Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for almost 23 hours to get to here — yes, I'm writing this from .conf! .conf24 is my fifth in-person .conf (2018, 2019, 2022, 2023 and now 2024). For me, .conf is always about the people.   Sure, I come to learn more about Splunk but it's the people (the community) that make Splunk. I was approached in the hallway by an attendee (Hi, Matthew!) who was attending their first .conf.  He asked for any tips and I said to do exactly what he had just done - approach people and say Hi! I'm a Splunk Partner so I attended a number of Global Partner Summit (GPS) presentations in the afternoon. I was privileged to get inducted for the first time in to the SplunkTrust and received my fez along with the other members. I didn't participant in BOTS on the opening night.  Instead, I put a call out to any other Aussies without dinner plans.  Two people took up my proposal and we met up, found a restaurant, and then chatted over dinner.  I had met one of the two at .conf23, and the other I had never met but we quickly realised that our Splunk skills are complementary so, who knows, there may be opportunities to refer business leads on. The biggest thing for me was catching up with people whom I've met over the years - often only at .conf , and meeting people in person whom I've only ever interacted with over email, Slack, or Zoom. And catching up with Buttercup too! Looking forward to the rest of .conf! ... View more

I'm pulling in events from the journal of a number of Linux hosts using the journald modular input. I'm seeing truncated events every so often and, when I look at the length of _raw, I see that it's always 4088 bytes. The man page for journalctl (https://www.freedesktop.org/software/systemd/man/journalctl.html) says that when events are outputted using JSON format, that "Fields larger than 4096 bytes are encoded as null values. (This may be turned off by passing --all, but be aware that this may allocate overly long JSON objects.)" I'm presuming that that's what happening with the truncated events that I'm seeing.   Is anyone aware of a way around this?  I can't see any configuration setting associated with the journald modular input that would let me enable the '--all' flag. FWIW, I'm running Splunk Enterprise 9.0.2 ... View more

The ability to have a *nix UF run under a non-root user but still be able to have it read files was introduced with v9.0.0 of the UF (https://docs.splunk.com/Documentation/Forwarder/9.0.0/Forwarder/Installleastprivileged) Is there a way that I, as a Splunk admin, could see which (if any) POSIX capabilities (CAP_DAC_READ_SEARCH - and potentially also CAP_NET_ADMIN and CAP_NET_RAW) the various forwarders are running under/with?  I've had a look at index=_internal to see if the UF generates anything during start-up but I haven't found anything.   ... View more

I believe that the TIME_FORMAT value for this add-on is incorrect - more specifically, I believe that the trailing percentage sign (%) at the end needs to be removed. Is someone who is more familiar with XML formatted Sysmon events able to confirm this?     ... View more

Before I go and re-invent the wheel, has anyone looked at indexing the results from the running an inspect using the CLI version of splunk-appinspect? The --output-file is, by default, JSON and has a start_time field in it which could be used for the event's _time. And, if you run it with --generate-feedback, then you get a YAML file which can be converted to JSON using the yq command.  The result JSON file also has a start_time field in it which could be used for the event's _time. As for a use-case... I don't know (yet).  At this stage, it's really just a wouldn't it be cool to ... ... View more

The o365:management:activity stanza within DA-ITSI-CP-m365/default/props.conf contains the following line: REPORT-nameval=NameValue   But there is no stanza called NameValue in DA-ITSI-CP-m365/default/transforms.conf and, as a result, I'm seeing errors that look like the following in index=_internal: SearchOperator:kv [12345 TcpChannelThread] - Invalid key-value parser, ignoring it, transform_name='NameValue'. Is this an error with the add-on or am I doing something wrong?  A missing app/add-on perhaps? ... View more

The default/props.conf for v2.0.2 of the add-on contains two issues - both of which are generating WARNING messages in splunkd.log Issue #1   [mysql:errorLog:mysqld_safe] EXTRACT-queries_in_queue = (?<queries_in_queue>[\.\d]+) queries \in queue I believe that the slash before the in was an attempt to stop the "in queue" being treated as the 'regex in field' format of an EXTRACT.   I believe that the line should read: EXTRACT-queries_in_queue = (?<queries_in_queue>[\.\d]+) queries\sin\squeue   Issue #2   [mysql:processInfo] FIELDALIAS-cim_builder = thd_id AS process user AS user   Splunk was generating the following warning: WARN  FieldAliaser - Invalid field alias specification in stanza 'mysql:processInfo': FIELDALIAS-cim_builder='thd_id AS process user AS user' I believe it's because of the redundant 'host AS host' and removing it in a local/props.conf appears to have confirmed this. ... View more

Hi @doksu , I've found that the REGEX used by [netfilter_flags] will break if the event contains a sequence of uppercase characters before the actuals flags within the event.  This can occur if the event contains an action of DROP, ACCEPT or REJECT with whitespace before and after the action.  In these cases, the FLAGS and tcp_flags fields will be set to the action. My fix was to change the REGEX line within the netfilter_flags stanza to: REGEX = \s((?:(ACK|FIN|PSH|RST|SYN|URG)\s)+)       ... View more

I'm working with a client to ingest data from PCAPs into an on-prem Splunk.    I've installed the independent Stream Forwarder (v7.2.0) on the host with the PCAPs and I'm able to ingest the PCAPs.  One issue that the client has raised is that they would like for the generated events to include as metadata the name (including path) of the PCAP file from which the event came. I'm using the -r option to specify the name of the PCAP and I've tried including the following on the command line but StreamFwd wouldn't accept it: --_meta "source_pcap::/path/to/and/name/of/the.pcap"   Any thoughts on how this could be done?  I'm open to raising it as an "idea" if need be. ... View more

We have our authentication tied to AD using the LDAP strategy.   Password complexity and lifetime is, as a result, handled by the requirements set by the AD Group Policy.  But what about failed login attempts?  If a user manages to type in their password incorrectly multiple times (or worse, someone tries to incorrectly guess a user's password multiple times), will it cause their account to become locked within Splunk (and possibly within the underlying OS too?) ... View more