@isoutamo  New thing I learned, Thank you. ... View more

This helped Thank you @richgalloway  ... View more

I tried installing Add-on on HF and mapped the right source type still no luck.  Few events are truncated in the beginning.   ... View more

I am colleting these logs using Splunk UDP inputs and not through add-on.   However I did install this add-on on our SH to make the data CIM Compatible.  ... View more

They are coming from same source type, sorry the timestamp shown in first set of sample events is Splunk time stamp followed by broken events.   The second set of sample is complete event with timestamp, I removed Splunk timestamp.  Sharing the event below along with Splunk timestamp. 9/29/23 5:57:57.000 AM 2023-09-29T05:57:57-04:00 1x.1xx.2x.1xx %ASA-6-302014: Teardown TCP connection 758830654 for ARCC:1xx.1x.9x.x8/x0 to inside:x0.2xx.x8.x1/4xx17 duration 0:00:00 bytes 0 Failover primary closed 9/29/23 5:57:57.000 AM 2023-09-29T05:57:57-04:00 1x.1xx.2x.1xx %ASA-6-302021: Teardown ICMP connection for faddr 1xx.x5.x0.x4/0 gaddr 1x.xx6.1xx.x6/0 laddr 1x.xx6.1x.x6/0 type 3 code 1 ... View more

I tried installing the add-on on HF but no luck.  I am working with Splunk support on this and they figured that the KV store for Checkpoint add-on is not loading as the regex is not matching our events.  They are working on giving me a regex, will try it out once I have it. ... View more

Hi @gcusello    I am using "Splunk Add-on for Check Point Log Exporter" from https://splunkbase.splunk.com/app/5478. I installed this on splunk SH and  did rename sourcetype on Splunk HF to "cp_log:syslog" as per the add-on.  ... View more

Thank you @yuanliu.  This is exactly what I was looking for. ... View more

It is not working.  I did add/update workload_rules.conf on all our Splunk SH's in our cluster still no luck.  Does it need any Splunk restart or do I have to assign it to users / roles just thinking loud. This is what I have in workload_rules.conf under /opt/splunk/etc/apps/search/local   [search_filter_rule:WildcardSearch] action = filter predicate = index=* OR search_time_range=alltime user_message = Please provide index name ... View more

I tried creating a Admission rule for the condition "index=* OR search_time_range=alltime" but looks like the setting is not getting applied. Users are still able to search for index=*. Does this work on Clustered environment or is there any additional steps I need to follow for cluster env?  We have SH cluster. ... View more

😞 I will put some sample data here for better understanding of my usecase. Index A contains events like below.  Here I already did a field extraction for IP address Hostname FQDN and named it as Reporting host.  This is basically list of servers that are forwarding logs. 2023-02-21 00:14:43.6543016070 2.2.2.2 2023-02-21 00:14:43.6213010920 abc.domain.net 2023-02-21 00:14:43.6543016070 4.3.2.1 2023-02-21 00:14:43.6213010920 xyz.domain.net 2023-02-21 00:14:43.6543016070 1.1.1.1 2023-02-21 00:14:43.6213010920 pqr so when I index=A | stats count by Reporting_host, the result is below.  First of the query works.   Reporting_Host 2.2.2.2 abc.domain.net 4.3.2.1 xyz.domain.net 1.1.1.1 pqr Now I have second index which is from our CMDB which contains Server information like owner, BU, location etc. 2023-02-20 07:47:14.269, CI_Name="xyz.domain.net", Hostname="xyz", Domain="example.com", Environment="QA", IP_Address="3.5.4.6", Tier1="Hosting", Tier2="Processing unit", Tier3="Server", Operating_System="windows", OS_Version="Server 2016", Priority="Priority_5", Server_Owner="Owner3" 2023-02-20 07:47:14.269, CI_Name="pqr.domain.net", Hostname="pqr", Domain="example.com", Environment="QA", IP_Address="13.15.14.16", Tier1="Hosting", Tier2="Processing unit", Tier3="Server", Operating_System="windows", OS_Version="Server 2016", Priority="Priority_5", Server_Owner="owner2" 2023-02-20 07:47:14.269, CI_Name="Host1.domain.net", Hostname="Host1", Domain="example.com", Environment="QA", IP_Address="2.2.2.2", Tier1="Hosting", Tier2="Processing unit", Tier3="Server", Operating_System="windows", OS_Version="Server 2016", Priority="Priority_5", Server_Owner="owner1" My usecase is I need to map the Reporting_host from index A with index B data and get the server information.  Challenge I am facing here is, Reporting_host as shown above is list of IP address, FQDN, Hostnames ( all comes in separate events like some hosts are reporting with IP address, some are reporting with FQDN and rest with IP address so the results) so how can I compare REporting_host with CMDB data and get the Server information.  If the Reporting_host comes in one format like hostname or IP address the comparison could have been easy so I will just use join and the common field would be Reporting_host comparing it with Hostname in index B.  Since the Reporting_host is has 3 different formats how do I compare them ?  I hope I explained my usecase in detail now.  Sorry for too many post. For above ex: my output should be Reporting_Host Server_Owner 2.2.2.2 Owner1 xyz.domain.net Owner3 pqr Owner2   ... View more

Hi @yuanliu  Thank you for looking into it.  When I say mix of values (Reporting_host), I meant like below Reporting_Host (not a string that contains IP host and FQDN but its like below but list of individual values) abc@domain.com 100.10.10.10 abc xyz 44.16.23.01 xyz@domain.com and goes on..   ... View more

Query seems to be working but partially.  When I run the query I get results for splunk_server whose one of the  parsing queue pipeline is not greater than the threshold I set (which is >80). As per my requirement this server xyz should not showup as its parsing_queue.0 is not greater than thershold. (It should only report if all its 3 pipelines 4 Queues are greater than 80). title fifteen_min_fill_perc splunk_server aggQueue.0 87.79 xyz aggQueue.1 87.66 xyz aggQueue.2 86.22 xyz indexQueue.0 88.43 xyz indexQueue.1 87.96 xyz indexQueue.2 89.16 xyz parsingQueue.0 65.10 xyz parsingQueue.1 86.32 xyz typingQueue.0 88.28 xyz typingQueue.1 87.87 xyz typingQueue.2 89.13 xyz Appreciate if you could also help me understand more on why dc is used here and how does it work?   ... View more

@tscroggins  Thank you for looking into my query.  I tried the search query you posted and the results are same as my search query.  What I am looking for a consolidated report for example, in the output I pasted in my original post, instance "Y" has all the four queues full (parsingQueue* OR title=aggQueue* OR title=typingQueue* OR title=indexQueue) so my output should only be this instance name.  I will set up and alert for this host for further action.  Any suggestions pls ?   ... View more

Yes App is pulling logs and I did test is by enabling index and forward setting on HF.  No errors or Warning in app logs and index is created correctly.  I do see logs data transfer for this checkpoint on metrics.log also under  _internal index.  Unfortunately im unable to past metrics logs ... View more