Hi All, We have  Indexer cluster configured on AWS EC2 Instances  which is configured with Smart store. Since this is a Dev environment we want to stop the EC2 instances in non-business hours. Could you please advise if the when we stop an indexer with smart store, the hot buckets are rolled to warm and uploaded to the smart store before the indexer peer stops. Also, what would be the recommended way to stop the splunk service before stopping the EC2 Instance, would it be using splunk stop command or splunk offline command.   ... View more

Hi All, I am trying to build a query through which we can track if all the Splunk forwarders are connected to Cluster Master. Wanted to create an alert if there are issues when forwarder is not able to connect with Cluster master. Could you please help with the query. ... View more

Hi All, Request you to post the query for retrieving messages displayed on the top of the UI so that a Dashboard/report could be created for the messages received. I tried using the below query as per the link , but didn't get any results. https://answers.splunk.com/answers/206670/is-there-a-way-to-retrieve-the-messages-from-the-b.html | rest /services/messages | table title message severity timeCreated_iso published splunk_server author ... View more

Hi All, We have an environment where the owner of all the Dashboards/Alerts is user 'nobody'. Are there any disadvantages of using the user 'nobody'. Please advise if the best possible way to create a alert could be a 'service account'. What are the pros and cons of using a 'service account' vs user 'nobody. Any inputs would be really helpful. ... View more

Hi All, I have the logs in below format which is stored in an S3 bucket : 1567295878959445,hostname,ip,id,session,operation,db,query The first field I believe is the Unix timestamp. When I am integrating those logs with Splunk Addon for AWS the line breaking is not happening as per the timestamp. Below is the sample log that I am receiving in Splunk. The log is not breaking based on the timestamp as you can see below: 1567295878959445,hostname,ip,id,session,operation,db,query,1567295878959550,hostname,ip,id,session,operation,db,query' Could anyone advise the configuration in props.conf to break these logs as per the timestamp? Ideally, log should look like below in Splunk : 1567295878959445,hostname,ip,id,session,operation,db,query -log1 1567295878959550,hostname,ip,id,session,operation,db,query' -log2 Regards, Samad ... View more

Hi All, On tracking the failed logins for AWS console through Cloudtrail logs, errorCode for specific set of logs is not captured correctly. CORRECT PARSING : awsRegion: us-east-1 errorMessage: Failed authentication eventID: eventName: ConsoleLogin eventSource: signin.amazonaws.com eventTime: eventType: AwsConsoleSignIn eventVersion: In the above log errorCode field is 'failure' which is true. INCORRECT PARSING : However, for the below log errorCode field is 'success'. Correct output should be errorCode=failure since it is a failed login whose user name is unknown. awsRegion: us-east-1 errorMessage: No username found in supplied account eventID: eventName: CheckMfa eventSource: signin.amazonaws.com eventTime: eventType: AwsConsoleSignIn eventVersion: 1.05 PROPS.CONF : Below is the entry for errorCode in props.conf EVAL-errorCode = coalesce('errorCode',if(like('responseElements.ConsoleLogin',"Failure"),"failure", "success"),"success"). QUESTION : Please suggest the way how we can achieve the following : if errorMessage=No username found in supplied account OR errorMessage=Failed authentication then errorCode should be 'failure' else it should be a success. what should be the entry in props.conf for EVAL-errorCode so that it can be overwritten in local folder. ... View more

Hi All, I am trying to build a use-case from the firewall logs wherein if any allowed traffic is observed from any Public IP towards the Network on suspicious ports like SSH, RDP etc , it should trigger an alert. Is there any way through which I can achieve the following through Enterprise security : If there is allowed connection from any other IP other than the IP in threat intel , alert severity should be low. If there is allowed connection from threat intel IP, alert severity should be high. ... View more