About richgalloway

richgalloway

Splunk does not have an out-of-the-box REST input. You have to install an app for that. There are a number of apps on splunkbase that support REST so perhaps you can use one of them as a model for building your own app to the API in question.

richgalloway

That document is for a specific source where the event size is well-defined. The information there cannot be generalized because the size of an "event" is unknown. I've seen event sizes range from <100 to >100,000 bytes so it is very difficult to produce an EPS number without knowing more about the data you wish to ingest. It's possible the documentation for other TAs provides the information you seek. Have you looked at the TAs for your data?

richgalloway

The Forwarder Management screen applies only to Deployment Server (DS) instances. A DS is a Splunk instance type that ensures each forwarder has the configuration (apps) it needs. DSs are optional and are unnecessary when you only have a single forwarder. When you installed the forwarder, did you configure it to forward data to the server? If so, then you should be seeing data from the forwarder. Verify that by searching for index=_internal host=f1 Make sure that returns results for continuing further. The next step is telling the forwarder what you want it to forward. By default, it only sends its own logs. Install the Splunk Add-on for Windows (https://splunkbase.splunk.com/app/742) on the forwarder and turn on (set disabled=0) the inputs you desire. Be sure to restart the forwarder after changing inputs.conf settings.

richgalloway

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

richgalloway

The current query can't do that because it only looks at failed logins. It will never see a successful login. The solution will entail appending a tstats command that counts successes and then modifying the where command to look for 6 or more failures and at least 1 success. You can find an example in the Basic Brute Force Detection use case in the Splunk Security Essentials apps.

richgalloway

Splunk is not going to be able to process that binary PowerPoint file without some pre-processing (manual or via a script).

richgalloway

You appear to have a hex dump of binary data. Decoding the hex will give you the original binary, but Splunk doesn't support binary data. I've seen similar-looking input when an encrypted input stream is not decrypted before being indexed. Double-check the TLS/SSL settings.

richgalloway

I just checked on a Splunk Cloud SHC and saw to difference in expansion time so I suspect there's something happening in your environment. Do you see any relevant messages in splunkd.log on the SH?

richgalloway

I find it interesting that you give the log file size in GB rather than events yet you expect UF documentation to provide EPS. @PickleRickhas explained why we cannot offer an EPS number and also why any talk about data rates is a guess at best. A Splunk UF is very capable of handling 100GBs of log files. Many customers do so regularly. Why problem are you trying to solve?

richgalloway

Same speed here. What is your environment like?

richgalloway

There may be a few ways to do that. Here's one. | eval Status = case(isnotnull(IPv4) AND isnotnull(IPv6), "IPv4 + IPv6", isnotnull(IPv4), "IPv4", isnotnull(IPv6), "IPv6", 1==1, "")

richgalloway

It depends on the size of an event. The UF is rate-limited by the maxKBps setting in limits.conf.

richgalloway

@marnallHas better eyes than me and spotted the mix of italics and non-italics in the bracketed text. The final regex likely will be a combination of our suggestions.

richgalloway

This regular expression works in regex101.com using the sample data. | rex field=pluginText "host:\s+(?<vendorSoftware>.+?)\s+\[(?<version>[^\]]+)] \[(?<installedDate>[^\]]+)" It looks for the "host" introductory text and skips the spaces which follow. The next set of text (terminated by whitespace before a left bracket) is the software name. The text in the two sets of brackets become the version and date, respectively.

richgalloway

I also expected the LOG field to be extracted. Were the changes to props/transforms installed on the first full Splunk instance the sees the data? Was that instance restarted? Is the screenshot showing new data (since the restart)?

richgalloway

Not only is it possible, it's mandatory. You don't have to worry about it, though, because Splunk manages it for you.

richgalloway

The subsearch derived the Member field from TeamMember so it would seem the main search, which uses the same index and sourcetype, would expect a field called "TeamMember" to come from the subsearch. For a join to work properly, both sides must use the same field name(s). This can be done using rename in the subsearch. Run the subsearch by itself with | format appended to see what the subsearch turns into. That resulting string, inserted into the main search, is what produces the final result set. Adjust the subsearch (or the join command itself) appropriately to get the results you want.

richgalloway

Done

richgalloway

There are many formats that someone would consider "normal". Almost none of them require rex. Use the strptime and strftime functions to convert one time format to another. | eval ts = strftime(strptime(ts, "%Y-%m-%dT%H:%M:%S.%9N%Z"), "<<your 'normal' format>>")

richgalloway

You are correct. Use the singular form.

richgalloway

Have you tried "Subject: $result.Level$ app in $result.APPDIRS$"?

richgalloway

The old events cannot be searched because they're on the old volume. Indexers have only one volume definition so they only know the current volume. Use OS tools to copy the directories from the old volume to the new one then restart the indexers.

richgalloway

Please explain what is meant by "it's not working". That phrase does not provide any actionable information. What are the current results and how do they differ from what you expect? Does the "other_transforms_stanza" do anything to the data that might affect the "my-log" stanza? Have you used regex101.com to test the REGEX? The "^.*" construct at the beginning of the regex is meaningless. Get rid of it.

richgalloway

The docs at https://docs.splunk.com/Documentation/Splunk/latest/Data/Applytimezoneoffsetstotimestamps#How_Splunk_software_determines_time_zones specify how Splunk determines the time zone for an event. Note that the UI setting is not included.

richgalloway

The FIELDALIAS attribute extracts fields at search time rather than at index time as requested. IME, it's unusual to have a single FIELDALIAS attribute define more than one alias. Be sure the props.conf file has line continuation characters (\) between each alias as shown in props.conf.spec. If that doesn't work, then use a separate FIELDALIAS setting for each alias.

Posts	15656
Solutions	2830
Karma Given	1572
Karma Received	6044
Member Since	‎07-24-2012

Online Status	Offline
Date Last Visited	3 hours ago

Receiving notifications that are disabled

collectd reports "write_http plugin: curl_easy_per...

How do you restart splunk?

stats count(eval) always returns zero

Need help getting right timestamp from CSV

How to display more than 5 questions per page on A...

What will break if I set coldPath to /dev/null?

Knowledge Object Explorer won't load

How to use a field in SingleValue label?

How to move an index to another app?

Re: Import data from REST APIs in Splunk Cloud

Re: EPS in flat file with universal forwarder

Re: Having trouble getting started

Re: need help on regex

Re: Correlation Search for brute force

Re: Automatic conversion from HEX to text

Re: Automatic conversion from HEX to text

Re: Macro Expansion - Possible Bug

Re: EPS in flat file with universal forwarder

Re: Macro Expansion - Possible Bug

Re: How to compare and calculate comparison flag f...

Re: EPS in flat file with universal forwarder

Re: Extracting fields from a large text field

Re: Extracting fields from a large text field

Re: extracting mv fields

Re: SmartStore in Splunk Cloud

Re: SubSearch is not getting the info

Re: How to make fields show in an alert?

Re: Convert Time with T and Z to Normal format

Re: How to make fields show in an alert?

Re: How to make fields show in an alert?

Re: Transfer existing events to new volume

Re: extracting mv fields

Re: Does the time setting on a Heavy Forwarder Fro...

Re: Field Alias issue in props.conf