You have the right idea, but that regex doesn't work because it's told to expect , "q" at the beginning of the event, which doesn't match the data.  Try SEDCMD-remove = s/, "q": 0, "user": "system.user.admin"//g Anchor tags (^ and $) are not needed as often as commonly thought. ... View more

Your plan is a good one.  I strongly recommend starting with a multisite cluster from the beginning to avoid extra work when you add the second site. ... View more

Have you completed any of the free training offered by Splunk?  There are many, including an intro to Splunk, how to use fields, how to extract fields, and how to do statistical analysis.  Find them here.  They may help answer some of your questions. Installing add-ons can help with automatic field extraction, but not always.  As I mentioned before, the add-on may expect a specific sourcetype name or may only be compatible with certain version of the vendor's product.  If there is no documentation then you'll have to read the add-on's props.conf file to see what it's trying to do.  This could be a challenge for a neophyte, but at the very least, the stanza names in props.conf should match sourcetype settings in your inputs.conf files.  Without a match, the props settings will not be applied. As for what to do with search results, the usual thing to do is refine the search.  A first search often returns too much information or doesn't correlate events as needed so additional SPL commands need to be added to get the desired output.  To use the Statistics tab, your query must contain a statistics command (stats, timechart, or chart). You may also find some of the Splunk documentation helpful Search Tutorial Search Manual   ... View more

The add-on *should* do extraction and normalization automatically, but read the docs.  The add-on may expect a specific sourcetype name or may only be compatible with certain version of the vendor's product. ... View more

It's more efficient to filter before dedup.  It means fewer results are returned to the search head for processing. I believe you do not need to escape backslashes in strings.  | where username!="NAM\OT00564" should be sufficient. ... View more

Make a copy of $SPLUNK_HOME/etc using your favorite tool. ... View more

The in function used with the where command has a very different syntax from the IN operator used with the search command.  An additional complication is neither in nor IN work well with the multi-value fields returned by stats.  For that, you probably want mvfind or do the filtering before stats. index IN ("pisupport", "pisupport-np") sourcetype=PIMessage ("procbook" AND "Successful Login") | rex field=_raw "Identity\sList:\s(?<identity>[^.]+)" | rex field=_raw "Username\s:\s(?<username>[^.]+)" | stats count AS Total_Connections, latest(_time) AS Latest_Timestamp, values(identity) AS Security_Mapping, values(host) AS Connected_Hosts, values(username) as LanID by username | eval discard=if(isnull(mvfind(LanID, "NAM\\OT00564|NAM\\CHawki5")),1,0) | where discard=1 | sort - Latest_Timestamp | eval Latest_Timestamp=strftime(Latest_Timestamp, "%Y-%m-%d %H:%M:%S") | table Latest_Timestamp, Total_Connections, LanID, Connected_Hosts, Security_Mapping   ... View more

There is an interim upgrade required before 10.0.2.  See https://help.splunk.com/en/splunk-enterprise/administer/install-and-upgrade/10.0/upgrade-or-migrate-splunk-enterprise/how-to-upgrade-splunk-enterprise#upgrade-paths-to-version-10.0-0   ... View more

Make sure you have the correct URL for your platform.  See https://help.splunk.com/en/data-management/collect-http-event-data/use-hec-in-splunk-cloud-platform/set-up-and-use-http-event-collector-in-splunk-web#send-data-to-http-event-collector-on-splunk-cloud-platform-0 There is a prefix required (http-inputs-) and the endpoint should end with "/event" or "/raw". ... View more

Probably, but the supported approach is to upgrade UFs last. CM/LM/MC SHC Deployer SHC members Indexers Intermediate Forwarders Universal Forwarders ... View more

If the data has a different sourcetype from that expected by the add-on then the add-on's field extractions will not be used.  Changing the sourcetype to fortigate_log in inputs.conf should fix it. ... View more

There are a few ways to onboard data into Splunk. Install a universal forwarder on the server to send log files to Splunk Have the server send syslog data to Splunk via a syslog server or Splunk Connect for Syslog Use the server's API to extract data for indexing Use Splunk DB Connect to pull data from the server's SQL database. Have the application send data directly to Splunk using HTTP Event Collector (HEC). ... View more

Responses to what?  How high is the roof?  How are you measuring it? When did you upgrade to Splunk 10?  Do all hardware meet or exceed the Recommended Hardware specs? ... View more

Since the data is not structured as expected by the "default add-on", you will have to craft your own add-on to parse the fields. ... View more

That's worth trying. ... View more

Splunk has a host field that identifies the sending server, but there is nothing built-in that identifies the source location (site, IP, etc).  You would need to add fields to include that information.  Use INGEST_EVAL in transforms.conf to do that. ... View more

What are looking at to determine there is an indexing delay?  Another possibility is event timestamps are not honoring the correct time zone and so events just *appear* to be delayed. ... View more

A field that will only accept a standard email address certainly will not accept a PowerShell script. ... View more

Splunk probably expects a dot and TLD in the domain name of the email address.  Go to https://ideas.splunk.com to ask for support for local email addresses.  Until that is added, use a standard email address. ... View more

That you are ingesting Management events, but not Network Activity events tells me there is an input defined for the former, but not the latter.  Perhaps this is not the intent, but it is the effect. Can you share the CloudTrail input(s)? ... View more

You need an input to tell Splunk to ingest the Network Activity data. ... View more

Have you configured and enabled an input as described in https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudTrail/ ? P.S. It appears the version 7.10.0 is no longer available to consider upgrading to 7.11.0 or newer. ... View more

We need more information. Are you saying to want to send data collected by Splunk to GCP?  Is that all data or just some of it? Can you be more specific about the destination?  Saying "GCP" is like saying "AWS".  Both offer a large number of services with different requirements and capabilities. What is your SIEM? It may be necessary to write code that uses the API to fetch data and then ship it to GCP. ... View more