So we have both Snort and Sourcefire in our environment. I'm using a simple search to create a table of the top hits but the results are inconsistent. (all searches below are for the same time parameters and performed within seconds of each other) sourcetype="SNORTIDS" OR sourcetype="eStreamer" | rename Message AS msg | top 25 msg gives me 20 different messages. BUT reviewing the results, we noticed that some messages from eStreamer were missing. A quick check revealed the following: sourcetype="SNORTIDS" | rename Message AS msg | top 25 msg yields 20 unique messages. sourcetype="eStreamer" | rename Message AS msg | top 25 msg yields 10 unique messages. If I search specifically for the messages that we know are missing, the search is successful, so I know those events are in the index. But then why doesn't sourcetype="SNORTIDS" OR sourcetype="eStreamer" | rename Message AS msg | top 25 msg yield all 30 messages? (and yes, the 20 found in the first are completely different from the 10 found in the second) Is this a mistake where I don't understand how the search syntax works or is there something deeper in the Splunk configuration that is wrong? ... View more

My question is similar to the below: http://answers.splunk.com/answers/179701/splunk-db-connect-why-am-i-getting-an-error-config.html This saga started when I upgraded to 1.2 back on July 17. At the time I was running Java 1.7. Things got a little crazy and I never noticed that I stopped getting data from ePO. Fast forward to this week when I finally noticed that my ePO dashboards weren't working. While troubleshooting, I found that I need to upgrade java to 1.8 as DB Connect 1 version 1.2 didn't work with java 1.7 I upgraded to Java 1.8 and removed versions 1.6 and 1.7. So I now have DB Connect 1 version 1.2 and I also upgraded Splunk Add-on for McAfee to version 2.1.1 Splunk is installed on CentOS 6.5 and McAfee ePO 4.6.9 is running on a Windows 2008R2 server with MSSQL 2008R2. java bridge is now running just fine. But here's my problem. I am still not getting any events from ePO. I've double/triple checked that the domain/username and password are correctly entered. I don't have any errors in splunkd.log, dbx.log or jbridge.log. However, when I go to the Splunk DB Connect app and go into the Database Info page where it had the Database Tables panel and I click the 'Fetch tables' button, I get nothing back (after, mind you, selecting the correct database in the drop down above). Also, when I got to Settings- External Databases - mydatabase and try to re-enter the domain/username and password, I get this error: Encountered the following error while trying to update: In handler 'databases': Error connecting to database: com.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2043][11550][4.19.26] Exception java.net.ConnectException: Error opening socket to server /x.x.x.x on port 3,700 with message: Connection refused. ERRORCODE=-4499, SQLSTATE=08001 And if I go to Settings - Database Inputs - myinput and (without changing anything) click save, I get this error: Encountered the following error while trying to update: Splunkd daemon is not responding: (u'Error connecting to /servicesNS/-/dbx/dbx/dbmon/dbmon-tail%3A%252F%252Fmcafee_epo_4_db%252Fta_mcafee_epo_4_input: The read operation timed out',) and finally, if I got to the app itself and go to settings - Splunk DB Connect configuration and click save (with or without changing anything), I get the following error: Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/dbx/dbx/install/java I'm wondering what else I can do. The two things I know I have not tried are 1) Uninstall and reinstall DB Connect 1 and 2) Install and use DB Connect 2. Suggestions? Thanks. ... View more

My question is probably related to the (unanswered) question: http://answers.splunk.com/answers/219615/why-is-the-splunk-for-palo-alto-networks-app-not-p.html I have a single Palo Alto forwarder from which I am sending the logs to an index (one of two) and then searching the data at the search head. I installed the Palo Alto app straight from the apps.splunk.com and the default has appeared to work just fine until now. Today I noticed that it appears the parsing is not working properly. If I use the following search: index=pan_logs sourcetype="pan_traffic" 10.10.10.10 the search results are parsed correctly with extractions and labels and such, but if I just search for 10.10.10.10 and I have results from a variety of sources and source types, any results from with sourcetype 'pan_traffic', are NOT parsed at all, do not have any labels and data extracted beyond the very basic syslog parsing: Selected host 10.10.10.10 source udp:6514 sourcetype pan_traffic Event eventtype pan pan_traffic index pan_logs linecount 1 splunk_server SPLUNK.xxx.xxx Time _time 2015-07-22T13:36:30.000-04:00 Default punct __::_--.-._,//_::,,,,,//_::,...,...,...,...,__,..\ This makes it hard to correlate the actions of the IP I'm searching for with other events from other sourcetypes. Any idea what is going on? We need to be able to search a single data point and view the results from all sourcetypes with that data point to get a story of what that data point is doing. Thanks. ... View more

So I have not created any new views or dashboards or anything with Sideview Utils. At the moment, I'm only using it to do some "in web gui" management of a couple of my lookup tables. Recently I updated to Splunk 6.2.3 and today I went to Sideview Utils - Tools - The Lookup Updater. When I did that, I got multiple popups saying "Splunk encountered the following unknown module: "Pulldown" . The view may not load properly". It seems the searches on this error have to do with users who are creating pulldowns using Sideview Utils. As I mentioned, I have not created any pulldowns, yet I'm getting this error. Should I remove the app and reinstall? Is there another fix? Thanks. ... View more

So I have a device which sends it logs in CEF format via syslog. This is not an ArcSight connector. I have configured this device to send these logs to a syslog server which in turn writes them to a file /var/log/<date>-device.log and I have setup the server as a Heavy Forwarder which monitors that file (and others) and sends those events to an Indexer where I now access those events via my SearchHead. So I installed the CEF (Common Event Format) Extraction Add-on for Splunk Enterprise to correctly parse these logs. But while all the posts about properly configuring this addon talk about modifying the props.conf and properly placing the transforms.conf file, I'm not sure which props.conf to modify and where to place the transforms.conf. Normally on the Search Head, I would modify the props.conf and transforms.conf in the app, but there is no app in this case, and there is not a local/props.conf under /opt/splunk/etc/apps/SplunkForwarder. There is a default/props.conf under /opt/splunk/etc/apps/SplunkLightForwarder/, but I don't know if that's the right place. I have the same issue with the Heavy Forwarder and the Indexer, not sure what props.conf to modify and not sure where to put the transforms.conf. I tried to modify the props.conf and transforms.conf in the SearchHead, after installing the addon, but that doesn't seem to have fixed it... Suggestions? Thanks. ... View more

I have just built a brandy new syslog server. The purpose of this server is to provide a buffer so that instead of sending all syslog traffic directly to my indexers and losing data when I have to restart the indexers for various reasons or the connectivity drops or whatever, all that traffic comes to the syslog server which then gets sent to the indexers. The idea is that this machine would be capable of buffering events if the indexer can't be reached. So my question is this: Is it best to: receive remote logs via syslog, write them to a local file/database and then use a universal forwarder to send to indexers receive remote logs via syslog, write them to a local file/database and then use a heavy forwarder to send to indexers receive remote logs via syslog, and use syslog to forward again to indexers Thanks. Oh, and IF #1, how many universal forwarders can you have on a single machine? ... View more