@cichris I hope you got to know the new version of this add-on has support for python 3. The new version is available to download. I have installed this new add-on version on splunk version 8.0.1. It is successfully running and able to pull the data from microsoft graph api. ... View more

@ashish9433 I am also facing the same issue where splunk is unable to run split and mvexpand on the json data. Did you find a resolution to your question? If so, could you share it? ... View more

@abhijittikekar I am also facing the same issue. Did you get a solution to your issue? ... View more

I noticed that the link for the document has changed in newer splunk version. The link on how to extract fields from structured files, for latest realese of Splunk version 7.3.1, is as below: https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Extractfieldsfromfileswithstructureddata ... View more

@captainjak I believe that all your questions have been answered. Can you confirm either way? ... View more

@rashid47010 Splunk docs clearly state that: If you don't set TIME_PREFIX but you do set TIME_FORMAT, the timestamp must appear at the very start of each event; otherwise, Splunk software will not be able to process the formatting instructions, and every event will contain a warning about the inability to use strptime. So, I see that currently you have set TIME_PREFIX to empty string. considering your event, I would recommend to add TIME_PREFIX=^[ and TIME_FORMAT as %H:%M:%S.%3N. TIME_PREFIX = ^\[ TIME_FORMAT = %H:%M:%S.%3N MAX_TIMESTAMP_LOOKAHEAD = 12 I hope that helps. ... View more

Have you configured /etc/rsyslog.conf to route firewall syslog data to a local folder on the Linux server? If so, where are your firewall syslogs collected on the Linux Server? I mean which directory? Subsequently check if you have placed the monitor stanzas in inputs.conf(in Splunk UF) to capture files under that directory. ... View more

@captainjak If yours is a small installation and not many users, Indexing/Searching can be done on one server. But forwarding needs to be definitely on a different server. But Ideally, I like all three layers - forwarding, indexing and searching - on separate servers. also my preference is Linux over Windows. To configure inputs.conf, you would also need a 4th server called as deployment server to push inputs.conf to the Splunk UFs. For more details on configuring inputs.conf for syslog, check these links: http://www.georgestarcher.com/splunk-success-with-syslog/ https://docs.splunk.com/Documentation/Splunk/7.3.1/Updating/Exampleaddaninputtoforwarders ... View more

When you say your splunk setup is running on windows server, exactly what component of splunk are you running on Windows Server? Is that component the UF, indexer or Search head? Also, I am not familiar with using syslog on Windows server to capture the firewall logs. But I can certainly warrant for the native syslog utility on Linux servers to collect and forward data to the indexers. What I am trying to say here is, you will want to have your firewall syslog data to a Linux server (that has splunk UF installed on it). This UF will then subsequently send data to the indexer (which I believe can be a windows indexer in your case). Seems you are trying to use the UI to configure data inputs (like in "Continuously monitor"). Rather than that, use deployment server to push inputs.conf on your splunk UF. You do not want to install syslog server on the indexer and monitor files from there, that is not a recommended approach. Let me know if you have any questions on this set up. ... View more

@captainjak You can use Linux's native rsyslog utility to ingest syslogs data from your firewall. This syslog utility can be configured to listen on a UDP OR TCP port, and then write the data to a local server's directory. Then install a Splunk UF on this Linux Server and subsequently configure monitor stanzas on this UF's inputs.conf to read the files from local directory and send it to splunk indexers. If your Splunk enterprise is running on Windows Server, you can still configure Splunk UF on Linux server to send data to Splunk indexers on Windows server. You may want to check this blog as well: https://www.function1.com/2012/05/syslog-collection-with-splunk ... View more

I have the same issue. @mathiask Did you ever get to resolve this issue? If so, Can you please share your solution here. ... View more

Thanks for your reply. https://user:password@host/metrics --> this worked just fine. ... View more

Here is my apps/modinput_prometheus/local/inputs.conf [prometheus://gralog] URI = https://graylog-server/api/plugins/org.graylog.plugins.metrics.prometheus/metrics index = prometheus sourcetype = prometheus:metric interval = 30 disabled = 0 insecureSkipVerify = 1 host = graylog-server the prometheus endpoint is https, so I have configured insecureSkipVerify=1. Please let me know if this is not the right config. ... View more