After the upgrade of Splunk Enterprise to 8.2.4, several triggered alerts with tokens are no longer sending out emails.    Looking at splunkd.log, there is a warning message concerning the alert 02-10-2022 10:02:28.244 -0600 WARN Pathname [15448 AlertNotifierWorker-0] - Pathname 'E:\Splunk\bin\Python3.exe E:\Splunk\etc\apps\search\bin\sendemail.py "results_link= "ssname=Password Reset Reminder" "graceful=True" "trigger_time=1644508948" results_file="E:\Splunk\var\run\splunk\dispatch\scheduler__srunyonadm__search__RMD5c5f30383081059ef_at_1644508800_24883\results.csv.gz" "is_stream_malert=False"' larger than MAX_PATH, callers: call_sites=[0xd4d290, 0xd4f001, 0x15d1632, 0x15ce217, 0x1439f53, 0x13c8176, 0x71f406, 0x71ea9e, 0x71e899, 0x6eaeeb, 0x70c3c5] I am concerned with the "larger thanMAX_PATH" message because Splunk doc states -  "The Windows API has a path limitation of MAX_PATH which Microsoft defines as 260 characters including the drive letter, colon, backslash, 256-characters for the path, and a null terminating character. Windows cannot address a file path that is longer than this, and if Splunk software creates a file with a path length that is longer than MAX_PATH, it cannot retrieve the file later. There is no way to change this configuration." What can be done to get this working again? Regards, Scott Runyon ... View more

I upgraded Splunk Enterprise to 8.1.8 from 8.0.6.   I am now getting messages where 45 days are allowed over 60 days to go over the indexing limit.   Looking at the indexing, the largest amount are from internal Splunk.  I have a single instance.  The first three indexes are internal Splunk The largest source is the Splunk Metrics log And lastly, the sourcetypes splunk_metrics_log and splunkd are a major portion of indexed data My question is, why is the internal Splunk processes counting towards my indexing?     Regards, Scott Runyon     ... View more

Syslog data from my Fortinet firewall is not being parsed out correctly.   I have noticed that there are multiple formats of messages.    This first format parses out correctly.  ...  policyid=474 sessionid=3929476361 user="FRED" group="RegularSupport.Grp" srcip=10.120.2.26 ...  These do not (specifically the user field is not populated) ....   policyid=441 sessionid=3929476369 user="BARNEY" srcip=10.120.36.105   .... (missing group after user field) .....   policyid=471 sessionid=3929476336 user="BETTY" group="TL-AVP-SVP.Grp" srcip=10.120.2.128 .... (has "-" in the text for group) ....   policyid=103 sessionid=3929476142 user="WILMA" group="Wkstns_SSLVPN_PD.Grp" srcip=172.24.1.18    ...... (has "_" in the text for group). I tried to do a extract fields on one of the different events, that solved the issue for the new event but the original event no longer works.    I assume that there is a regex somewhere that parses this out but I cannot find it.  My question is where do I go find out where it is so I can hopefully generate one that works?   Scott     ... View more

I am receiving Syslog data from the firewall and I would like to send a subset of it to the nullQueue. The issue I am having is that I have two set values (action and srcip) but 6 values for the destination. The formats of the fields of the raw data are - action="deny" scrip=10.12.55.55 dstip=192.168.10.0 The regex I have come up with is: (?:srcip\=10\\.12\\.55\\.55)|(?:dstip\=192\\.168\\.10\\.*)|(?:dstip\=172\\.16\\.10\\.*)|(?:dstip\=172\\.18\\.10\\.*)|(?:action\=\"deny\") What happens is that the "|" acts as an "or" so I will be dumping too much information. My question is what is the format to place in transforms.conf to filter out the events to be dropped? Regards, Scott ... View more