Hi @JGP, Forwarders are always waiting for data to read and forward. If you don't receive data is because there isn't any new data. You can check if the Forwarder us up and running checking the the presence of Splunk internal logs: index=_internal host=your_forwarder I always create an alert that make this check because if a Forwarder is down you're blind. Ciao. Giuseppe ... View more

Hi @AL3Z, CIM compliance is usually granted by the Add-On you're using, for this reason, when you have to use a data flow in ES it's a best practice to check the CIM compliance of the used Add-On and you can find this information in Splunk baseline. If you don't have a CIM Compliant Add_On (because your data flow hasn't an Add-On in Splunk baseline or because you created your own Add-On), you have to manually modify your  Add-On. You can do this with the support of some app like Add-On Builder or CIM_Validator. In very (and not exhaustive) words you have to: create eventtypes to tag your data, create field aliases to normalize your field names, create some calculated field to normalize values of some fields (e.g. action). Ciao. Giuseppe ... View more

Hi @Rakzskull, no as me and @isoutamo said in deploymentclient.conf there's the address of the Deployment Server, the server with the role to manage forwarders, instead in outputs.conf there's the address of Indexers or Heavy Forwarders that muste receive logs from the UF. They can be the same server in labs or little infrastructure, nevere in medium or big deployments, because in this case both Indexers and Deployment Server must be in dedicated servers, so they have diferent IPs. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @krithikar, it should woth also with wildcard, but if they aren't so many, you can create a stanza for each one. Anyway, remember that you have to put this configuration in the first full Splunk instance that data passing through, in other words not on Universal Forwarders. Check the choice to disable the inputs that's better and easier. Ciao. Giuseppe ... View more

Hi @Sekhar, please trys this: | rex field=msg "studentinformation\\\"\s+:\s+\\\"(?<studentname>[^\"]*)" that you can test at https://regex101.com/r/GQVTYF/1 Ciao. Giuseppe ... View more

Hi @krithikar , if you want to delete all the logs from some servers, why don't you disable those inputs? anyway, as described at https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues you should try to put in props.conf: [host::your_host] TRANSFORMS-null= setnull and in transforms.conf: [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue  Ciao. Giuseppe ... View more

Hi @Sekhar, let me understand, you can correlate events using the id field or there some other corrrelation rule? if you can use id to correlate events, you could try something like this: (index=emp source=empsource " offer letters") OR (index=manager source=manager source " relieving letters") | stats earliest(_time) AS earliest latest(_time) AS latest values(branch) AS branch values(managerid) AS managerid values(empname) AS empname BY id | eval diff =latest-earliest, | eval earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"), latest=strftime(latest,"%Y-%m-%d %H:%M:%S") Ciao. Giuseppe ... View more

Hi @Sekhar, if you could share some sample of your data I can be more sure. anyway, you should try something like this: | rex field=msg "student\s+information\"\s+:\s+\"(?<studentname>[^\"]*)" Ciao. Giuseppe ... View more

Hi @pm2012, as I said a different order isn't the same, for this readon I asked a rule. Without a rule it's difficoult to create a regex for fields extraction. Ciao. giuseppe ... View more

Hi @Rakzskull, as @scelikok and @isoutamo hinted you have to update both deploymentclient.conf and outputs.conf. My hint is to create a new add-on (called e.g. TA_Forwarders), containing at least three files: apps.conf: describing the add-on, outputs.conf: addressing the HFs or the Indexers to send data, deploymentclient.conf: addressing the Deployment Server. in this way you can centrally manage your Universal Forwarders without locally intervene on the machines. Ciao. Giuseppe ... View more

Hi @rithikas, what's the name of this app? did you checked in Inactive Apps? Anyway, if this app is deprecated or only too old, probably it isn't compatible with the new Splunk Versions. Ciao. Giuseppe ... View more

Hi @AL3Z, create an alias and add it to your Data Model, as I said it isn't a best practice to have spaces or special chars in field names. you should have the same issue also using this field (with {}) in some commands as eval. Ciao. Giuseppe ... View more

Hi @AL3Z, as you can read at https://docs.splunk.com/Documentation/AddOns/released/Overview/SplunkCloudinstall, if you have Victoria Experience (the new interface to install Apps on Splunk Cloud),  you can install apps from Splunkbase by yourself, there are some controls only to install custom apps that must be checked and usually have issues to be solved before installation. Ciao. Giuseppe ... View more

Hi @f_666dhn, let me translate your question in Splunk language: you have a lookup containing ip hostname and owner. Then you have a search on an index containing ip address and you want to enrich your search on your index with hostname and owner, is it correct? if this is your need, please try this search: index=your_index | lookup invent.csv ip OUTPUT host AS hostname owner | table ip hostname owner I supposed that the ip address has the same field name both in index and lookup, otherwise you have to rename it the lookup command. Ciao. Giuseppe ... View more

Hi @AL3Z, CIM field names are predefined ( for more infos see st https://docs.splunk.com/Documentation/CIM/5.1.1/User/Overview). but it's possible to add custom fields. Obviously custm fields must follow some rules. e.g. field names cannot contain spaces or special chars. So which field do you want to add? Ciao. Giuseppe   ... View more

Hi @informations4, in my opinion, in general, you should have: an Indexer Cluster with two Indexers and a Master Node, eventually (better!) a Search Head Cluster, with three Search Heads and a Deployer, only for lab, you could put the Deployer on the same server of Master Node, if you don't want a Search Head Cluster, you can use one Search Head, a Deployment Server, only for lab, you could put it on the same server of Master Node, une or two Universal Forwarders (possibly one Linux and one Windows), then you should configure one of the servers to send syslogs to the Linux Universal Forwarder. I configured my lab with six VMs and I used my laptop as client to manage using the DS. Ciao. Giuseppe ... View more

Hi @AL3Z, In CIM, there's a Data Model called "Data Lost Prevention" for this scope. Ciao. Giuseppe ... View more

Hi @bitnapper, if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @AL3Z, where, in Manage apps? what's the issue? Ciao. Giuseppe ... View more

Hi @zacksoft_wf, it's used when the log is multirow. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the Contributors 😉   ... View more

Hi @willsy, see what you have in the Downtime field, maybe there are different formats values: e.g. sometime 10, and sometimes 10d. identify the different choices and extract the numers using a regex. If you share some samples containing all the choices, I could help you. Ciao. Giuseppe ... View more

Hi @AL3Z, go in [Manage Apps > browse More apps] and choose Anomali ThreatStream App for Splunk. Then you have to insert your Splunk credentials (not Splunk Cloud Credentials!) and the installatin is automatic. i suppose that you have to configure inputs, but I cannot give informatio because I never dis it, but there's a documentation on anomali site about Splunk Integration. You can find few additional documentation also on https://splunkbase.splunk.com/app/3443  Ciao. Giuseppe ... View more

Hi @willsy, which is the time format of Downtime? define the threshold in the same time unit and then use the where command to make a filter,  so e.g. Downtime is expressed in days, you can use  | where Downtime>90 if it's expressed in seconds, you can use: | where Downtime>7776000 Ciao. Giuseppe ... View more