oh ok thanks ... View more

ok, thanks, Will upgrading to 7.0 spike my license usage since every event in it will be counted as fixed 150bytes? ... View more

yes i am already following the best practice of doing this in master apps and then deploying to slave-apps Thanks, i used a different regex and this time its working NOW following is wat i am using in my /opt/splunk/etc/slave-apps/splunk-TA-Windows/local in props.conf # message shortener for windows event security # removes text from message field starting with: This event is generated [WinEventLog:Security] TRANSFORM-windows_events = win_event_shortener in transforms.conf [win_event_shortener] DEST_KEY = _raw REGEX = ((.*+[\v])+)(?=This event is generated) FORMAT = $1 ... View more

I do not want to drop the whole event i just want to drop the static text that gives the description about the event. I am referring to this link https://www.splunk.com/blog/2012/09/21/the-splunk-app-for-active-directory-and-how-i-tamed-the-security-log.html ... View more

Hi, Guys, I have run into issues with UF again this time it has stopped working altogether I have started a new question for this. if you have some time please help https://answers.splunk.com/answers/578313/splunk-winevtlog-wineventlogchanneldeletecheckpoin.html thanks in advance ... View more

oh ok, thanks from next time I will create a new post, Did you mean to say that forwarding should be enabled on the license master to record license usage. Because if I take out indexers IP from the outputs.conf of License master than the license usage is not counted. So now I see 1 H.F. i.e. our license master in our environment when I see forwarder deployment under DMC ... View more

thanks for your reply .please check my resolution for this issue below ... View more

Yeah thx man I have made it in local only and i do not see accept option for your comment How do i accept your answer? ... View more

@sbbadri Thank you fr your reply mwdbhyat was very helpful and kind enough to help me so much. This is resolved by changing these two values in my inputs.conf start_from = newest current_only = 1 ... View more

@mwdbhyat I changed these two values in inputs.conf start_from = newest current_only = 1 and it resolved my issue THANK YOUUUUU SO MUCH MAN! for some reason i dont see your comment here can you please paste it again I want to mark that as accepted answer. Thanks once again ... View more

@mwdbhyat I see your comment in email notification but not here. And this is my inputs I am using the default inputs.conf from the Splunk_TA_Windows app. [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)" index = wineventlog renderXml=false ... View more

Thanks, I ran the queries and below are the results, there seems to be a 3-4hrs delay and time diff I do not know why, if I run these queries for other sources it does not show any delay or time difference. source=mysource | eval delay_sec=_indextime-_time | timechart min(delay_sec) avg(delay_sec) max(delay_sec) by host _time 2017-09-25 06:45:00 avg(delay_sec) 8618 max(delay_sec) 8656 min(delay_sec) 8593 source=mysource host=myhost | eval delay_sec=_indextime-_time | convert ctime(_indextime) AS indextime | eval now=now() | table _time indextime now date_zone source sourcetype host _time 2017-09-25 06:59:30 indextime 09/25/2017 09:16:39 source WinEventLog:Security Also please note to troubleshoot this now I have changed the timezone for all my Splunk servers to match with my Domain controller so now both indexer and source have same TZ = EST but still I am not able to search logs in last 60mins or 15mins. ... View more

I am simply typing sourcetype="WinEventLog:Security" in search and i do not find anything when i do last15mins or 60 mins i can only see for last 4hrs and event time is real time like if you convert from UTC to IST (which is the TZ I live in). Also it does not allow me here to paste an image only an url ... View more

Same. I did not apply a TZ before only when this issue started i realised i should enter TZ in props.conf and entering did not make a difference. I also tried entering TZ by creating a props.conf in UFs local but no joy ... View more

I tried with host entry as well it did not work , still when i go to last 4hrs only then i can see events otherwise in realtime search or last 15 or 60mins it does not show up [host::dc1-corpdc01] TZ = US/Eastern ... View more

Ok yeah i see that but its not working for medid u see my props.conf in the below comment and also i am defining TZ by sourcetype and not host will that make a difference ? ... View more

Hi Many thanks for your help I have separated the syslog server from the indexers now and have installed UFs on them to forward the data, I did ran into some problems but everything is cool now and the performance in terms of searches is a lot better. ... View more

This is my props.conf on indexers [cisco:asa] TZ = UTC [cisco:ise:syslog] TZ = UTC [cisco:acs] TZ = UTC [cisco:ios] TZ = UTC [cisco:sourcefire] TZ = UTC [f5:bigip:syslog] TZ = UTC [pan:log] TZ = UTC [WinEventLog://Security] TZ = US/Eastern [catchall:catchall] TZ = UTC it is not working for events that are coming for [WinEventLog://Security] because if i search for last 15mins or 60 mins i dont get results ONLY when i select last 4hours i can see results. I also tried switching my user time zone from UTC to EST through settings>users>my user timezone as EST and log out/login but still the same issue. And I have installed Splunk_TA_windows on my UF that sits on DC Any help will be appreciated ... View more

Are you sure the time zone is right? or should it be EST? ... View more

Hi there I recently inherited Splunk and saw there were too many heavy forwarders in place and i replaced them with UFs but when i take out heavy forwarder from the license master which is also our cluster master we stop seeing license usage. Is HF a mandate requirement on license/cluster master to show license usage? ... View more