You can leave out those startswith and endswith parts if needed. PS: you might want to change your 'answer' to a comment and if my answer (or the answer of @niketnilay below) works for you, appreciated if you mark it as accepted, such that it is clear this question was answered 🙂 ... View more

Interesting, that is basically the same thing I suggested, but supposedly didn't work, isn't it? ... View more

KV_Mode (configurable in props.conf) instructs Splunk how to automatically extract key value pairs from events. In this case Splunk will detect this as JSON data and automatically extract the fields and their values. I'm trying to understand why Splunk in your case duplicates the values for each of the fields... ... View more

From the screenshot in your question, the event seems to be a single event, right? It is just the field extractions that are duplicated somehow? Did you write custom field extractions and also left KV_Mode to its default setting (auto)? ... View more

Fair point, I had them the other way around originally, then thought to optimize things a bit, but clearly didn't fully think that through 🙂 Let me adjust that. Question spoke about "a list of users" which my solution would give. If you indeed want to just filter the original data for those entries that relate to users that have over 1000 entries, then eventstats is indeed the way to go. ... View more

Your comment (which shouldn't have been posted as an answer) doesn't make too much sense to me. The macro you described in your question only populates some additional fields, derived from the host field. That sounds like a perfect case to implement using automated extractions and/or lookups. Why would implementing these conversions as automated lookups/extractions rather than using the macro mean you have to type every single servername into your search? ... View more

No need to add a double == sign. Just source="filter-string" will do. But that shouldn't break things (at least it doesn't in my test box). Are you sure those are the source values of your events? Just the filename, no path included? Can you provide a screenshot of the actual event with the source field visible? ... View more

Have a look at the transaction command. That should give you the tools you need to do what you want to do. For example: ...base search that returns these events... | transaction TaskID startswith="Start handling request" endswith="Handling request finished" The transactions that result from this will have a duration field, you can also append a stats command to this search to count number of transactions (by TaskID) etc. ... View more

Good point, didn't notice they included the private key in the certificate.pem file. Technically there is no need for the client to have the private key of the server certificate. This is against the whole concept of such private/public key cryptography. So it seems to me that those instructions are mistaken. It is also strange that they suggest to copy myServerCertificate.pem and the CA public certificate myCAPublicCertificate.pem, while myServerCertificate.pem already includes myCAPublicCertificate.pem. So I think the instructions in step 3 should read: copy the server public certificate myServerPublicCertificate.pem and the CA public certificate myCAPublicCertificate.pem into $SPLUNK_HOME/etc/certs/ on the forwarders. Also, this line from step one clearly shows that the person writing that text has no proper understanding of how public/private key crypto works: " This key will be used to encrypt the outgoing data on any Splunk instance where you install it as part of the server certificate. " The client uses the server's public key to encrypt, upon which the server uses its private key to decrypt. Not the other way around. I guess this warning at the top of the page (if you're logged in) is there for a reason: "Much of the content on this site is quite old, should be consumed with caution, and may be removed in the near future." With "everywhere" I meant using the same key on server and client. As long as you use a different key on the server and only the client key is compromised, that only allows impersonation, it doesn't break confidentiality of the communication between other forwarders and the indexer. ... View more

Well, those people that do not need to see data from other departments, can simple be put in a role that restricts them. The few people (managers) that do need to see data beyond their own department can be put in a role that is not restricted. To make it easier for managers to still only look at their own department's data you provide them with a macro. ... View more

Can you not solve that by presenting them some department specific reports/dashboards, or do they really actively use the search to dig through their department's data normally? Should the access really be restricted normally, or is it just to help them focus on their own department's data? In that latter case, you could also provide them with a search macro that applies the filter in a user friendly manner perhaps? Such that they can use that macro when they only want to look at their own data and when they want to look at other data, they leave the macro out (or use the macro relevant for that other department). ... View more

So the purpose of that timeprefix is to get splunk to use the (more detailed) timestamp that is in the event, rather than the one at the start of the line? Wondering if Splunk's automatic timestamp detection (since you don't specify a time format) is able to deal with all these formats here and whether it is able to deal with multiple formats coming in the same file. Then again, you say it is working correctly in DEV, does DEV also have all these different formats in 1 file? Can you not use a syslog daemon to split these different logs into separate files, rather than having splunk sort out the 'mess'? ... View more

That looks fine. How does that file get populated? ... View more

If it gets ingested into splunk it must be mentioned in some inputs.conf, so best to find out where. If it is not in system/default or system/local, I guess it is in some specific app under etc/apps? ... View more

Is the filename in the source field (as usual)? Then you could do something like: ...base search... | eval validFileName=(if(match(source,"<validation regex>"),"Yes", "No")) ... View more

Just to clarify: you mean that userA should normally have a restricted view, but in certain situations, the same userA needs to be able to see the events without restrictions? If the "when needed" does not occur very often, you could consider switching the user's role when needed, but that would require the user to get help from an admin. More user friendly as the user does not have to switch to a different account, but it does introduce a dependency on the admin to switch the user to the 'unrestricted' role. Then again: any solution where the user can freely choose whether or not to have the restrictions enabled or not is a bit pointless, isn't it? I mean: what's the point of having a restriction in place if the user himself can disable that restriction? ... View more

Are you sure the original timestamps are in the same minute for the 2 sources, can you show a screenshot of those events? ... View more

If it works in dev, but not in prod, can you perhaps highlight differences in those two environments? Is the data actually getting indexed with the webseal:syslog sourcetype? Just to rule out a typo in the inputs.conf in your production environment... ... View more

Have a look at Splunk TA-nix: https://splunkbase.splunk.com/app/833/ This also includes a sample inputs.conf file if I recall correctly. That should give some inspiration (although likely needs tuning for the specific files as they exist on your linux box(es). That should also point you at what sourcetype to use. But (assuming you have a splunk forwarder installed on the linux box(es)) basically you just need to create some file monitor inputs, see inputs.conf reference documentation for syntax. ... View more

This is assuming the data is in lookups (since you're referring to "list"). If the data is in an index, write a search that returns data from both sets (as explained in the answers of somesoni2 and mayurr98 and then again count occurrences. ... View more

And which files specifically did you check for size and did you see getting duplicated? This all looks like copies of config that is already in /etc/system/default/inputs.conf anyway, but with some important settings missing (like move_policy = sinkhole for the batch inputs...). ... View more