Hi Splunkers, I have a request by my customer. We have, like in many prod environments, Windows logs. We know that we can see events on Splunk Console, with Splunk Add-on for Microsoft Windows , in 2 way: Legacy format (like  the original ones on AD) or XML. Is it possible to see them on JSON format? If yes, we can achieve this directly with above addon or we need other tools? ... View more

Hi Splunkers, in our environment we are collecting Microsoft Windows logs that, currently, come in xml format. Customer demand us to switch off xml: on Splunk Console, he want to see logs in legacy/traditional format and not xml one. I don't remember how this can be achieved; am I wrong or I have to change a parameter in addon configuration? By the way, those are essential data for our scenario: Collection mode: UF installed on each Windows data sources. Logs are sent to an HF and then to a Splunk SaaS, so final flow is: log sources (with UF) -> HF -> Splunk SaaS (both Core and ES). UF management: all UF are managed with a Deployment Server Addon used: the "classic" one, https://splunkbase.splunk.com/app/742  Addon installation: on both SaaS env and HF ... View more

Hi Splunkers, in our Splunk Cloud environment we had 2 need: Reassign knowledge object owner Reassign Knowledge object app The first point management is well known and we already applied it, assigning all KOs created by us to a service account. I don't remember if the second one is possible: can I reassign a KO app? For example, if we assigned an alert to search app, is it possible to change it with another one? And if yes, how? ... View more

Hi Splunkers, I have a problem with a blacklist filter. On customer's UF, we filtered out some events changing the inputs.conf file. The ones based on comma separated list, like Windows EventID, are working fine with no problem, while the one based on regex not. Of course, as first thing, I checked regex syntax and I can confirm it works fine; testing it on regex101, it match perfectly what I want. Tests have been with different source logs, to be sure of a full proper working. This is how we placed regex on UF: [<stanza name>] ...other parameter... blacklist = \]\sA\s+(.*)(microsoft|office|azure|o365|onenote|outlook|windowsupdate)(\(\d+\))(com|net|us)(\(\d+\))\s This filter must be applied to logs coming by Windows DNS; its purpose is to avoid ingestion of legit domain, in all their combination, but only if they have a "normal" form. In regex you can see I put a filter about (<number>), because in raw log we have domains in format main_domain(<number>)root_domain, like microsoft(3)net. For example, microsoft(2)com and microsoft(3)net match the regex and should be filtered out, while microsoft(9)123(5)com not and should be sent to Splunk. My assumption is that I missed out some delimiter after the equals symbol; I mean, should I put regex code between any kind of symbols? Something like  regex = '<regex code'> Or regex = "<regex code>" etcetera. ... View more

Hi Splunkers, I have to perform a UF config and I don't know if some problem could rise. Let me explain better. For a customer, we are collecting data from Windows Systems using UF. All selected logs come fine. Now, we have to collect logs from Windows DNS query; they are collected in debug mode and, then, stored in a path. So, before any UF or Splunk action, the flow is: Win DNS set on debug mode -> Log forwarded on a server -> Logs stored on server's path. Due the high volume of collected store, on that server there are 2 scripts that follow a retention policy and, in a nutshell, delete logs older than 1 day. This because when DNS forward logs, write a file of maximum 500 MB and then another one is created. So, files are writed until threshold is reached. Due we want use UF to monitor that path, our customer asked us its behavior regarding file monitoring; his doubt is how UF works when monitoring file, expecially the current writing one. My knoledge is that UF should work exactely any other Data Input File & Directory monitoring: if we tell, in inputs.conf stanza, "monitor path X" it shuld simply monitor each file in a sequential manner; am I right?   ... View more

Hi Splunkers, I have to forward data inside csv files from an on prem HF to Splunk Cloud and I'm facing some issues, cause data seem to not be forwarded. Let me share with you some additional bits. Info about data Source data are on a cloud instance (Forcepoint) provided by vendor A script has been provided by vendor to pull data from cloud The script is installed and configured on our Splunk HF Data are saved locally on HF Data are in .csv files  Info about HF configuration We create a new data inputs under Settings -> Data inputs -> Local inputs -> Files & Directories We set as data input the path were .csv are saved after script execution We set the proper sourcetype and index Of course, we configured the HF to send data to Splunk Cloud. We downloaded the file from cloud, from "Universal Forwarder" app and installed it as app on HF: the outputs.conf is proper configured, other data are sent without problem to Splunk cloud (for example, Network input ones goes to Cloud without issues; same for Windows ones) Info about sourcetype and index and their deployment We create a custom addon that simply provide the sourcetype "forcepoint" Sourcetype is configured to extract data from CSV; that means that we set parameter      Indexed_extractions=csv ​     We installed addon on both HF and Splunk Cloud The index, called simply "web", has been created on both HF and Splunk Cloud By thw way, seems that data are not sent from HF to Cloud. So, did I forgot some steps? Or I made wrong some of above ones?   ... View more

Hi Splunkers, in our environment we onboarded Forcepoint Cloud logs following this guide.  In a nuthsell, we have to use a script that regularly pulls data from cloud and place them on a HF, as .csv files; then, info are sent to Splunk Cloud. We got the following problem: logs are always of 2 types, the correct one and the "empty one": As you can see, we have only the field labels, not values. Working with support, we discovered that a possible root case is in the add-on, that sometimes extract the .csv header and manage it like data. So, if we want to solve the problem and avoid to change the script, we could fix the problem going in props.conf of add-on used to parse, which is Splunk Add-on for Forcepoint Web Security , perform a change and take the correct logs. So, the question is: if I have to tell in a props.conf "Hey, don't extract the .csv headers", which syntax I have to use? ... View more

Hi Splunkers (I know, you starts to see my post too much on this blog...sorry!), I'm a bit confused about the management of blacklist and whitelist mechanism, for universal forwarders. As I wrote on others posts, we are managing a Splunk Cloud for a customer where we are completing, for Windows logs, the migration from WMI to UF. After installation completed, we want to manage those UF with a DS. Reading docs, I got that first step to say a Splunk host "Hey, you are a DS!" is to create the first app to be deployed on clients. Here the example states about outputs.conf but, due we already linked UFs to our HF, we don't need that; we prefer to use the inputs.conf, cause we want manage blacklist and whitelist mechanism true DS. The confusing thing for me is: is I want to say to UF "Hey, collect only a subset of Windows Event Code ", I saw here on community some posts where people get struck with whitelist and its wa suggested to them to us bot parameters: whitelist and blacklist. What I don't understand is why this and, so, the final configuration. For Example, if I want to say on inputs.conf for Security logs "Hey, collect only 4624 and 4625" I will have something like that: [WinEventLog://Security] ... <other parameter> ... whitelist = ? blacklist=? ... View more