We are trying to mask some data from winhostmon using SEDCMD. The sample data sourcetype=WinHostMon source=process : Type=Process Name="wfcrun32.exe" ProcessId=1 CommandLine="C:\PROGRAM FILES (X86)\Test\test.EXE" /h0 "C:\Program Files (x86)\Test2\test2.test" /username:"Test" /domain:AD /password:"test" StartTime="20170516135737.278912+120" Host="test-test2-test3" Path="C:\PROGRAM FILES (X86)\Test\test.EXE" Props: [WinHostMon] SEDCMD-anonymize=s/\/password.*$/\/password:XXXXX/g The issue is that it is not masking the data, i have tried sourcetype,source and host on the indexer but still its not masking. If i upload a test file with data using the add data option i am able to mask the data using the SEDCMD, same goes for a file with a static sourcetype. My guess is that the source/sourcetype is not correct because of the way Splunk identifies the data at indexing/parsing. Does anyone have an idea how i can mask the data at indexing time? The data is being send from a universal forwarder to our indexers so it is not passing through a heavy forwarder. ... View more

On our search head cluster we are running into the following issue. When searching using the time picker everything works as expected, when searching using earliest/latest in the search we are running into issues. If the time range picker is set to last 60 minutes and earliest in the search is earliest=-15m it works. If i set earliest=-1d@d it only shows data from the last 60 minutes. If i try the same thing on a fresh install or a non search head cluster member i am getting the notification: Your timerange was substituted based on your search string. And i am getting the correct timeframe/data. Does anyone have an idea what kind of setting/conf i should be looking at? We are running splunk 7.0.3 ... View more

Hi all, We are trying to do the following: At index time we want to use 4 regex TRANSFORMS to store values in two fields. The issue I am running into is that I only want to keep the results from the regex that was not empty and not write the matches from the regex that matched before. Here is our current set-up: props.conf TRANSFORMS-test= test1,test2,test3,test4 outputs.conf [test1] REGEX = \S{3}.\d{1,2}.\d{1,2}\:\d{1,2}\:\d{1,2}.(([a-zA-Z0-9]{1,5}-){1,5}\S{1,3}).([\S\s]+) WRITE_META = true FORMAT = message_type::empty message::$2 [test2] REGEX = \S{3}\s\d{1,2}\s\d{1,2}\:\d{1,2}\:\d{1,2}\s(([a-zA-Z0-9]{1,5}-){1,5}\S{1,3})\s([\S]+):\s([\S\s]+) WRITE_META = true FORMAT = message_type::$1 message::$2 [test3] REGEX = \S{3}\s\d{1,2}\s\d{1,2}\:\d{1,2}\:\d{1,2}\.\d{1,3}\s([\S]+):\s([\S\s]+) WRITE_META = true FORMAT = message_type::$1 message::$2 [test4] REGEX = (%|-)([\S]+):\s([\S\s]+) WRITE_META = true FORMAT = message_type::$1 message::$2 Is there a way to combine the regex that runs so that only the last one with actual values is written? I tried using these in a an SPL, and as long as I did not use the same field names, I got the results. I was not able to combine it, the reason for index time is being able to use tstats. Any help is appreciated. ... View more