Hello Team, I got a weird issue, that I struggle to troubleshoot. A month ago, I realized that my WinEventLog logs were consuming too much of my licenses, so I decided to index them in the XmlWinEventLog format. To do this, I simply modified the inputs.conf file of my Universal Forwarder. I changed from this configuration : [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="4662" Message="Object Type:(?!\sgroupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:(?!\sgroupPolicyContainer)" renderXml = false sourcetype = WinEventLog index = wineventlog To this configuration: [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="4662" Message="Object Type:(?!\sgroupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:(?!\sgroupPolicyContainer)" renderXml = true sourcetype = XmlWinEventLog index = wineventlog Then I started receiving events and my license usage reduced, which made me happy. However, upon closer observation, I realized that I wasn't receiving all the events as before. Indeed, I now observe that the event frequency of the XmlWinEventLog logs is random. You can observe this on these timelines :   And in the metrics :   On the other hand, with the WinEventLog format, I have no issues:   I tried reinstalling the UF, there are no interesting errors in the splunkd.log, and I am out of ideas for troubleshooting. Thank you for your help. ... View more

Hi everyone, First of all i have tried every solution present in splunk answers on this subject but no one solved my issue. I work in an complicate architecture and I want to filter logs from Stormshield Firewall. Stormshield logs are retrieved using a Syslog that writes .txt files and these files are then monitored by Splunk. The sending logic is as follows : FileSyslog on HF --> another HF --> IDX. This all works well but now I would like the events containing alarmid=1 in these files not to be indexed. For this I tried to modify the TA-Stormshield directly on the indexer like this : props.conf : [stormshield] TRANSFORMS-sns = snsnull transforms.conf : [snsnull] REGEX = alarmid=1 DEST_KEY = queue FORMAT = nullQueue It didn't work, then I tried to share the TA-Stormshield to the 4 HF involved in the log exchange, not working. Then I tried to modify the REGEX like this : REGEX = (\balarmid=1\b) OR REGEX = ^.*alarmid=1.*$ Not working again. After i try another strategy, I removed everything I had written in the TA-Stormshield to write directly to .../etc/system/local by creating props.conf and transforms.conf files. In these files I tried to use the source of the monitored files like this : props.conf : [source::E:\LOG\*.txt] # I tried a lot of different syntax for this stanza without result TRANSFORMS-sns = snsnull *transforms.conf: * [snsnull] REGEX = alarmid=1 DEST_KEY = queue FORMAT = nullQueue My logs look like this and I would like the event containing alarmid=1 not to be indexed : 2020-01-22 00:00:00 User.Alert id=firewall time="2020-01-22 00:00:00" ipv=4 action=block class=protocol alarmid=1 logtype="alarm" 2020-01-22 00:00:00 User.Warning id=firewall time="2020-01-22 00:00:00" ipv=4 action=pass class=protocol alarmid=7 logtype="alarm" I also tried several solutions present on the splunk answer, without much result. If anyone has a solution I would be extremely grateful. Thanks for your help. ... View more

Hi everyone, I would like to make a chart that compares the result from last year with this year by month. This is my search : ...| dedup CaseNumber | search ProductName=* IsDeleted=False AccountName="*" CaseRecordTypeName=Standard | eval CreatedDateUNIX=strptime(CreatedDate,"%Y-%m-%d %H:%M:%S") | eval _time=CreatedDateUNIX | where _time>=strptime("2017-01-01 00:00:00","%Y-%m-%d %H:%M:%S") AND _time<=strptime("2017-12-31 23:59:59","%Y-%m-%d %H:%M:%S") | timechart span=1mon count as 2017 | appendcols [dedup CaseNumber | search ProductName=* IsDeleted=False AccountName="*" CaseRecordTypeName=Standard | eval CreatedDateUNIX=strptime(CreatedDate,"%Y-%m-%d %H:%M:%S") | eval _time=CreatedDateUNIX | eval date=_time | eval today=round(relative_time(now(),"@y")) | where date>today | timechart span=1mon count as 2018] Both searches work well separately, but when i try to combine them, I only see the 2017 data. If someone could help me, that would be great. I'll be grateful. ... View more