Hello We want to forward (and index in Splunk) some Events (Windows Event Logs) to Nessus Security Center Log Correlation Engine. I've tried the following settings on the Indexer: "D:\splunk\etc\system\local\props.conf" [WinEventLog://Application] TRANSFORMS-routing1=nessus [WinEventLog://Security] TRANSFORMS-routing2=nessus [WinEventLog://System] TRANSFORMS-routing3=nessus "D:\splunk\etc\system\local\transforms.conf" [nessus] REGEX = . DEST_KEY=_TCP_ROUTING FORMAT=nessusforwarder "D:\splunk\etc\system\local\outputs.conf" [tcpout] defaultGroup = nothing disabled = 0 [tcpout:nessusforwarder] disabled = 0 server = xx.xx.xx.xx:9445 sendCookedData = false indexAndForward = true Does't work like this, any hints what's wrong in my config? ... View more

Hello I've moved some indexes to a new path, everything works fine. In the splunkd.log I see a Warning now from one of the indexes: WARN DatabaseDirectoryManager - Unable to find a directory for db id=perfmon~56~EB58ECE2-6770-43E7-988E-1CC4959EDC6F with dir_name=hot_v1_56 The directory is there and I don't understand what's the problem and how to fix it/get rid of this Warning. I see the Warning only on one Index. Any suggestions? Thx in advance! ... View more

Hello Where can I find Information about Windows Server 2016 compatibility (universal forwarder)? Regards ... View more

I have an event with multiple date strings, it looks like this: 2016-06-01 15:31:31 INFO - Transfer[sourceName=xxx,sourceFile=xxx,sourceSize=xxx,sourceCheckSum=xxx,targetName=xxx,targetFile=xxx,targetSize=xxx,targetCheckSum=xxx,status=xxx,errorText=xxx,startTime=Wed Jun 01 15:29:26 CEST 2016,endTime=Wed Jun 01 15:29:27 CEST 2016,checkSumMethod=xxx,originalEntryDate=xxx] Splunk uses the date string in startTime for the _time field. I want to use the date string found in the beginning of the event. In the props.conf, I've added TIME_FORMAT to the stanza, but nothing changes.. TIME_FORMAT = %y-%m-%d %H:%M:%S Any hints? ... View more

I'm trying to convert a string to a date. The string looks like 2016-05-20T05:16:02.007+02:00 ... View more

Is there a way to trigger PDF creation of an existing dashboard (and send an email) via REST API? ... View more

Hello everybody I'm pretty new to Splunk and I'm trying to parse an xml input for the first time. Unfortunately, without success so far. 😞 I want to extract some fields of an xml file. In my Test Environment I've created a new deployment app, server class, and made the associations. In the app (default folder) I've created an inputs.conf: [monitor://C:\temp\input.XML] NO_BINARY_CHECK=1 sourcetype=my-source Then I've created a props.conf: [my-source] DATETIME_CONFIG = CURRENT LINE_BREAKER = [\>\s]((?=\<data\>)) SHOULD_LINEMERGE = false NO_BINARY_CHECK = 1 TRUNCATE = 10000000 So far so good, the input file is indexed by Splunk, but my props.conf has no influence at all. The XML looks like this: <?xml version="1.0" encoding="UTF-8"?> <report> <reportdata> <name value="VPN User Total" type="string"/> <desc value="VPN User Total" type="string"/> <freq value="None" type="string"/> <created value="2016/03/15 09:02:27" type="timestamp"/> <timezone value="Europe/Berlin" type="string"/> <author value="useradmin" type="string"/> <customquery><query/></customquery> </reportdata> <domain id="master" total="0"/> <domain id="domain.intra" total="572"> <query id="New"> <data> <appl_types value="RO" type="string" source="digipass" displayname="Application"/> <domain value="domain.intra" type="string" source="digipass" displayname="Domain"/> <dp_type value="GO001" type="string" source="digipass" displayname="Type"/> <serial_no value="0123456789" type="string" source="digipass" displayname="SN"/> <userid value="user1" type="string" source="digipass" displayname="User"/> </data> <data> <appl_types value="RO" type="string" source="digipass" displayname="Application"/> <domain value="domain.intra" type="string" source="digipass" displayname="Domain"/> <dp_type value="GO001" type="string" source="digipass" displayname="Type"/> <serial_no value="987654321" type="string" source="digipass" displayname="SN"/> <userid value="user2" type="string" source="digipass" displayname="User"/> </data> </query> </domain> </report> From the second line, everything is on one line (just added some line breaks for better reading). The File contains a lot of entries, this is only a demo version of it. Splunk indexes only the first 10000 chars and adds no line breaks. My Goal is to extract the userid and serial_no from all fields (I know that my props doesn't do that, but I tried to start as simple as possible. Any hints why my props.conf is not working at all? ... View more

We have some Appliances (Open System Webproxy), they can send Splunk cooked data into Splunk. I want to receive the data to a restricted index (securitylogs). In a first try I configured the listening port in the Webui, Setting -> Forwarding and receiving -> Configure receiving -> added Port 3514 This was working but it was using the main index. So I've reconfigured it in the app "config_all_indexers": inputs.conf [splunktcp://3514] disabled = 0 index = securitylogs Then I used the "| delete" function to remove the data from the main index. Now I dont get any data from the appliances anymore and I've no idea why.. Maybe someone can give me a hint whats the problem of my config? ... View more