Hi, We have recently migrated from LEA to checkpoint log exporter facility to collect Checkpoint firewall logs in CEF format. Even after trying multiple props configuration, we still observe events breaking at irregular intervals. Some events parse correctly at the start and end of the event and some in between or abruptly. we even tried the splunk add-on - https://splunkbase.splunk.com/app/4180/ Does anyone have a working props? ... View more

hi, we are trying to route windows security event logs from UF's to Splunk indexers and also to a syslog aggregator. we would like to read the event log only once on the UF and are using a HF as interim relay to route data to desired locations. On UF we have the Splunk_TA_Windows application deployed On HF we have a outputs.conf: [tcpout] connectionTimeout = 45 defaultGroup = all_indexers forwardedindex.0.whitelist = .* [tcpout:all_indexers] autoLB = true server = IDX1:9997, IDX2:9997 [syslog] connectionTimeout = 45 [syslog:clf_syslog_group] server = Syslog1:514 Props.conf [WinEventLog:Security] TRANSFORMS-routing = WinSecEvent-Splunk,WinSecEvent-Syslog SEDCMD = s/[\t\n\r]/ /g TRUNCATE = 0 Transforms.conf [WinSecEvent-Splunk] REGEX = (.) DEST_KEY = _TCP_ROUTING FORMAT = all_indexers [WinSecEvent-Syslog] REGEX = (.) DEST_KEY = _SYSLOG_ROUTING FORMAT = clf_syslog_group The above configuration works fine until the part where it routes data to different output groups. However, I would like the splunk indexed logs would still be in the RFC 3614 or splunk parsed format but have events on syslog as normalized using above props. is this a possibility? how do we apply two parsing patterns for one sourcetype? - maybe based on the output group? please advise. Thanks. ... View more

Hi, We have had this working in the past, but for some reason, now, i am unable to forward filtered events to one Tcp group. Both the output groups receive all events. To summarize, the UF to send winevent:security to tcpout:hf group, HF to route winevent security logs based on the eventcode filters to indexers and syslog archivers. but i am receiving all event codes to indexers as well as syslog. On UF: Inputs: [WinEventLog://Security] _TCP_ROUTING=HF disabled = false index=idx1 start_from = oldest current_only = 1 evt_resolve_ad_obj = 1 checkpointInterval = 5 [WinEventLog://Application] disabled = 0 index = idx1 start_from = oldest current_only = 0 checkpointInterval = 5 Outputs: [tcpout] defaultGroup = indexers forceTimebasedAutoLB=true useACK = true autoLBFrequency=15 [tcpout:indexers] server = idx1:9997, idx2:9997, idx3:9997, idx4:9997, idx5:9997, idx6:9997 [tcpout:HF] autoLB=true server = HF1:9997,HF2:9997 HF Outputs [tcpout] defaultGroup = indexers forceTimebasedAutoLB=true useACK = true autoLBFrequency=15 forwardedindex.2.whitelist = (_audit|_introspection|_telemetry|_internal) [indexAndForward] index=false [tcpout:indexers] server = idx1:9997, idx2:9997, idx3:9997, idx4:9997, idx5:9997, idx6:9997 [syslog] ## syslog outputs for archive## [syslog:syslogGroup] disabled=false server=syslog:514 HF Transforms [WinSecEvent-Splunk-SubSet] REGEX = (?m)^EventCode=(4634|4776) # need to forward selected events to indexers REGEX = (?m)^(.EventCode=(4634|4776).) DEST_KEY=_TCP_ROUTING FORMAT=indexers [WinSecEvent-Syslog-All] REGEX = (.) # Archive all event codes on a syslog archive DEST_KEY=_SYSLOG_ROUTING FORMAT=syslogGroup What am i missing 😕 Thanks in Advance!! ... View more

Hi , We have configured a couple of Bluecoats on TCP custom ports on a HF. i see the data flowing in but the Bluecoat admins frequently comment that they are receiving alerts for failed upload to Splunk. My 1st guess is that the port is exceeding the buffer limit or has filled up its queue. But how can I ensure there is no data loss? Can we enable multiple listeners on a HF? We are to onboard more Bluecoats to Splunk through the same HF. Is there a limit to the number of listeners we can configure on a HF? Does it affect performance? Thanks, Shiv ... View more

Hi, I need help with props.conf for line/event breaks, the log has to be split by MsgId="LOGON" event followed by 8 MsgId="WSECL". below is an example how it should look like. As of now events are merged. basically event should break between 2 LOGON MsgId's 11:08:36.472 -I [REQ MsgId="LOGON" UId="XYZ123"] 11:08:36.512 -I [REP MsgId="LOGON" Tkn="12XYZ12" UId="XYZ123"] 11:08:36.518 -I [REQ MsgId="WSECL" Tkn="12XYZ12"] 11:08:36.524 -I [REP MsgId="WSECL" Tkn="12XYZ12"] 11:08:36.529 -I [REQ MsgId="WSECL" Tkn="12XYZ12"] 11:08:36.534 -I [REP MsgId="WSECL" Tkn="12XYZ12"] 11:08:36.538 -I [REQ MsgId="WSECL" Tkn="12XYZ12"] 11:08:36.544 -I [REP MsgId="WSECL" Tkn="12XYZ12"] 11:08:36.547 -I [REQ MsgId="WSECL" Tkn="12XYZ12"] 11:08:36.551 -I [REP MsgId="WSECL" Tkn="12XYZ12"] 11:08:36.686 -I [REQ MsgId="ISACTIVE" Tkn="12XYZ12"] 11:08:36.686 -I [REP MsgId="ISACTIVE" Tkn="12XYZ12"] Thanks for you help ... View more

my log looks like below and i wanted to know if i could make a single regular expression to extract all xxx-xxx numbers The following messages were logged on 12/07/16 at 07:52:10. 0420-094: blah blah blah destination. 0423-245: blah blah blah changed. 0420-098: blah blah blah job. 0424-138: blah blah blah. so if Regex is Number then i would like to see number 0420-094 0423-245 0420-098 0424-138 or to better understand if i do a stats count by number number | Count 0420-094 | 1 0423-245 | 1 0420-098 | 1 0424-138 | 1 i know i can do multiple regex's for each one and then coalesce to merge them all, but if there's a better way then why not 🙂 ... View more

I have 4 unique and standard values under one field extraction topic. I want to combine them into two values and use the output for my tokens in dashboard panels. topic | count A | 10 Aa | 10 B | 5 bb | 5 Required output topic | count A | 20 B | 10 ... View more

i am dealing with a imilar issue, i am trying to ingest webserver logs and the historical log data in webserver is huge and brought splunk down when i tried to ingest. i want splunk UF to start from the latest or the day before's log file and ingest the new log files that are created in future Example: exclude logs till march 27th. ingest march 28th.log march 29th.log march 30th.log march 31th.log april 1st.log . . . . . and all log files post march 28th ( normal splunk UF behaviour) can i use current_only=1 setting or any other suggested recommendation. Hope i was clear enough. Thanks in advance ... View more