Hi, I got a request to onboard Event IDs 3039, 3040, 3041, 2886, 2887, 2888, 2889. I tried to Google them but couldn't see anything that will tell which logsource they're from. I don't know if I should put them under System i.e.     [WinEventLog://System] index = winlogs_of_domain_controllers whitelist = 2886-2889,3039-3041     Or Security i.e.   [WinEventLog://Security] index = winlogs_of_domain_controllers whitelist = 2886-2889,3039-3041     I was hoping someone could point me to a trusty website?   Thank you. ... View more

Hi, How to properly append the server's hostname, i.e. $HOSTNAME to the source? This was my failed attempt:     #transforms.conf [append-hf-hostname-to-src] SOURCE_KEY = source REGEX = (.*) FORMAT = source::$1:$HOSTNAME DEST_KEY = MetaData:Source #props.conf [my:cute:sourcetype] TRANSFORMS-newsrc=append-hf-hostname-to-src       Thanks in advance. ... View more

Can't seem to find inputs-config for ServiceNow's RITM / Requested Item / table: sc_req_item --> is this correct? Or I'm not looking properly? ... View more

Our two heavy-forwarders serve as intermediate for our hundreds of universal forwarders. I'm working on overriding/fixing hostnames to 6 of them. Here's the issue: Six of the UFs have hostnames with "-NEW" at the end. We want to remove that "-NEW" at parsing/indexing phase (not SH phase). Instead of working with the sysadmins of those 6 servers over a Zoom web conference to fix the hostname at the UF's system-local end, we decided to push a deployment-app to the 2 intermediate heavy-forwarders. The app contains these configs:       # transforms.conf # Of course, I'm using Dragon Ball Z characters as server names so that I don't get fired [hostname_overrider] DEST_KEY = MetaData:Host SOURCE_KEY = MetaData:Host REGEX = host::^(GOKU|VEGITA|GOHAN|GOTEN|TRUNKS|BULMA)(?:\-NEW)$ FORMAT = host::$1       # props.conf [default] TRANSFORMS-hostname_overrider = hostname_overrider     My thinking is that the transforms and props configs will apply to all UFs but will only catch the 6 servers because of the specific REGEX pattern and override the hostname. This method is not working. Any thoughts on why and which is the better approach to take?     ... View more

Hi, Our ES's pre-packaged datamodel (DM) Network_Traffic has 3 months of summary range. We've introduced new logs in this said DM by adding new indexes and specifying eventtypes and tags . We've confirmed by searching the datamodel that the new logs (i.e. WinEventLogs) are now included. However, using tstats to see counts of events per day, we noticed that there's no data beyond one month ago. See: As can be seen from above, other sourcetypes yield positive result except for the newly added sourcetype. We were wondering why this is being the case when the DM's summary range is for 3 months. Shouldn't we be expecting to get more beyond just a month ago? What are we missing here? ... View more