×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
seankoniarz
Explorer
Member since: ‎05-16-2019
‎01-16-2021
Community Statistics
Posts 6
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎05-16-2019
Activity Feed
View All

Re: VMWare Unified Access Gateway

by in Splunk Enterprise Security
‎09-19-2022 12:54 PM
1 Karma
‎09-19-2022 12:54 PM
1 Karma
@sheamus69  I've made some progress.  Initial work is getting the log ingestion from syslog and overriding the SourceType. Here is my inputs.conf   [monitor:///var/log/$mask_host1$/syslog] disabled = false #initCrcLength = 800 crcSalt = <SOURCE> index = test sourcetype = uag:syslog [monitor:///var/log/$mask_host2$/syslog] disabled = false #initCrcLength = 800 crcSalt = <SOURCE> index = test sourcetype = uag:syslog [monitor:///var/log/$mask_host3$/syslog] disabled = false #initCrcLength = 800 crcSalt = <SOURCE> index = test sourcetype = uag:syslog Here is props.conf on the HF. [uag:syslog] category = Custom TRANSFORMS-uag:syslog = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager   Here is transforms.conf the HF. [vmware:uag:admin] REGEX = uag-admin\: FORMAT = sourcetype::vmware:uag:admin DEST_KEY = MetaData:Sourcetype [vmware:uag:audit] REGEX = uag-audit\: FORMAT = sourcetype::vmware:uag:audit DEST_KEY = MetaData:Sourcetype [vmware:uag:esmanager] REGEX = uag-esmanager\: FORMAT = sourcetype::vmware:uag:esmanager DEST_KEY = MetaData:Sourcetype   Next, I'll update with field extraction if you're intrested. ... View more

Re: Finding proper frozen bucket

by in Getting Data In
‎09-12-2022 03:37 AM
‎09-12-2022 03:37 AM
https://github.com/mehransafari/Splunk_FrozenData_FIND_by_DATE_and_Restore   an script for finding frozen bucket files in time range you gave shows folders + size + start time and endtime of logs contains on  each folder log + asks to unfrozen log  it may help you ... View more

Re: Remove Health messages

by in Splunk Enterprise Security
‎01-07-2020 01:28 PM
‎01-07-2020 01:28 PM
Thanks! Looks like this message falls under the Might or Might Not be configurable ... View more

Re: Route to index based on source IP/Dest IP in l...

by in Getting Data In
‎05-16-2019 03:08 PM
‎05-16-2019 03:08 PM
So I might not need to redirect it after receiving the data if that is an option. But I guess let me better explain the use case. We act as an ISP essentially for some clients. They use traverse our firewalls and out to the internet. 1 FW for Multiple clients So the source device could be 10.1.1.6. But that device is going to have multiple client CIDR ranges. 10.2.0.0/16 = client1 10.3.0.0/16 = client2 10.4.0.0/16 = client3 sample log style Device(sourceHost) source dest 1. 10.1.1.6 client1 to google 2. 10.1.1.6 client2 to bing 3. 10.1.1.6 client3 to amazon Log #1 to index client1 Log #2 to index client2 Log #3 to index client3 Does that make more sense? If they all had separate firewalls this would be very simple, but that is not the case. If I can do this in a more efficient way I am all about doing that. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-16-2021 01:40 AM
Karma from
View All