Hi, I have an inputs.conf that seems to be ignoring the host entries that I've entered. Am I missing something? `[monitor:///data/syslog-ng/logs/unknown/.../*.log] host_segment = 5 disabled = false index = unknown sourcetype = unknown_syslog blacklist=(1.2.3.4|4.5.6.7|6.7.8.9|127.0.0.1) ... View more

We upgraded our Splunk for Windows Add-on from version 4.3.8 to 5.0.1 and our memory doubled on our indexers. Not entirely sure the TA is the whole problem, but it does appear that as part of this upgrade, Splunk is doing a transform on each and every windows eventlog, and transforming the sourcetype, at the indexer layer. Why in the world would they do that? Seems like a really bad idea. Has anyone else run into this or confirmed it? If accurate, I'd like to understand why they don't just set it at the UFW layer. The props: [(?::){0}WinEventLog:*] TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype The transforms: ## Setting generic sourcetype and unique source [ta-windows-fix-classic-source] DEST_KEY = MetaData:Source REGEX = (?m)^LogName=(.+?)\s*$ FORMAT = source::WinEventLog:$1 [ta-windows-fix-xml-source] DEST_KEY = MetaData:Source REGEX = <Channel>(.+?)<\/Channel>.* FORMAT = source::XmlWinEventLog:$1 [ta-windows-fix-sourcetype] SOURCE_KEY = MetaData:Sourcetype DEST_KEY = MetaData:Sourcetype REGEX = sourcetype::([^:]*) FORMAT = sourcetype::$1 ... View more

Anyone run into an issue where the User Logon/Logoff events from O365 stop indexing from the Splunk Add-on for Microsoft Office 365? Other events are still appearing, but these stopped. Our O365 admin ran a powershell script using the same credentials as the plugin, and the events appeared, so I don't think that it's an issue with the account, or Microsoft. The plugin doc provided some additional steps to assist with trouble-shooting, but those did not solve the issue either. ... View more

Hi, Has anyone successfully created tenants via .conf files from the command-line? I've created them and restarted splunk, but data pull fails. The log files say that the splunk_ta_o365_secret could not be found. When I look at the local directory for the app, no passwords.conf exists. I then go into the gui, re-enter the client secret, and the passwords.conf file gets created, and the data pull works. So, it looks the tenant client_secrets must be added via the gui? Hope this makes sense. ... View more

Hi, I'm having some issues getting a feeds timestamp picked up properly. The date field comes in like this: "date": "8/15/2019 10:55:16 AM" . My props has this, which isn't working. TZ = UTC TIME_FORMAT = %m/%d/%Y %I:%M:%S %p TIME_PREFIX = "date": " ... View more

Splunk recently announced that they were no longer going to support their add-on for Tenable Nessus data, and recommended using Tenables own add-on for Splunk. I installed the add-on, but I'm seeing huge differences in event counts for the vuln sourcetype, with the Tenable one generating more than twice the amount of events. Has anyone run into this? Also, is there a way to disable the asset and plugin data from being collected? ... View more

Hi, I'm trying to do an eval, but it's not working, and could use another set of eyes. I extract my data in the props.conf on the SH: EXTRACT-action = \<ACTION\>(?<actionTESTA>[^\<]+)\<\/ACTION\> That part works - it returns values of Discard, Refuse or Allow. I then have an eval function in my props. right under the extract statement. EVAL-action=case(actionTESTA="Allow","allowed",actionTESTA="Permit","allowed",actionTESTA="Discard","teardown",actionTESTA="Refuse","blocked",eventTESTA="Connection closed","teardown",eventTESTA="Incomplete connection closed","teardown") I would expect the eval statement to change values, but it's not. Anyone? ... View more