Here is a runanywhere example of it working | makeresults | eval _raw="Message=An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: ComputerAccount$ Account Domain: Domain Logon ID: 0x3E8 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: svc_account Account Domain: Domain Failure Information: Failure Reason: Account locked out. Status: 0xC0000236 Sub Status: 0x0" | rex "(?ms).*Account Name:\s+(?<Account_Name>\S+)" This assumes the events are as you have shown i.e. no extra characters such as quotes or other punctuation. ... View more

The recommend best practice for your case and pretty much all syslog setups is to send the syslogs to a central server, where a syslog daemon (preferrably syslog-ng, or rsyslog) collects all data, and writes it to disk, split by hostname, date, etc. You can then have a UF (or HF, if necessary) monitor those files and forward them to an indexer. This is best practice for a bunch of reasons: - Less prone to data loss, because syslog daemons are less frequently restarted, and restart much faster than Splunk - Less prone to data loss, because all data is immediatly written to disk, where it can be picked up by Splunk - better performance, because syslog daemons are better at ingesting syslog data than Splunk TCP/UDP inputs In this case, a network failure between UF/HF and IDX won't cause any problems, because the data is still being written to disk - UF/HF will just continue to forward it when the connection is available again. I'd prefer this over Splunk persistent queues, because it also allows for much easier troubleshooting - because the data is written to disk, and you can look at it. If something is wrong, you can check if you got bad data, or if something went wrong after that with your Splunk parsing. You can find more details in the .conf 2017 recording/slides for "The Critical Syslog Tricks That No One Seems to Know About", or in the blog posts Using Syslog-ng with Splunk and Splunk Success with Syslog. Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂 ... View more

Try DB Connector, make sure that ODBC-DS is machine based and not user based... Should be fine. ... View more

i get this error: "Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '31' of search query '| makeresults | eval info="" | [search index="doma'." The query: | makeresults | eval info="" | [search index="domain_event_agg_info" event_domain="XXXX.YYY."] | eval info=if(isnull(event_count),"0",'event_count') ... View more

Thank you for your reply, it help me to cut down on some things that i am confused about. For starters, right now after creating my APP i am trying to let my APP to automatically listen on port 514 TCP by default which i do not know how to implement. Also to simplify my previous question my goal is to set up a page UI in my APP somewhat similar to splunk default Local inputs where you can set it at the setting under TCP and UDP. However what i am looking for is to allow my users to easily access that page instead of splunk and set whatever configurations they want to such as any TCP or UDP port and also the sourcetype and index name they want. For my remote syslog host i have already configured a custom fowarder and is successful in using the default splunk setting to allow the logs to be sent through any port such as tcp port 8888 and receiving the logs as the source type i have named such as custom_logs into the default index. I hope to implement this setting as a page on my APP to tell my app to listen on whichever port the user would want and i have no idea where to start from. ... View more

Yes, you are absolutely right we can use this to parse and index the JSON data. ... View more

Hi @gedworksplunk I have some thoughts about your configuration. First of all NFS is not suggested by Splunk for using on the Indexers. If possible use local storage or reliable storage subsystem. In your setup you will only backup the replicated buckets, but you will never get the master buckets. So in your backup strategy you miss the original data. (Sitenote: We had some issues with replicated bucket when they were made searchable. Especially with buckets which contained Windows event logs) The backup strategy of Splunk is very simple, which is described here: https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Backupindexeddata Just install a backup agent and implement Splunks recommendation. Another thought regarding Mulitsite Clustering Backup. If you backup all the data from each indexer you probably will backup more data as need. I would backup only the original buckets (db_) and write a blacklist for the replicated buckets (rb_). Why? The cluster will automatically replicate the original bucket if the clustermaster doesnt find any copies ... View more

Hi, no this was a crash of the UF implicating KERNELBASE.dll - the stack overflow caused other issues on the server, clearly there was a memory leak of some sort that affected everything else on the server. I will have a look at that, thanks. ... View more

http://blogs.splunk.com/2008/05/15/forwarder-and-indexer-metrics/ Here’s a sample query that you can run on each indexer instance to get a report on thruput by each forwarding entity: index=_internal metrics "group=tcpin_connections" | timechart span=30s avg(tcp_bps) by sourceHost ... View more

Hi @fdarrigo - I see your solution ingests the Windows event log. How were you able to resolve the accuracy of pages printed in the event log? I'm running a Windows Server 2016 print server, and I understand that some of the native print logging features were better on WS08/R2 than subsequent os releases - specifically with regard to pages printed. Currently, Event 307's Pages Printed (Param8) is 0. I've enabled print auditing and am not able to find anything indicating how to fix the event log's pages printed count. Any advice? How would one go about configuring Splunk to query the print queue instead? Any insight would be greatly appreciated. Thanks, Kayla ... View more

If you install universal forwarders on all your endpoints, as vanilla configuration just pointing back to your central server, you can then add a data input from the server and get it to start pushing logs up to central server. ... View more

Yes windows, 7 and 2012 I have tried this on. It's just a bit hacky that SEDCMD-replacespaces = s/()/^/g means to replace any character with ^ and including spaces. ... View more

Hi, what I was expecting was that the zip and the contents are both indexed as per the white/blacklist rules, and that the parsing I defined in props.conf would be carried out, none of this has happened... The zip file name itself was picked up however. The page you have pointed out has a very brief description that only indicates that zip files are processed and not how they are handled differently from other files. With most of this understood now, is anyone able to explain why the parsing is not working in props.conf? Thanks. ... View more

Hi, that command will work without transactiontypes.conf, I'm trying to figure this out now. ... View more