Install Splunk the way that you plan to.  Start Splunk. See what the pat is where it creates the splunk.secret file.  Stop Splunk.  Remove EVERYTHING.  Reinstall Splunk. BEFORE YOU START SPLUNK, drop the splunk.secret file.  Start Splunk. ... View more

This problem is impossible to solve at the Splunk level.  I *suspect* that it is maybe possible to solve at the syslog level, if you only have one service. ... View more

Here are some things that hopefully you can change/disable that can get in the way: FIPS selinux firewall (firewalld) missing route dns ... View more

I just had this problem and I suspect that it is just to big and that this would have fixed it: https://docs.splunk.com/Documentation/ES/latest/Install/InstallEnterpriseSecurity#Step_2._Install_Splunk_Enterprise_Security For me, that was a hassle so I just downloaded it and did this from the CLI: cd $SPLUNK_HOME/etc/apps tar xf /tmp/python-for-scientific-computing-for-windows-64-bit_410.tgz ... View more

If in *nix, you should be able to tap "q" to skip the text and get to the prompt. ... View more

The "easiest way" is almost never the "right way".  The "right way" is almost always to drop it as early in the transmission pipeline as possible.  So if syslog-ng, then do it with an IP filter in syslog-ng.  The easy way is to drop it at the indexer, but I would never do it that way. ... View more

You are already there, just set it as an alert with "Number of Results is greater than 0": index="_internal" AND sourcetype="splunkd_access" AND Http | rex "HTTP\/\S+\"\s+(?<responseHttp>\d\d\d)\s+" | eval result=if(like(responseHttp, "200"), "Success", "error") | stats count(eval(result="Success")) AS Total_Success, count(responseHttp) AS Total | eval Success_Count=(Total_Success/Total)*100.0 | stats avg(Success_Count) AS SuccessRate | where SuccessRate<40 | eval message="SuccessRate is low, please take action." ... View more

There are MANY reasons for this including: See "maxKBps = <integer>" section here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf If you are using "monitor", you MUST clean up old files because the scanning breaks down SEVERELY once you have 200 or so files co-resident, even if you are NOT monitoring them!  You can switch to "batch" which deletes the files once read. ... View more

Works for me: |makeresults | eval file="foo.exe" | where not match(file, "\.(jpg|png)$") ... View more

The problem is that your lookup will create TWO multivalued fields: "Base" and "Category" and unless you entangle them row-wise they association will be lost.  You can do this 2 ways.  You can merge the 2 fields into a single field called "Base_and_Category" and then do filter/split/mevexpand, but this is probably more trouble than it is worth.  The other option is to lookup each (potentially) multivalue field separately and filter/stats/mvexpand before doing the other field.  Try this: |makeresults | eval _raw=" Base Host Category X device1 Lin X device2 Win X device3 Lin M device2 Lin M device14 Win M device15 Win" | multikv forceheader=1 | fields - _* linecount | outputlookup eraseme.csv | stats count BY Host | rename Host AS hostname | rename COMMENT AS "Everything above is setup; everything below is your answer" | lookup eraseme.csv Host AS hostname OUTPUT Base | stats count BY hostname Base | search Base="M" | lookup eraseme.csv Host AS hostname Base OUTPUT Category ... View more

BTW, if you have control over the creation of the file at the original source, you can just ensure that this line is inserted by that host (since he clearly knows his own hostname): ***SPLUNK*** host=YourHostValueHere ... View more

You are very correct about your situation.  There are TWO very unknown/unused splunk configurations that I have used in such situations.  You are implying that the host value can be found somewhere inside of the file, hopefully on the first line.  You are going to combine this: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Assignmetadatatoeventsdynamically with the "unarchive_cmd" here: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf So here is some unarchive code that we used to create a Semaphore event that summarizes the data (so that we can test the data found by search against what the semaphore event says should be there and know FOR SURE whether our search has all the data from the file, or some of it is missing for some reason): [source::....import] unarchive_cmd = gawk 'BEGIN { min="999999999999"; max="0"; count="0" } /./ { match ($0, /"time":([0-9\.]+)/, time); min = (min > time[1] && time[1] > 0 ? time[1] : min ); max = (max < time[1] && time[1] > 0 ? time[1] : max); count++; print } END { "date +%s.000000" | getline date; close("date"); print "{\"time\":"date",\"earliest\":"min",\"latest\":"max",\"NumberOfRecords\":"count",\"SplunkIndexingStatusSemaphore\":\"Splunk Indexing Complete\"}" }' sourcetype = preprocess-yourSourcetypeHere So what this does is that when splunk sees a file named "*.import", it passes the file to this "gawk" script which calculates "min(_time) max(_time) count" as it echoes out each line of data for the UF to process.  Then, at the very end, it emits a final JSON summary event.  So we get each original line/event as-is/as-was, AND 1 extra, super-useful event. Your use case is a bit different.  You will need to is buffer the events/rows/data until you get the to point where you can discern the host.  Then you emit a line like this to "stdout": ***SPLUNK*** host=YourHostValueHere Then you will reprocess your queue, then continue processing the file's rows/events echoing out lines as-is. ... View more

This is a basic boolean logic error.  Try this: ... NOT (eventtype="xxx" AND eventtype="yyy") ... View more

Why studio?  I know how to do it in SimpleXML... ... View more

This is not a Splunk question.  This is a security or Fortiweb question.  But in general, map the events to the "Network Traffic" datamodel and then leverage the usecases from there (think "Splunk Security Essentials"). ... View more

You get it wherever you can.  In the filenname.  In the directory path.  In the file createtime.  In the file modtime. Somewhere inside of the file.  It has to be somewhere. ... View more

| rex "GET\s+\/shopping\/carts\/v\d+\/(?<justAcart>[^\/]+)\s+HTTP" ... View more

Just setup throttling. ... View more

|makeresults | eval APM_ID = "ABCDE-FVG-HH HBBB-NDBXB-SM A1001 SBSKS A0002 JJSKM" | rex max_match=0 field=APM_ID "(?<APM>A\d{4})" ... View more

Yes.  I updated my answer to help better. ... View more

Exactly. ... View more

There are several parts as follows: 1: Get new data in. 2: Do the CIM mapping. 2a: Usually there is an app in splunkbase that does this but is it doing it's job well enough?  Check with this: https://docs.splunk.com/Documentation/CIM/latest/User/UsetheCIMtovalidateyourdata 2a1: Sometimes the app does a good job. 2a2: Sometimes the app needs to be fixed. 2a2a: Sometimes the author can be found and cares and will update the app if you send him your fix. 2a2b: Most of the time, your fix is for you alone. 2b: Sometimes there is no app and you have to do ALL of the work yourself. 3: Set your "cim_*_index" macros.  You can use a scheduled search in the "CIM Toolkit" app to do this.  This search can also be scheduled to let you know when your macro needs to be updated:  https://classic.splunkbase.splunk.com/app/6243 The CIM Toolkit is a treasure trove of useful macros, searches, and ideas on how best to leverage the CIM in a SIEM. ... View more

[Username] REGEX = \"SubjectUserName\">(?<Username>[^\<]+) ... View more