You're welcome 🙂 cheers, MuS ... View more

Sorry, but there is no id in this question and I also don't know what your events look like or your expected output looks like. This is really up to you to figure it out or accept this answer and post a new one with more details. cheers, MuS ... View more

Well, don't forget that your load balancer must be HA as well - and yes F5 does a pretty decent job in handling the Splunk traffic. cheers, MuS ... View more

Is this in Search Head Cluster, distributed setup or a single instance of Splunk? cheers, MuS ... View more

Hi scottprigge, Please provide feedback on the docs page for authorize.conf, the docs team are awesome in checking such findings 😉 It might be just wrong in the docs, or you found a bug. And yes, the default is in Splunk 7.1.4 as well enabled . But you should be able to disable it by actually using [default] schedule_rtsearch = disabled instead of just an empty value for the option. Hope this helps ... cheers, MuS ... View more

Hi socverne, The docs of the apps https://splunkbase.splunk.com/app/3435/#/details tell you this: The searches rely on tools included in Splunk platform to perform anomaly detection, such as the URL toolbox to detect Shannon entropy in URLs So you need to install https://splunkbase.splunk.com/app/2734/ to be able to use the macro. BUT, and some greeting to the BOTS 2019 Team here ;), be aware that this macro returns wrong 2nd level domains for some URL's! The only way to get around this is to actually use a regex and get the 2nd level domains this way. I ended up with this regex to get the correct 2nd level domains: (?<my2ndLevelDomain>[^.]+)\.(?:(?:com|net|org|edu|gov|asn|id|csiro|)\.au|co\.(?:bb|ck|cr|in|id|il|jp|nz|za|kr|th|uk)|[\w\s]{2,})$ Hope this helps ... cheers, MuS PS: @eliasit, yes you still can install the app on Splunk 7.2.x and use it with the above mentioned issues/problems 😉 ... View more

Can you please provide at least two anonymised events for each criteria? Thanks cheers, MuS ... View more

try this: what ever search here earliest=-0h@h | timechart span=5min partial=f count This will search the current hour and only returns events for chunks of 5 minutes, where the 5 minutes already have passed and the chunk is complete. cheers, MuS ... View more

I would try | bin _time span=5m | stats values(*) AS * by _time and see if this helps to solve your problem. cheers, MuS ... View more

In this case, did someone say cough cribl cough 😉 ... View more

Glad I could help - Enjoy the new superpower 🙂 cheers, MuS ... View more

The inputs name will translate into a source::http:InputNameHere which in turn should be useable in props.conf But I must admit, I have not yet tried it 😉 cheers, MuS ... View more

Hi twinspop, you can always use the good old props.conf / transforms.conf approach and add a meta field this way. Here is an example transforms.conf I use to add the hostname of the parsing HWF to events: [add-relay-info-to-meta] FORMAT = splunk_hwf::HostNameHere REGEX = . WRITE_META = true Yes, it is a static value but I assume you will not change your HEC input too often 😉 Hope this helps ... cheers, MuS ... View more

Hi rashi83, take a look in the official Splunk GitHub repository https://github.com/splunk/splunk-ansible you will find a lot of Ansible playbooks in there. Hope this helps ... cheers, MuS ... View more

So, what does your /var/log/messages tell you? Looks like the recent change of /etc/init.d/splunk did not work. cheers, MuS ... View more

Just as addition to this answer here is the docs link https://docs.splunk.com/Documentation/Splunk/latest/Search/NOTexpressions with some good examples. And regarding the search vs where use search if you want to search (HaHA) for a field value and use where if you want to compare two fields or use eval() functions on a field, see the docs https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/search#Comparing_two_fields cheers, MuS ... View more

Might be also worth to read this here https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptWriting cheers, MuS ... View more

Do you pass any timestamp with to output? Search all time in main ... View more

Every output to stdout from a script that is run by Splunk will be indexed. Simply make your script to output to stdout and you will have the output indexed. cheers, MuS ... View more

No -O , everything that goes to stdout will be indexed by Splunk when running scripted/modular inputs. cheers, MuS ... View more

Just a slight modification to it: $SPLUNK_HOME/bin/splunk btool serverclass list --debug | grep -v 'system/default' > /tmp/serverclass.conf Do don't want to keep all the default settings in your config 😉 cheers, MuS ... View more