This MS doc shows their API limits https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-quotas   ... View more

I didnt see the error posted, but long file paths over 255 characters may cause snapshot creation failures, as the OS may not be able to write them. ... View more

this may be what youre looking for: https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/MonitorWindowseventlogdata#Create_advanced_filters_with_whitelist_and_blacklist   ... View more

Have a look at this addon: https://splunkbase.splunk.com/app/4107 basically, send ubiquiti data via syslog to a syslog server, where you can have a Splunk UF monitor it and send to the cloud.   ... View more

Have a look at this: https://splunkbase.splunk.com/app/1317 and this older post: https://community.splunk.com/t5/All-Apps-and-Add-ons/AMQP-Messaging-Modular-Input-How-do-we-configure-a-RabbitMQ/td-p/219123   ... View more

For the UF to collect data, it needs to have an inputs.conf configured to tell it what to collect. There is a default inputs.conf with the UF where you can enable things for it to collect, or you can install TAs (addons) from splunk base, which will come with their own inputs.conf. The outputs.conf tells the UF where to send the data to (you have that part set up fine). A Deployment server is able to distribute those TAs with inputs.conf (and other files) to the UFs, so you can centrally manage what they collect. The method you are using to try and add data is for UFs that connect to your Deployment Server. Since you are not using the Deployment server, you will need to enable the inputs.conf on your UF directly. ie, install/configure the TAs/addons on the UF manually.  See here: https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/Configuretheuniversalforwarder the default inputs.conf that ships with the windows UF has lots of inputs setup to collect all sorts of data, but they are disabled by default. in the inputs.conf, is where they can be enabled. ... View more

Hello, Looks like you need to do the iplocation before hand, as the data doesnt yet contain the Country info until you do. This may not be the most efficient, but try this to get started, it worked for me: index=myFirewall   |  iplocation clientip | lookup blacklisted.csv blacklisted_countries AS Country OUTPUT blacklisted_countries AS Country |  geostats count by Country I created a lookup called blacklisted.csv with a column called blacklisted_countries which contain the list of countries. Ensure the names are initial caps. so Spain, not spain. Also, not sure why you were doing the stats count by src_ip first, since the geostats is doing a count by country anyway, and that stats command will be removing all the fields aside from src_ip too.  So I just took it out.   ... View more

Hello mwdbhyat, There is a capacity planning guide for splunk:  https://docs.splunk.com/Documentation/Splunk/8.0.4/Capacity/IntroductiontocapacityplanningforSplunkEnterprise Fot 3TB/day, you may want to consult your sales team and their SE. ... View more

Hello, This sounds like you are using a local copy of splunk. If so, the default minimum disk free space needed for Splunk to index data is 5GB. See here to change this setting:   https://docs.splunk.com/Documentation/Splunk/8.0.4/Indexer/Setlimitsondiskusage#Set_minimum_free_disk_space   ... View more

Hello Jonathan, How many alerts are coming from the FMC when they do arrive? If its a very low number, you may need to check and reduce the batch size: Here is a potential issue that sounds like yours: https://www.cisco.com/c/en/us/td/docs/security/firepower/630/api/eStreamer_enCore/eStreamereNcoreSplunkOperationsGuide_354.html#_Toc529958499 Batch Size The eNcore for Splunk add-on also attempts to improve performance by batching received events and only writing them to output when the threshold for the batch has been reached. The default batch size is 100 events. If the event rate is very low, then a batch size of 100 events could cause an unwanted delay in the appearance of events in Splunk. For example, if intrusion events are the only events that are handled and the intrusion event rate averages 100 events per hour, then the first event in a batch will often be delayed an hour or more while the batch completes and is written to disk. To reduce such delays the batchSize can be set to a lower value, or to eliminate them entirely, the batchSize can be set to 1. The disadvantage of setting batchSize to 1, is that in high-throughput environments, the overall event rate will be lower. An example of the batchSize configuration in the estreamer.conf file is shown here: "batchSize": 50 ... View more

Try putting double quotes around Routing_Location in the stats: Change from this: Routing_Location="$Routing_Location$" | fillnull | stats count(_raw) AS Attempts by ANI,Routing_Location | sort -Attempts To this: Routing_Location="$Routing_Location$" | fillnull | stats count(_raw) AS Attempts by ANI, "Routing_Location" | sort -Attempts ... View more

As an alternative, if you can go directly to splunkbase and download the app to a local machine in your network, you can then install it through the GUI on your Splunk Instance from within your company network. ... View more

from the looks of the error returned from netezza $EMPID$ is being passed in as a literal string, and not the list of employee ids. So netezza is getting: 'select "Employee Name" PR FROM BIA_BA_EUL."View Employee Helpdesk" WHERE "Employee Number" IN $EMPID$ as opposed to something like: 'select "Employee Name" PR FROM BIA_BA_EUL."View Employee Helpdesk" WHERE "Employee Number" IN ('123','456','789') You need to check the list of EMPIDs is proper, and the full query is being created with it. To see the empid list and query being generated, you could do something similar to this: | rex field=_raw "(?[0-9]{12})" | dedup EMPID | fields EMPID | stats values(EMPID) as EMPID | eval EMPID = "'".mvjoin(EMPID, "','")."'" | append [| eval query_text="select \"Employee Name\" PR FROM BIA_BA_EUL.\"View Employee Helpdesk\" WHERE \"Employee Number\" IN (".EMPID.")"] | table EMPID, query_text This should You should show you the SQL statement that is being generated, and will be easier to see whats wrong, such as syntax ... View more

I just realized you are not passing EMPID as a variable/token, you are passing a created field. The |eval EMPID=.... is creating a field called EMPID, not a token. Try using EMPID as a field name in the creation of the query, and just concatenate it in: ... | append [| dbxquery connection="EMP-PR" query="select \"Employee Name\" PR FROM BIA_BA_EUL.\"View Employee Helpdesk\" WHERE \"Employee Number\" IN (".EMPID.")"] ... View more

ah, gotch. just realized that. is EMPID an int in the DB? have you tried the IN clause without single quotes around the values, just the commas to separate? ... View more

Are you extraction PR as a field automatically? it's not in the SPL above. if you just do a search for: splunk_server=ass index="ass_main" host=*pr does PR show as a field? If not, you may need to extract it, just like you did with EMPID. Also, the EMPID looks to take from the beginning as there is no pattern to match before (or after), so it may be grabbing too much. Is there data, or some text around the EMPID in the records? something to tell rex where to start and end? Please take a look here for some sample rex commands: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rex ... View more

Hello, in your |rex command, you are creating a field called EMP. Did you mean to make that variable called EMPID? ... View more

Hello, I found on the nxlog site, the integration steps for splunk: https://nxlog.co/documentation/nxlog-user-guide/splunk.html nxlog can output to a file, and sub-directories based on the source. A splunk UF/HF can monitor these and send them to the indexing tier. set the host to the path segment where the files are being written (the directory created for each source should be the hostname of the source). that way, splunk will assign the correct host to each event. ... View more

hello aohls, can you post your SPL? are you specifying 'span=1w' in your timechart? ... View more

in v2.2 you can also add the argument output=csv which will omit the _raw and _time fields. |dbxquery connection="whatever" query="SELECT%20id,name%20FROM%20table" output=csv shortnames=true | dedup name ... View more

This blog may help: http://blogs.vmware.com/networkvirtualization/2016/01/vmware-nsx-security-splunk.html ... View more

This blog may help http://blogs.vmware.com/networkvirtualization/2016/01/vmware-nsx-security-splunk.html ... View more