Hi @ganesanvc  Does "text_search" come from a search result - or is this something like a token you are passing in? I couldnt tell from the request but if its coming from a token and you want to apply the additional escaping then you can do this: index=main source="answersDemo" [| makeresults | eval text_search="*\\Test\abc\test\abc\xxx\OUT\*" | eval FileSource=replace(text_search, "\\\\", "\\\\\\\\") | return FileSource ]   Note: I used a sample event in index=main as you can see in the results above using; | windbag | head 1 | eval _raw="Test Event for SplunkAnswers user=Demo FileSource=\"MyFileSystem\\Test\\abc\\test\\abc\\xxx\\OUT\\test.exe\" fileType=exe" | eval source="answersDemo" | collect index=main output_format=hec I may have got the wrong end of the stick with what you're looking for here but let me know! 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi There is no official Splunk TA for Typo3, so you need to create a custom sourcetype with appropriate field extractions for your Typo3 logs. Start by identifying the log format (e.g., JSON, key-value, plain text) and create custom props.conf and transforms.conf settings to parse the fields. Its a few years since Ive used Typo3 and the only instance I still have running just has apache2 logs however in the Typo3 docs I found the following sample event - is this similar to yours? Fri, 19 Jul 2023 09:45:00 +0100 [WARNING] request="5139a50bee3a1" component="TYPO3.Examples.Controller.DefaultController": Something went awry, check your configuration! If so then the following props/transforms should help get you started: == props.conf == [typo3] SHOULD_LINEMERGE = false # Custom timestamp extraction (day, month, year, time, tz) TIME_PREFIX = ^ TIME_FORMAT = %a, %d %b %Y %H:%M:%S %z TRUNCATE = 10000 # Route event to stanza in transforms.conf for field extractions REPORT-typo3_fields = typo3_field_extractions == transforms.conf == [typo3_field_extractions] # Extract log_level, request id, component, message REGEX = \[([^\]]+)\]\s+request="([^"]+)"\s+component="([^"]+)":\s*(.*)$ FORMAT = log_level::$1 request_id::$2 component::$3 message::$4 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing   ... View more

Hi @LearningGuy  Yes you can use output_mode=hec - see below: | windbag | head 1 | eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}" | eval source="answersDemo" | collect index=main output_format=hec Then when I search index=main source=answersDemo: Note - you need to ensure you have the run_collect capability for your role and also access to the index you are collecting in to. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing   ... View more

Hi @LearningGuy  Ah yes you do need access to the index you search but it can be any index.  You might actually be able to use the "windbag" command instead like this: | windbag | head 1 | eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"   🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @LearningGuy  When using makeresults which is a report-generating command you get a table output. When I want to get a JSON tree view you need it to be an eventbased output, I use this little tricky to get an event and then override with eval _raw like this: index=_internal | head 1 | eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"   🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @ranandeshi  I've posted an updated SPL directly on the question, but you can make this a single EVAL with: | eval formatted_time = strftime((tonumber(substr(identifier,2,16),16) - tonumber("4000000000000000",16) + tonumber(substr(identifier,18,8),16) / 1000000000), "%Y-%m-%d %H:%M:%S") . "." . printf("%03d", round(tonumber(substr(identifier,18,8),16) / 1000000, 0)) This means you could possible use INGEST_EVAL to overwrite the _time field: == props.conf == [yourSourcetype] TRANSFORMS-taiTime = taiTimeExtract == transforms.conf == [taiTimeExtract] INGEST_EVAL = _time:=strftime((tonumber(substr(identifier,2,16),16) - tonumber("4000000000000000",16) + tonumber(substr(identifier,18,8),16) / 1000000000), "%Y-%m-%d %H:%M:%S") . "." . printf("%03d", round(tonumber(substr(identifier,18,8),16) / 1000000, 0))  However this assumes "identifier" is a field it can eval against. You might need to extract this first. Do you have a sample event I can work on to help or is this enough to get you started? 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi To accurately convert TAI64N to a human-readable timestamp in Splunk, you need to: Subtract the TAI64 epoch offset (0x4000000000000000) from the first 16 hex digits (seconds) Add the nanoseconds (next 8 hex digits) as a fractional part Format the result using strftime and printf Here's the corrected SPL: | makeresults | eval identifier="@4000000068022d4b072a211c" | eval tai64n_hex = substr(identifier, 2) | eval tai64_seconds = tonumber(substr(tai64n_hex, 1, 16), 16) - tonumber("4000000000000000", 16) | eval tai64_nanoseconds = tonumber(substr(tai64n_hex, 17, 8), 16) | eval tai64_epoch = tai64_seconds + (tai64_nanoseconds / 1000000000) | eval formatted_time = strftime(tai64_epoch, "%Y-%m-%d %H:%M:%S") . "." . printf("%03d", round((tai64_nanoseconds/1000000),0)) | table formatted_time tai64_seconds extracts and normalises the seconds since Unix epoch. tai64_nanoseconds extracts the nanoseconds. tai64_epoch combines seconds and fractional seconds. strftime formats the timestamp, and printf ensures milliseconds are zero-padded. Note: TAI64N timestamps are based on TAI, not UTC. TAI is ahead of UTC by a number of leap seconds (currently 37). Splunk and most systems use UTC, so your converted time may be offset by this difference. If you need exact UTC, subtract the current TAI-UTC offset (e.g., 37 seconds) from tai64_epoch 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @ws  Is the full path for the JSON file the same from each time you have indexed it? If the path is different then this might explain why it has indexed twice instead of just continuing from where you last ingested. I'm pleased that you were able to get your events split out! Please consider adding Karma / "Liking" the posts which helped 🙂 Thanks Will ... View more

Hi @danielbb  Please could you share a sample event and screenshot of this so we try and repeat this issue and/or diagnose? 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @bapun18  Your user will need a role which has write permissions in the app that you want them to be able to upload a lookup to. You can update your app's read/write permissions at https://YourSplunkInstance/en-US/manager/permissions/search/apps/local/<YourAppName>   You also need the 'upload_lookup_files' capabilty which is part of the default "user" role and anything which inherits the user role. This does also mean that a user can upload a lookup to any app which their role has write permissions to. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing   ... View more

Hi @Nicolas2203  Soo...if you want to redact your logs sent to one place but not redact them sent to the other then I think you would have to use CLONE_SOURCETYPE and then apply some redaction and routing of this new sourcetype as required. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @gpalau  Please could you confirm the permissions that you have on the installation? ls -ltr /Applications/SplunkForwarder Are you intending to run Splunk as your own user?  According to the docs (https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements#:~:text=for%20this%20platform.-,Mac%20operating%20systems,-The%20table%20lists) Mac OS 15.4 Sequoia is not yet supported *however* I am running this myself on an M1 Silicon Mac running 15.4 without issue, so it should work, but consider that it might not be officially supported. For reference, on my installation the permissions are as follows: ls -l /Applications/ | grep SplunkForwarder >> drwxr-xr-x@ 17 MyUsername wheel 544 17 Apr 17:07 SplunkForwarder ls -l /Applications/SplunkForwarder drwxr-xr-x 27 MyUsername wheel 864 20 Feb 19:41 bin -r--r--r-- 1 MyUsername wheel 57 20 Feb 16:30 copyright.txt drwxr-xr-x 32 MyUsername wheel 1024 17 Apr 17:07 etc -rw-r--r--@ 1 root wheel 0 17 Apr 17:06 Icon? drwxr-xr-x 3 MyUsername wheel 96 20 Feb 19:23 include drwxr-xr-x 32 MyUsername wheel 1024 17 Apr 17:06 lib -r--r--r-- 1 MyUsername wheel 59708 20 Feb 16:30 license-eula.txt drwxr-xr-x 5 MyUsername wheel 160 17 Apr 17:07 openssl -r--r--r-- 1 MyUsername wheel 522 20 Feb 18:01 README-splunk.txt drwxr-xr-x 4 MyUsername wheel 128 20 Feb 19:23 share -r--r--r-- 1 MyUsername wheel 53332 20 Feb 19:41 splunkforwarder-9.4.1-e3bdab203ac8-darwin-universal2-manifest drwxr-xr-x 3 MyUsername wheel 96 20 Feb 19:24 swidtag -rw-r--r-- 1 MyUsername wheel 0 20 Feb 19:23 uf drwx--x--- 7 MyUsername wheel 224 17 Apr 17:07 var 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing   ... View more

Hi @tangtangtang12  I presume you are using ITSI/ITEW which is where you have installed the content pack? The content pack is only KPIs and relies on specific data to be available - The content pack itself does not onboard the data. Please check out the docs around the content pack data requirements here: https://docs.splunk.com/Documentation/CPWindowsMon/latest/CP/DataReqs That docs page gives an inputs.conf sample and other info about the data required for these KPIs to run, including the metrics you are looking for. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @Haleb  *Yes* - This is to be expected, this is based on how the Splunk instance was started.  Essentially if Splunk started by "$SPLUNK_HOME/bin/splunk start" it will appended with "start", if it was "$SPLUNK_HOME/bin/splunk restart" it will be appended with "restart". If you use systemd then it could be something like "splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd" Check out the following Community post with a little more info if interested: https://community.splunk.com/t5/Monitoring-Splunk/Difference-between-splunkd-p-8089-restart-or-splunkd-p-8089/m-p/255553 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @Nicolas2203  You are referencing _SYSLOG_ROUTING which is for syslog routing, whereas your input is using _TCP_ROUTING. Did you mean to use _TCP_ROUTING in your transforms? Another thing is that this will not clone your data, it will only *change* the routing.  When you specify multiple items in a TRANSFORMS they are processed in order, meaning that your network guest route is applied, then the second one. In your scenario the second transform applies to ALL events because of the "." in the REGEX which means that will be the routing which is applied. I think what you are looking for is the following: == props.conf == [fw:firewall] TRANSFORMS-clone = fwfirewall-route-network-guest, fwfirewall-clone == transforms.conf == [fwfirewall-clone] DEST_KEY = _TCP_ROUTING FORMAT = distant_HF,local_indexers REGEX = . [fwfirewall-route-network-guest] REGEX = \bNETWORK-GUEST\b DEST_KEY = _TCP_ROUTING FORMAT = local_indexers How this works is by specifying both outputs in _TCP_ROUTING when the REGEX matches "." (always) and then changes it to local_indexers IF the event contains NETWORK-GUEST. This could actually be simplified by setting the duplicate output in the input, then just overriding for the local_indexers if it contains NETWORK-GUEST: == inputs.conf == [tcp://22000] sourcetype = fw:firewall index = fw_index _TCP_ROUTING = distant_HF,local_indexers == props.conf == [fw:firewall] TRANSFORMS-redirectLocal = fwfirewall-route-network-guest == transforms.conf == [fwfirewall-route-network-guest] REGEX = \bNETWORK-GUEST\b DEST_KEY = _TCP_ROUTING FORMAT = local_indexers 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @EFonua  It seems that something must have changed in either the field extractions for your users, or the source data.  Have you updated any apps recently or made any field extractions changes? Without the actual search you are running it is hard for us to determine the issue here, but I would start out by running the search manually to see what user values you get, then work back from there to determine why the correct value isnt appearing. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @ws  For All-in-one then you are good, and then yes - once ready to deploy you would put this on your HF. One things Ive just notice which I missed before is that you are changing the sourcetypes. The second set of props probably arent applying to the new sourcetype name (you cant have 2 bites of the same cherry...) so try applying the event breaker props to the original sourcetype in the [preprocess_case] stanza. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @sabollam  I think you first need to address the issue of the multiple JSON events displaying in a single event as per your screenshot. I suspect that the reason you are getting the "none" value is because its failing to do the json_extract to get the timestamp value because the JSON is not valid/there are multiple events. If you are able to get the event breaking properly then I think the INGEST_EVAL should work. As others have said, its worth making sure you are consciously doing this based on valid decision - there may be other ways to achieve this. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @ws  Can you confirm where you applied those props/transforms and what your architecture looks like? They need applying to either HF or Indexers depending where the data lands. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @Praz_123  To access the HF via REST you need to make sure they are setup in MC but also be able to reach their REST endpoints. If you just want to see the health by host then you can try the following which will report hosts with red health checks: index=_internal host=* source="*/var/log/splunk/health.log" | stats latest(color) as color by feature, node_path, node_type, host | stats values(node_path) by color host node_type | where color="red"   🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @RSS_STT  Use a stats command like this: | chart values(utilization) over Host by drive_Name   | makeresults count=3 | streamstats count | eval Host=case(count=1 OR count=3, "aaa", count=2, "bbb"), drive_Name=case(count=1 OR count=2, "D:", count=3, "E:"), utilization=case(count=1, 20, count=2, 30, count=3, 60) | fields - count _time | chart values(utilization) over Host by drive_Name 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @ws  You need to setup the linebreaker to distinguish between different events starting with the attributes key. == props.conf == [yourSourcetype] SHOULD_LINEMERGE=false TRUNCATE = 100000 LINE_BREAKER=([\r\n]+)\s*{(?=\s*"attribute":\s+{) Note: TRUNCATE can be a high number but should ideally NOT be 0! 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing     ... View more

Hi @MsF-2000  You may be able to use $job.latestTime$ in your subject - however I believe this is a unix timestamp so it may be hard for the receiver to know what it really means. Instead, you could use add_info to your search to get the search time and use the $result.search_time$   index=_internal | stats count | addinfo | eval search_time=strftime(info_search_time,"%c") | fields - info_* This is a simple example to help you get started. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @Prajwal_Kasar 1. Include the WinRM library (and its dependencies) in your app bundle before installing it on Splunk Cloud. #Within your app mkdir lib pip install --target=lib winrm 2. Prepend lib to sys.path in your alert script # bin/alert_winrm.py - For example import os, sys vendor_dir = os.path.join(os.path.dirname(__file__), "../lib") sys.path.insert(0, vendor_dir) import winrm def clean_old_files(TargetServer, FolderPath, FileThresholdInMinutes, UserName, Password): session = winrm.Session(TargetServer, auth=(UserName, Password), transport='ntlm') # … your cleanup logic … if __name__ == "__main__": # parse args and call clean_old_files()   3. Package & deploy as you would normally 4. Note WinRM’s may require additional deps (requests, xmltodict, six) but I think pip should install these. Ensure Splunk Cloud can reach your Windows host on port 5985/5986 - this can be managed with ACS. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @Praz_123  As described by @PickleRick  and @isoutamo  - it can sometimes be possible to add these to MC but not always practical, and a bit hacky!  If you are wanting a high level view of a forwarder then you can use the health.log using the following SPL index=_internal host=yourFowarderHost source="*/var/log/splunk/health.log" | stats latest(color) as color by feature, node_path, node_type, host   If you have a number of forwarders to monitor then you could adapt this to score the colours and show the worst? 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more