Also note that for Search Head Clustering there is a new replication port that you can pick, e.g. 8181. Also with SHC you need the KV store port (by default, 8191) must be available to all other members. You can use the CLI command splunk show kvstore-port to identify the port number. The replication port must be available to all other members. ... View more

Contact Splunk Cloud Ops support and get the IPs of your Search Heads, and supporting management servers. Only your search heads should have direct user access. When you setup ldap.conf you will need to specify the secure port. Use good SSL certificates to complete the connection. ... View more

no this applies to both linux/windows splunk running dbx2 ... View more

Also getting this error when trying to setup a connection from a Splunk 6.2 HWF to a MSSQL 2012 database server. Java bridge is running, increased splunkdConnectionTimeout in web.conf to 90. Logged into Splunk as admin/changeme and using DB Connect 1. With DB Connect 2 I couldn't get the default cert to generate on this system. ... View more

Syslog servers when they operate in a tiered deployment, e.g. syslog to syslog server. This type of header nesting also occurs as per the RFC 3164. Splunk is acting the same way as a Syslog server would. http://wiki.splunk.com/Community:Test:How_Splunk_behaves_when_receiving_or_forwarding_udp_data ... View more

Create a csv file for your domain threat list. Upload the csv file to SplunkEnterpriseSecuritySuite/lookups Create a lookup definition. Create a threatlist definition. [threatlist://malwaredomains] delim_regex =, description = "Threatlist:Malware domains" fields = domain,description,category,risk skip_header_lines = 1 type = "Threatlist:Malware" url = "lookup:// " weight = 90 Make sure that the data source you want this threat list to match has the DEST field populated with a domain value. ... View more

I think you have to add more slashes to get this working. [monitor://C:\Windows\System32\dhcp] With the (“\”s added. ... View more

I've filed a case to request this feature. ... View more

For URLs it would be good to split the url into parts. The URL can be main domain, but also has embedded cookie, referrer, etc. The threat list should be matching against all of its value within url field ... View more

You can't do this to Windows Forwarders from a Linux Deployment server. You need a Windows Deployment Server to manage windows permissions / environment. ... View more

check out the answer i posted - hope this helps ... View more

Approach 1: Set each system to use a different udp port, then setup your config to have an distinct index/sourcetype easily, just change inputs.conf to use the ports you are sending syslog to. This example, udp:1514, and udp:2514. Approach 2 Set up a genric udp listener on 514 or 5514 (if 514 is reserved) and change the index and sourcetype based on the incoming ip address, for this change props and transforms to set the index/sourcetype by regex. Both approaches are encompassed below in the following inputs,props,transforms.conf by utilizing a listener on the ports, and transforms to set the index/sourcetype based on host. Setup inputs.conf # these are the default index/sourcetype that will be assigned to incoming data from 514, UNLESS there is an override specified in the props and transforms [udp://514] connection_host = ip # connection_host = dns # connection_host = none #approach 2 see props and transforms [udp://1514] # approach 1 and done disabled = 0 source = udp:1514 sourcetype = cisco index = my_cisco [udp://2514] # approach 1 and done disabled = 0 source = udp:2514 sourcetype = vmware index = my_vmare [udp://5514] # 5515 can be used when splunk is not running as a sudoer since 514 is reserved port. connection_host = ip # connection_host = dns # connection_host = none # approach 2 see props and transforms Set your props.conf like this # Props.conf [source::udp] NO_BINARY_CHECK = true SHOULD_LINEMERGE = false TRUNCATE = false MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = %b %d %H:%M:%S TZ = America/Chicago # set the host as from the incoming udp packet TRANSFORMS-gethostfromdata = set_host [source::udp:514] # set two transforms for index and sourcetype for each device coming in from this port #Approach 2, because we haven't separated the ports for cisco and vmware, we need to apply transforms to change to the right index/sourcetype # cisco TRANSFORMS-get-cisco-index = set_index_cisco TRANSFORMS-get-cisco-sourcetype = set_sourcetype_cisco # vmware TRANSFORMS-get-vmware-index = set_index_vmware TRANSFORMS-get-vmware-sourcetype = set_sourcetype_vmware # drop non-relavant events to nullqueue TRANSFORMS-drop-events-nullq = drop_events_nullq TRANSFORMS-get-syslog-index = set_index_generic_syslog TRANSFORMS-get-syslog-sourcetype = set_sourcetype_generic_syslog [source::udp:1514] # cisco TRANSFORMS-get-cisco-index = set_index_cisco TRANSFORMS-get-cisco-sourcetype = set_sourcetype_cisco # drop non-relavant events to nullqueue TRANSFORMS-drop-events-nullq = drop_events_nullq [source::udp:2514] # vmware TRANSFORMS-get-vmware-index = set_index_vmware TRANSFORMS-get-vmware-sourcetype = set_sourcetype_vmware # drop non-relavant events to nullqueue TRANSFORMS-drop-events-nullq = drop_events_nullq [source::udp:5514] # rerouted from 514 network data, because 514 is usually reserved port TRANSFORMS-get-cisco-index = set_index_cisco TRANSFORMS-get-cisco-sourcetype = set_sourcetype_cisco # vmware TRANSFORMS-get-vmware-index = set_index_vmware TRANSFORMS-get-vmware-sourcetype = set_sourcetype_vmware TRANSFORMS-get-syslog-index = set_index_generic_syslog TRANSFORMS-get-syslog-sourcetype = set_sourcetype_generic_syslog # drop non-relavant events to nullqueue TRANSFORMS-drop-events-nullq = drop_events_nullq Setup transforms.conf # Transforms.conf [set_host] #grab the first IP address and use that as the real host (syslog) DEST_KEY = MetaData:Host REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s FORMAT = host::$1 [TrashComments] # drop lines that start with # REGEX = ^\s*# DEST_KEY = queue FORMAT = nullQueue # Set cisco BY incoming IP address by using REGEX [set_sourcetype_cisco] REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(10\.000\.00\.00)[\w\.\-]*\]?\s DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::cisco [set_index_cisco] REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(10\.000\.00\.00)[\w\.\-]*\]?\s DEST_KEY = _MetaData:Index FORMAT = index::my_cisco [set_sourcetype_syslog] REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(10\.000\.00\.00)[\w\.\-]*\]?\s DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::syslog [set_index_syslog] REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(10\.000\.00\.00)[\w\.\-]*\]?\s DEST_KEY = _MetaData:Index FORMAT = index::my_syslog Summary: Change inputs.conf, props.conf, and transforms.conf to collect UDP on multiple ports (on per device type) or on a single port that has to then split the traffic up incoming connection ip/name ... View more

from a search performance perspective you would want to raise the max_memtable_bytes to encompass your large lookups, but realize that your RAM memory will start to swap if you start utilizing memory system wide too much. ... View more

Is the file d:\PingFederate\PingIISAgent.evtx readable if you edit it? If not then it is in proprietary format. Sounds like you are trying to read events? You probably need to enable logging from the PING system. You may want to enable logging such as : Administrator Audit Logging Runtime Transaction Logging Security Audit Logging Server Logging Which is documented here on Ping's website. http://documentation.pingidentity.com/display/PF610/Managing+Log+Files The logs are stored by default in the /pingfederate/log directory and end in *.log not evtx. ... View more

Hi OP, wondering if your files were on an auto rotate backup schedule? ... View more

moving the bucket location means that acceleration needs to be rebuilt. ... View more