One more thing ; -)   @bowesmana , @richgalloway , in general, should we consider using the EVENT_BREAKER on the Universal Forwarder?  ... View more

Just checked -  LINE_BREAKER = ([\r\n]+)Running   "Running" is still part of the _raw data after ingestion. ... View more

Thank you @richgalloway , so we are "losing" the Running word from the event?  ... View more

You are right @tscroggins, it should be more like -  LINE_BREAKER = ([\r\n]+)(?=Running)   A positive lookahead that checks, without consuming. ... View more

This one makes perfect sense to me -  [your_sourcetype] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]Running) TIME_PREFIX=Last connection attempt:\s* ... View more

That's it @akashhu, for switches, routers and firewall devices the "regular" mechanism is syslog.  ... View more

@kgiri253 , I was never a great fan of minimal throughput from the forwarders and tiny memory buffers on the Splunk servers. In my mind, these strict low quotas lead to issues, like yours in many cases. ... View more

Copilot said -  Hi Javi, Yes, it’s possible to forward data from Splunk to third-party services like AWS EventBridge or Lambda, but it’s not a native feature out of the box. Splunk primarily ingests and indexes data, but you can achieve this forwarding through a few approaches: HTTP Event Collector (HEC) + AWS Integration Splunk can send data via HTTP Event Collector to an endpoint. You could set up an AWS API Gateway or Lambda function to receive these events and then route them to EventBridge. Splunk Add-ons or Apps There are Splunkbase apps and add-ons for AWS that can help with integration. For example, the Splunk Add-on for AWS is typically used for ingestion, but custom scripts or modular inputs can be adapted for forwarding. Custom Scripts / Modular Outputs Splunk supports custom alert actions or scripted outputs. You can configure Splunk to trigger a script whenever new data matches certain criteria, and that script can call AWS APIs to forward the data. Third-Party Middleware Some organizations use a message bus (like Kafka or Kinesis) as an intermediary between Splunk and AWS services for scalability and reliability. Summary: Splunk doesn’t automatically forward all ingested data to AWS, but with HEC, custom alert actions, or middleware, you can build a pipeline where Azure → Splunk → AWS EventBridge/Lambda works as you described. Would you like me to draft a step-by-step guide for setting up Splunk to forward data to AWS Lambda or EventBridge? Or should I prepare a diagram of the architecture for this flow? ... View more

I would probably create a python script that does the renaming and sanity checks on the incoming csv file(s). ... View more

From AI - To configure Splunk and uberAgent, first install the Splunk apps on your Splunk server by uploading the files from the uberAgent download. Then, enable the HTTP Event Collector (HEC) in Splunk's global settings to allow uberAgent to send data to it. Apparently, the uberAgent works with HEC and then you can send the data stream straight to the indexers, does it make sense? ... View more

Sorry @PickleRick, but try please to view a truncated json object, it's a mess ; -)  ... View more

TRUNCATE has its default value at 10,000 characters but a JSON event is a one-liner, and trimming it "breaks" the entire presentation of the object, so we internally here decided to make the default unlimited for JSON cases, the only thing is to find a way to classify them automatically and not handle each JSON case individually. If anybody has a generic solution, please share. ... View more

@b17gunnr do you mind describing the architecture? per the direction of @richgalloway   ... View more

Both of them - no doubt ; -) ... View more

Thank you for the attention @mlevsh and the quote ; -) ... View more

We spoke about it at this thread and it might help you - How do we enable a forwarder boot-start? ... View more

The following mentions the *.bundle files but not their var/run/<app> location - Extended example: Deploy configurations to several forwarders In the page, we can search for fwd_to_splunk1-timestamp.bundle . ... View more

I guess the following explains it in the url from above - -- If you change a single file in the users directory, the deployer redeploys the entire users tarball to the captain. This is because the users directory is typically modified and redeployed only during upgrade or migration, unlike the apps directory, which might see regular updates during the lifetime of the cluster. ... View more

The command generates a beautiful and useful chart @rich7177. Maybe it's also the commands which are not used such as fields . ... View more

It makes sense @Azeemering - much appreciated. ... View more

Looks great - | makeresults | eval VLAN="Vlan819(RVP_CDN)" | rex field=VLAN "(?<VLAN>.+)\(" ... View more

Any ideas about this one, by any chance? ... View more

Very kind @rich7177 ! ... View more