is benefit in integrating, primarily has to do with how vested you are in the use of qradar but also in how you want to use your data. The possibility for use cases, beyond what qradar can reasonably handle, is huge in Splunk. Of course, I'm speaking of the core capabilities of Splunk and not just ES. Splunk is a platform and it does not require that your data be fully parsed when it is indexed, so unlike database driven SIEMs, data can be parsed at search-time, to accommodate different use cases. In addition, data not relevant in a SIEM can be utilized in Splunk. ... View more

Hi Aaron- It could well be a permissions issue. Per the Splunk docs for the Citrix XenApp app: Microsoft PowerShell v2.0 is required on the Citrix Licensing Server and XenApp servers. Ensure the PowerShell execution policy is set to RemoteSigned at a minimum. http://docs.splunk.com/Documentation/XenApp/latest/DeployXenApp/Platformandhardwarerequirements Have you confirmed that those requirements are in place? FYI, you can set the executionpolicy via GPO if necessary. ... View more

Are you utilizing python that comes with the OS or the one that comes with Splunk? Try running your script like this: $SPLUNK_HOME/bin/splunk cmd python my_formula.py This should run it with the Splunk python distribution. ... View more

This error shows up when you're gathering data via an input that specifies an index that does not exist on the indexer. You mentioned that you reinstalled the Cisco Firewalls app and restarted, so you should have the index on your search head. Do you also have an indexer? You'll need to create the index (one named firewall in this case) on the indexer as well. ... View more

Can you post your search? ... View more

I may have misunderstood your question. It's not that deployment server can't drop any configuration file onto a deploymentclient but as you point out, there are some files where it doesn't make sense to manage them via DS. Those are generally configurations that would best be put in $SPLUNK_HOME/etc/system/local, instead of within an app context. ... View more

The scope of your saved searches is likely private or limited to the app(s) that they were created in. You can check by going to the manager, selecting "searches and reports", and clicking "Permissions" next to the saved searches in question. Change to "all apps" and set the appropriate role permissions. Your dashboard, in your new app, should then be able to see/use them. ... View more

BTW, this will match [\r][\n] but you mention "ignoring" the pattern. Do you mean that you've collected the data and you want to ignore those lines in your search results or do you mean that you'd like to not index the lines that contain that pattern? ... View more

It's not individual files that are in or out of scope for deployment server, it's the location where they can be placed. By default, "apps" that are deployed via deployment server will be placed in $SPLUNK_HOME/etc/apps. Deployment server cannot manage configuration files located in SPLUNK_HOME/etc/system/local. ... View more

By extract, do you mean that you want to remove the data prior to indexing? ... View more