Do you have any IPS or something like that in between those two components? Because it looks awfully similar to an over-zealous "protection" solution which resets "bad" TLS connections. Notice that each side blames the other one for the connection closing. I've seen this myself - an IPS/NGFW/whatever notices some "strange" communication (from his point of view) and sends RST to both sides. ... View more

What do you mean by "array"? And are you sure you want a left join? It looks  more like inner join. ... View more

From the technical point of view - you don't have to. https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Wheretofindtheconfigurationfiles It's just that if you don't keep your configs "tidy", they can get confusing quickly with settings being spread all over the place 🙂 Hmm... but if you have splunktcp input and you can see TLS handshake over the wire then UF must be applying some TLS settings and trying to negotiate secure connection. ... View more

OK, because your initial posts weren't clear on this. Do you have splunktcp:9997 (or splunktcp-ssl)  input enabled? I think I only saw a http input. Or maybe you enabled plain tcp:9997 input instead of splunktcp?   ... View more

Thank you for an exhaustive response. I always found autoregress more straightforward and obvious but it seems I sill have to learn a bit more about streamstats. 🙂 ... View more

Short of checking what searches were spawned? I'm afraid you can't. ... View more

Well, regardless of my personal opinion about it, that's how it is. As long as the services are provided from US, they do not fall under GDPR jurisdiction and you created your account of your own free will. There might be other laws in play if you're talking about services provided from within EU (I'm not sure if Splunk provides Cloud services from geographicaly-limited infrastructure - haven't used Cloud myself yet) but that's a different story. ... View more

Extracting everything between "USER" and a colon (":") is relatively easy: USER\s(?<username>[^:]*): There is one caveat though. If your username contains a colon (":"), it will only capture the username up to (and without) that colon. BTW, you could try TA for proftpd - https://github.com/jewnix/TA-proftpd ... View more

Again - syslog is a separate layer. From application perspective you should just use a common logging framework (if I remember correctly, Python has one built-in). Then you - depending on the target logging method - should just create proper handler either emiting syslog messages (then you can use rsyslog/SC4S or even splunk's built-in tcp/udp listener) or a handler sending events to HEC endpoint. Or one writing to files (then you can set your UF to read from files).   ... View more

You get ACK/RST as first response or after initial 3-way handshake and some trafifc exchange? Maybe you have some mismatch in TLS settings between HF and UF? ... View more

I'm  a bit confused - are you trying to log from your own application or want to build application to receive syslog and write to splunk? If the former - why you mention syslog? If the latter - there are already working solutions for that. ... View more

There are two issues with your search. 1. Your subsearches must return properly named columns. Are you sure that you don't need to do some "| rename"? 2. With subsearches provided this way you only add further conditions to your search. You will still not get any results if there are no events matching the condition set. If you want to find which hosts didn't send anything, you'd have to append "fake" results from a pre-defined set of hosts, and then - for example - sum them with your found events. Then you'd see which results have zero ocurrences. A rough idea: <your search> | stats count by Computername | append [ | inputlookup myhosts.csv | eval count=0 ] | stats sum(count) by Computername ... View more

Exactly. That's the first step with any connection problems. Dump the traffic on the appropriate interface and see whether any connection tries even take place. tcpdump/wireshark is your greatest friend with network/connection troubleshooting. ... View more

Unfortunately, as you said - IgnoreOlderThan is an option only for monitor:// type inputs (file inputs). Windows event logs are ingested by modular input (external tool) and are limited only to options provided by this tool. So you can either ingest events from the whole log or set current_only and make the forwarder wait for new events after restart. There is no option for a given "backlog" to read. If you believe it would be useful you can propose idea for such functionality at https://ideas.splunk.com/ ... View more

I suppose (but I haven't verified it - you can try to trace it with debugging tools on your browser) that most of the logic is done on the client's side and changing filters/parameters only modifies the resulting parameters sent with resulting search to search-head. These parameters are not passed to server as a part of dashboard request since they have no meaning for the server. It's the client who request the searches from search-head. ... View more

Close, but not quite 🙂 Try to understand what you're doing. Firstly, you search for some events with eventtype=heartbeat. Now everything is ok. Of those events some will have more than one eventtype. Then you do | search eventtype=heartbeat Which effectively doesn't do anything at this point since all events you find in the previous step had eventtype=heartbeat. So you pass this stepp with your full set of resulting events of which some have more than one eventtype. Then if you do the timechart by eventtypes of course all your eventtypes will get included in the results What did you do wrong? You did a search in the wrong place. You should have done stats first, so you get results for all eventtypes and _then_ search (in the resulting stats) for wanted eventtypes. eventtype=heartbeat namespace::my-namespace | timechart count by eventtype span=1 | search eventtype=heartbeat   ... View more

https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/UsetheHTTPEventCollector For starters. ... View more

The easiest solution to write is to generate time ranges with a subquery and then search for errors during those periods. <your general search for errors> [ search <your search for zookeeper errors> | table _time | rename _time as latest | eval earliest=latest-15*60 ] But it has all the limitations of a subquery (the result limit which is probably not important here and the execution time limit and possibility of silent termination). You could also try something with streamstats along the line of <your search for errors> | streamstats max(_time) as bigerrortime reset_before="like(_raw,\"%your_Zookeeper_error%\")" | where _time-bigerrortime<=900 ... View more

I can confirm. Simple | makeresults count=10 | streamstats count | eval count="data: ".count | stats values(count) Produces results in a single line, separated by commas. Splink 8.2.2.1 ... View more

Your regex specifies that your capture group consists of digits only (at least one digit) and then immediately you get a space. In your event you have a decimal fraction as well. So you need \d+(\.\d+)? ... View more

Can you describe what your data looks like and _what_ you want to achieve. Not how you're trying to do it because it shows that you're not used to splunk data manipulation paradigm and you're trying to "program" instead of searching. In general, there are very few cases when you want to use map cpmmand since  it has its limitations, is heavy on the servers and can faik silently and give inconsistent results. ... View more

Question is whether you want current state or any historic occurrences? Because if you just want to have current status - it's relatively easy <your search> | stats max(_time) as maxtime by Message Device | xyseries Device Message maxtime | rename "Ok (Fully Patched)" as ok | rename "Severity Critical Patch Missing" as crit | eval state=case(ok>crit,"OK",1=1,tostring((crit-ok)/86400)." days overdue")   ... View more

What is your original data? Because this already looks like some calculated stats table. ... View more