How often do scripted inputs execute?  I want to implement some of these for exchange, but concerned that they will continually execute and cause performance impact. Scripted inputs [script://.\bin\exchangepowershell.cmd v14 get-publicfolderstats_2010.ps1] [script://.\bin\exchangepowershell.cmd v14 get-databasestats_2010.ps1] [script://.\bin\exchangepowershell.cmd v14 get-folderstats_2010.ps1] [script://.\bin\exchangepowershell.cmd v14 get-distlists_2010_2013.ps1] [script://.\bin\exchangepowershell.cmd v14 get-hoststats_2010_2013.ps1] [script://.\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1] [script://.\bin\exchangepowershell.cmd v14 read-mailbox-audit-logs_2010_2013.ps1] [script://.\bin\exchangepowershell.cmd v14 get-mailboxstats_2010_2013.ps1] [script://.\bin\exchangepowershell.cmd v14 get-inboxrules_2010_2013.ps1]   Link to TA https://docs.splunk.com/Documentation/AddOns/released/MSExchange/TA-Mailboxinputs ... View more

On the topic of managing applications from Splunkbase, I have a few questions. Take the TA-Exchange-Mailbox as an example: Firstly, the installation documentation for this application seems incorrect. While it references the application being installed at the Collection tier/input phase, it doesn't mention anything about the Search Tier/Phase, despite the existence of stanzas in props/transforms. Is the installation location implied? Here are the links to the documentation for reference: https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Configurationparametersandthedatapipeline https://docs.splunk.com/Documentation/AddOns/released/MSExchange/About#Splunk_Add-on_for_Microsoft_Exchange_Component_Installation_Locations Secondly, how should I manage the application at the various tiers of my deployment? The TA-Exchange-Mailbox application has inputs, props, transforms, and so on. Should I delete inputs.conf before putting the application on my Search Head? Do I delete props or transforms before adding to my Universal Forwarders? If it doesn't matter because Splunk will only use what is appropriate at various phases, then I can manage a single app with all of the configs and deploy everywhere, which seems to be the least overhead. Thirdly, if I need to modularize the application and apply config files at their respective tiers, can I rename it? This way, I would have two separate applications to better manage changes in source control: TA-Exchange-Mailbox_inputs TA-Exchange-Mailbox_props (or parsing or whatever) I would appreciate any advice or best practices on managing applications from Splunkbase. Thank you! ... View more

I'm having difficulty ingesting log data from flat files into Splunk. I'm monitoring six different directories, each containing 100-1000 log files, some of which are historical and will require less ingestion in the future. However, I'm seeing inconsistent results and not all logs are being ingested properly. Here's an example of the issue: When all six monitors are enabled, I don't see any data from [file-monitor5] or [file-monitor6]. If I disable 1-3, I start seeing logs from [file-monitor5], but not [file-monitor6]. I have to disable 1-5 to get logs from [file-monitor6]. The configuration for each monitor is shown below: [file-monitor1] [file-monitor2] [file-monitor3] [file-monitor4] [file-monitor5] [file-monitor6] I'm wondering if Splunk doesn't monitor all inputs at the same time or if it ingests monitored files based on timestamp, getting the earliest file in each folder.  Here's my current config for the monitors: [file-monitor1://C:\example] whitelist=.log$|.LOG$ sourcetype=ex-type queue=parsingQueue index=test disabled=false Can anyone provide insight into what might be causing the inconsistent results and what I can do to improve the ingestion process? ... View more

  Can someone guide me in the right direction. I have an issue with src_ip extraction using the nix splunk TA. I see that the [syslog] stanza in props.conf contains the config below, but I'm unsure how src_ip is actually being extracted using the props and transforms code blocks below.   Futhermore, I'm not 100% certain what transforms is actually doing. I was trying to narrow down where the issue might be with the extraction, but having some difficultly figuring that out.  The regex seems very basic. search: `index=ap_os_nix sourcetype=syslog` sourcetype = `syslog` source = `/var/log/auth` This payload below parses incorrectly and also included the port number. Mar 16 11:36:43 apnmls02 sshd[21198]: Received disconnect from 172.16.5.49 port 51798:11: Session closed [preauth] `src_ip="172.16.5.49 port 51798:11"` The payload below has parses the source IP correctly. Mar 16 11:42:23 apcribl02 sshd[200646]: Connection closed by 172.16.5.49 port 56452 `src_ip = 172.16.5.49` ### Props for syslog sourcetype ``` ###### Syslog ###### [source::....syslog] sourcetype = syslog [syslog] EVENT_BREAKER_ENABLE = true ## Event extractions by type REPORT-0authentication_for_syslog = remote_login_failure, bad-su2, passwd-auth-failure, failed_login1, bad-su, failed-su, ssh-login-failed, ssh-invalid-user, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication EVAL-action = if(app="su" AND isnull(action),"success",action) REPORT-account_management_for_syslog = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse REPORT-password_change_for_syslog = pam-passwd-ok, passwd-change-fail REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf REPORT-routing = iptables EVAL-signature = if(isnotnull(inbound_interface),"firewall",null()) REPORT-signature_for_syslog_timesync = signature_for_nix_timesync REPORT-dest_for_syslog = host_as_dest LOOKUP-action_for_syslog = nix_action_lookup vendor_action OUTPUTNEW action REPORT-src_for_syslog = src_dns_as_src, src_ip_as_src FIELDALIAS-dvc = dest as dvc EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product) ``` ### Transforms line referenced in Props ``` [src_ip_as_src] SOURCE_KEY = src_ip REGEX = (.+) FORMAT = src::"$1" ```       ... View more

I am getting the error below on my indexer.  I know which index / source is causing it, but have no idea how to fix it.  I've tried to open a ticket with support, but the "Select Cloud Stack" drop down has zero options, but is required.       The percentage of small buckets (100%) created over the last hour is high and exceeded the red thresholds (50%) for index=s1, and possibly more indexes, on this indexer. At the time this alert fired, total buckets created=12, small buckets=12           ... View more

I have several alerts that have been firing off an email. Everything has been working for several weeks. However, I noticed over the weekend that search results that should have triggered did not send an email. I don't see any errors in the scheduler.log file. Any other recommendations for troubleshooting this issue? ... View more