My data is from a command system that is being sent over UDP connection direct to the indexer. It sends data to Splunk every hour. Data format is Month Date Time sent from command system, system name, 1, Logon Time Examples Dec 10 00:51:46 system.network.net 1 2019-12-10T00:51:19.188-06:00 Dec 9 10:58:25 system.netework.net 1 2019-12-09T10:58:23.793-06:00 Dec 9 22:38:38 system.network.net 1 2019-12-06T08:05:23.745-06:00 I want to use Logon Time as the event time not the time it was received. This used to work until I upgraded to 7.3.3 from 7.3.0 to fix the Y2K20 issue. props file contains DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3Q%:z TIME_PREFIX = \w+\s{1,}\d{1,}\s\d{2}:\d{2}:\d{2}\s\S+\s\d\s category = Custom disabled = false MAX_TIMESTAMP_LOOKAHEAD = 256 TIMESTAMP_FIELDS = Any suggestions on what happened? Scott ... View more

After migrating from OSSEC to Wazuh , I installed the Wazuh app ver. 3.10.2. When starting the app, the API screen comes up with the message - "Kv Store is being initialized please wait some seconds and try again later." I has been a few days and the KV store is still not there. What do I need to do to get the KV store initialized? System details - single instance running Splunk Enterprise 7.3.0 Regards, Scott ... View more

Our anti-virus application is located in the "cloud" and is sending syslog data to the indexer over TCP port 6514. The application has the ability to use SSL to encrypt this data. Looking at previous answers, it looks like I should add [tcp-ssl://6514] to \etc\system\local\inputs.conf. After modifing the config and changing the remote end to use SSL, I get gibberish like this - \x00\x00\x00\x00
\x00\x00 index = avprogram source = tcp:6514 sourcetype = syslog When I remove the SSL requirement from the remote end, the data shows up as correct. It looks to me that I am missing a setting to decrypt the incoming data. Any suggestions on what I need to do? ... View more

I installed the Duo Security App that uses the API to download events in the JSON format. The data is collected and when I perform a search, the events look correct but the data in fields is doubled. Looking through Answers, there are several responses that suggest that props.conf be modified on the UF (adding KV_MODE = none) to prevent both index time extractions and search time extractions. Since the data is not be forwarded, which props.conf do I need to modify? I put KV_MODE = none in props.conf under the apps\duo_splunkapp\local but there was no change. Regards, Scott ... View more

I have a lookup file that contains two columns, ip and mac. I want to update this file daily by running a query that catches when either a new device is added or an existing device is moved. My query is index=syslog logdesc="neighbor table change" vendor_action="add" | regex srcip = "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | stats latest(srcip) BY mac | rename "latest(srcip)" AS srcip | fields mac srcip | lookup srcip_mac.csv mac OUTPUTNEW srcip | outputlookup append=true srcip_mac.csv What happens is that I end up with a file that contains the updated data in a new line but the existing items are duplicated. I end up with a file that is twice the size it needs to be. Any help will be greatly appreciated. Regards, Scott ... View more

i have multiple applications that place login information (Logon Date/Time, Logoff Date/Time, userid, etc.) into existing CSV files (one per application). I am monitoring these files, but when they are indexed, the old data is reindexed, so I have multiple events per logon. This is causing errors in reporting (I shouldn't have to do a dedup ) and is ballooning the size of each index (wasting disk space). My understanding is that when a file being monitored, a beginning and end CRC is generated to fingerprint the file along with a Seek Address. Documentation states: "A matching record for the CRC from the file beginning in the database, the content at the Seek Address location matches the stored CRC for that location in the file, and the size of the file is larger than the Seek Address that Splunk Enterprise stored. While Splunk Enterprise has seen the file before, data has been added since it was last read. Splunk Enterprise opens the file, seeks to Seek Address--the end of the file when Splunk Enterprise last finished with it--and starts reading the new from that point." I take this to mean that existing events are not added and only new events are indexed. This isn't happening in my case. I have read the questions concerning "duplicate data" and two settings keep appearing. One is "followTail", reading the doc for this, i see "WARNING: Use of followTail should be considered an advanced administrative action." and "DO NOT leave followTail enabled in an ongoing fashion.". This doesn't look to be a good fit for my problem. The second is "crcSalt". The question I have on that setting is if I do set it, does that ignore the Seek Address causing the entire file to be indexed, which is where I am now. Thank you in advance for any help that can be provided. Scott ... View more