Technically, you could do a common list of CA's and bind them to all inputs (or just make one input with all those CAs) but I suppose you might not want that.  In that case you just bind one CA to one input and another CA to another input. You can then even limit access to just allowed SANs. ... View more

Let's try one last time! In props.conf, the source stanza actually follows a modified regex syntax. (See my other comment from 19-nov-2024 or just read props.conf.spec). So the following should work [source::/opt/splunk/var/log/syslog/*lx0001*/*] or perhaps [source::/opt/splunk/var/log/syslog/*lx0001*/*.log] But re-reading the original post, @jonatanjosefson was actually trying to set some property for all syslog events corresponding to a particular host name pattern - you can do that using a host stanza instead of a source stanza: host::*lx0001* To me, this seems easier to understand and maintain, as it will work even if the directory structure of the syslog files changes over time. It depends only on the hostname, and not the file name or location.       ... View more

Hi @jaibalaraman yes this should be fine, visit compatibility Matrix: https://docs.splunk.com/Documentation/Splunk/9.3.2/Installation/Systemrequirements#Supported_Operating_Systems   ... View more

To troubleshoot your sources failing to lastchanceindex, I recommend checking if your REGEX pattern is too strict. If this helps, Please Upvote. ... View more

try this: index=_audit action=search is_realtime=1 | eval search_type=case( search_id LIKE "scheduler%", "Scheduled Search", search_id LIKE "rt_scheduler%", "Real-Time Scheduled Search", search_id LIKE "dashboard%", "Dashboard", search_id LIKE "adhoc%", "Ad-hoc Search", 1=1, "Ad-hoc Search" ) | eval human_readable_time = strftime(_time, "%Y-%m-%d %H:%M:%S") | stats count by user, search_type, _time | rename human_readable_time AS "Time", user AS "User", search_type AS "Search Type", count AS "Search Count" | sort - "Time" ... View more

Hello @tchimento_splun @rjteh_splunk  looks like this bug is still happening in 9.3.0 ... View more

Hello @somesoni2 what a great idea to name it same way and using upper/lower case to make them different between eventtype & EventType... 😶 ... View more

The usual consultant's answer - "it depends". The most often used field extraction - the search-time extractions are defined on the search-head tier because... tada! they happen during search time 🙂 (actually their definitions are replicated internally to indexers so that searches can run properly but these are internal intricacies you don't have to concern yourself with at this point ;-)). But if you want to create so-called "indexed fields" (which isn't often done but the possibility is there), you have to define them in ingest-time which means either on indexers or on any other "heavy" component your events go through first. ... View more

Hello, my deployment server shows 11 errors, however the query doesn't return any results and I have selected all time. Where would I go from here? ... View more

Thanks! ... View more

I get this too.  In Splunkd.log, we see the shutdown process, but then it just... doesn't shut down... until it times out. Looks like the shutdown process completes, but the HttpPubSubConnection keeps going. Shutdown [182482 Shutdown] - shutting down level="ShutdownLevel_Tailing" 08-15-2024 22:27:57.171 +0000 INFO Shutdown [182482 Shutdown] - shutting down name="TailingProcessor" 08-15-2024 22:27:57.171 +0000 INFO TailingProcessor [182482 Shutdown] - Will reconfigure input. 08-15-2024 22:27:57.171 +0000 INFO TailingProcessor [182482 Shutdown] - Calling addFromAnywhere in TailWatcher=0x7f4e53dfd a10. 08-15-2024 22:27:57.171 +0000 INFO TailingProcessor [182712 MainTailingThread] - Shutting down with TailingShutdownActor=0 x7f4e77429300 and TailWatcher=0x7f4e53dfda10. 08-15-2024 22:27:57.171 +0000 INFO TailingProcessor [182712 MainTailingThread] - Pausing TailReader module... 08-15-2024 22:27:57.171 +0000 INFO TailReader [182712 MainTailingThread] - State transitioning from 0 to 1 (pseudoPause). 08-15-2024 22:27:57.171 +0000 INFO TailReader [182712 MainTailingThread] - State transitioning from 0 to 1 (pseudoPause). 08-15-2024 22:27:57.171 +0000 INFO TailingProcessor [182712 MainTailingThread] - Removing TailWatcher from eventloop... 08-15-2024 22:27:57.176 +0000 INFO TailingProcessor [182712 MainTailingThread] - ...removed. 08-15-2024 22:27:57.176 +0000 INFO TailingProcessor [182712 MainTailingThread] - Eventloop terminated successfully. 08-15-2024 22:27:57.177 +0000 INFO TailingProcessor [182712 MainTailingThread] - Signaling shutdown complete. 08-15-2024 22:27:57.177 +0000 INFO TailReader [182712 MainTailingThread] - State transitioning from 1 to 2 (signalShutdown). 08-15-2024 22:27:57.177 +0000 INFO TailReader [182712 MainTailingThread] - Shutting down batch-reader 08-15-2024 22:27:57.177 +0000 INFO TailReader [182712 MainTailingThread] - State transitioning from 1 to 2 (signalShutdown). 08-15-2024 22:27:57.177 +0000 INFO Shutdown [182482 Shutdown] - shutting down level="ShutdownLevel_IdataDO_Collector" 08-15-2024 22:27:57.177 +0000 INFO Shutdown [182482 Shutdown] - shutting down name="IdataDO_Collector" 08-15-2024 22:27:57.178 +0000 INFO Shutdown [182482 Shutdown] - shutting down level="ShutdownLevel_PeerManager" 08-15-2024 22:27:57.178 +0000 INFO Shutdown [182482 Shutdown] - shutting down name="BundleStatusManager" 08-15-2024 22:27:57.178 +0000 INFO Shutdown [182482 Shutdown] - shutting down name="DistributedPeerManager" 08-15-2024 22:27:57.692 +0000 INFO TcpInputProc [182624 TcpPQReaderThread] - TcpInput queue shut down cleanly. 08-15-2024 22:27:57.692 +0000 INFO TcpInputProc [182624 TcpPQReaderThread] - Reader thread stopped. 08-15-2024 22:27:57.692 +0000 INFO TcpInputProc [182623 TcpListener] - TCP connection cleanup complete 08-15-2024 22:28:52.001 +0000 INFO HttpPubSubConnection .....  ... ... INFO IndexProcessor [199494 MainThread] - handleSignal : Disabling streaming searches. Splunk continues to write log lines from HttpPubSubConnection - Running phone.... after the Shutdown, nothing else shows up in the logs.  I re-ran "./splunk stop" in another session, and it finally logged one more line and actually stopped. ... View more

Can you expand on how your team did it? Ideally with step-by-step methods. ... View more

I propose the last option. But in 1st phase it could be easier to find differences without --debug option (this shows where those are defined). After you know those differences then look where those are defined. ... View more

The only thing that could work (but I haven't done this myself) is to use ingest actions. You'd need to use ingest actions to rewrite index on already parsed data. But the caveat is that I'm not sure if you can do it as a "default" action or if you have to define it per every sourcetype separately. ... View more

Subject moved to https://community.splunk.com/t5/All-Apps-and-Add-ons/Solution-Splunk-Enterprise-Security-ES-incident-review-not/m-p/694084/thread-id/80869#M80870 ... View more

Hello, this is old topic but want to know if pushing addon from deployer using encrypted credentials in new local/passwords.conf (previously encrypted by clustered search head) is different in term of behavior than configuring addon on search head (web UI) and letting SHC replicating passwords.conf? ... View more