Hi. My configuration is UF->HF->INDEXER. Aim: configure DMC to monitor all instances of my deployment including Universal Forwarders (ver 6.1.4 or 6.2.0). Problem is that I can't get splunkd.log and other internal logs from UniversalForwarders to my indexer(ver 6.4.1). I have deployed a small app to my Universal Forwarders with such inputs.conf: [monitor://$SPLUNK_HOME/var/log/splunk/splunkd.] index = _internal sourcetype = splunkd _TCP_ROUTING = * otputs.conf [tcpout] forwardedindex.0.whitelist = . forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_introspection|_internal) forwardedindex.filter.disable = false But I still have no data on my indexer from that UF On Universal Forwarders I have such $SPLUNK_HOME/etc/system/local/outputs.conf [tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = heavyforwarder:9997 [tcpout-server://heavyforwarder:9997] All non internal logs have indexed good, but internal logs such as splunkd.log have not indexed. Also I have some UFs that are sending data directly to indexer and I see all internal logs from them without my app. So I can monitor them and my heavy forvarder in DMC without problem, but I need all forwarders. Need help ... View more

Hi. I have a monitor of "/etc/shadow" file with last password change field lastchange in days (example lastchange=16937). It's a number of days from 01/01/1970 I need to determine the date of last password change of a user. I want to do something like: 01.01.1970+lastchange=last_password_change_date How to do that? ... View more

Hi guys! I have two questions: 1) Is it possible to use Forvarder ver 6.4.1 if my indexer and deployment servers have Splunk Entervrise ver 6.2.1 2) Which instalation of Splunk forwarder I can use for Red Hat Enterprise Linux Server release 7.0 core 3.10.0-123.6.3.el7.x86_64 ... View more

Hello guys I'm trying to drop the end of all Security events: This event is generated when a logon session is created. It is generated on the computer that was accessed. .... My conf files on Heavy Forwarder is: transforms.conf [win-event-cut-en] DEST_KEY = _raw REGEX = ((.*+[\v])+)(?=This event is generated when) FORMAT = $1 props.conf [WinEventLog:Security] TRANSFORMS-windows_events =win-event-cut-en However, this does not work. ... View more

Hi all, my search | stats count(filename) AS files, sum(size) AS TotalMb by user| sort -TotalMb | eval email=user."@mydomai.com" | table user, files, TotalMb, email | head 2 Result is: user1, 123, 506, user1@mydomai.com user2, 234, 26, user2@mydomai.com I need to send each row for each of user from search result: fitst string to user1@mydomai.com second string to user2@mydomai.com I am using: my search | stats count(filename) AS files, sum(size) AS TotalMb by user| sort -TotalMb | eval email=user."@mydomai.com" | table user, files, TotalMb, email | head 2 | map search="sendemail to=$email$ from=splunk@mydomain.com subject="Big files" sendresults=true inline=true priority=normal server="mail.server" message="TEST"" Result is emailed for each user with "No results found". Why are users not receiving emails with the results of the search? Please help ... View more

Hi splunkers !!! Need help. I used eval to create a field with the email address for some users: search myquery.... | fields username, result | eval mail=username+"@mydomain.com" |sendemail to=mail subject="Splunk is wathing you" sendresults=true inline=true priority=normal But it's not working. In python.log I want to send emails for all users from my search with specific results for every username from the search. Is it possible? Can I use "mail" field like variable? ... View more