I have a saved search that runs every day and does a partial fit over the previous day. I'm doing this because I need 50 days' of data for the cardinality to be high enough to ensure accuracy. However, I don't want over 60 days' of data. How do I build up to 50 days' of data in the model but then roll off anything over 60 days?   Thanks! ... View more

I'm getting the following error while trying to save a correlation search as a user with the ess_admin role: There was an error saving the correlation search: User 'local_ess_admin' with roles { ess_admin, ess_analyst, ess_user, local_ess_admin, power, user } cannot write: /nobody/SplunkEnterpriseSecuritySuite/savedsearches/Threat - test2 - Rule { read : [ * ], write : [ admin ] }, export: global, owner: admin, removable: no, modtime: 1591818982.977029000 The ess_admin role should by default be allowed to edit correlation searches, and the role does have the "edit_correlationsearches" capability. Is there any other capability that should be enabled in order for this to work?   ... View more

I’m trying to specify that logs from a certain source coming from a UF are UTC. This should be pretty straightforward, however the following props.conf on the indexers does not work. [source::c:\\path\\to\\logs\\*] TZ = Etc/UTC I’ve tried a .* at the end of the file path and many other variations, nothing works as it should according to the props.conf.spec. Any ideas? Thanks ... View more

I've recently been running into issues with Splunk not ingesting files, both on universal and heavy forwarders. The example here is a UF on a Windows server. In this example, I'm trying to ingest \\path\to\file.csv , and the error I get is: DEBUG TailingProcessor - Skipping itemPath='E:\path\to\some\other\file.txt, does not match path='\\path\to\file.csv' :Not a directory :Not a symlink My input looks like: [monitor://\\\\path\to\file.csv] index = myindex sourcetype = mysourcetype initCrcLength = 512 Also, I had to turn on debug logging in log.cfg to even see these errors. Otherwise there were no errors at all. Any ideas? Thanks ... View more

I have a three-node search head cluster, when I create a field extraction through the GUI, it takes hours for it to become active. This used to take less than 5 minutes, any ideas why this could be happening? Thanks ... View more

I have three data sources that I need to correlate together, I'll simplify it for sake of example: Index A: _time, fieldA, fieldB, fieldC Index B: (web logs): src, uri_path Index C: src, usr FieldA from Index A should show up within the uri_path of Index B (within similar time ranges), when it does, I need to correlate the src IP address of Index B with Index B, and pull back the usr from Index C. The end result needs to contain all fields from Index A, plus the "src" field from Index B, plus the "usr" field from Index C. This seems like it would be fairly easy if it were possible to pass data from outer searches to subsearches, but that's not possible. I tried starting with Index C and using a subsearch searching Index B, and a subsearch within that subsearch to search Index A, which returns FieldA to this first subsearch, which then returns "src" to the main outersearch which returns a list of users, however it seems difficult if not impossible to return all the needed fields back to the outer search. I feel like I must be missing something and that it should be easier to correlate this data. Any ideas? Thanks ... View more

I have the need to change the sourcetype of certain logs on a per-event basis, then apply further changes on the new sourcetype in props.conf after the sourcetype change. For example: transforms.conf: [set_new_sourcetype] DEST_KEY = MetaData:Sourcetype REGEX = some_regex FORMAT = sourcetype::my:new:sourcetype props.conf: [old:sourcetype] TRANSFORMS-sourcetype_change = set_new_sourcetype [my:new:sourcetype] SEDCMD-whatever = s/change/that/g However, the SEDCMD does not work on the new sourcetype. If I move the SEDCMD to the original sourcetype it works. Is there a workaround for this? If not, what's the point of being able to change the sourcetype on a per-event basis if you can't do anything with it afterwards? Thanks ... View more