Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About nmohammed
nmohammed
Builder
Member since:
03-02-2015
07-10-2025
Community Statistics
| Posts | 156 |
| Solutions | 10 |
| Karma Given | 6 |
| Karma Received | 27 |
| Member Since | 03-02-2015 |
Activity Feed
- Posted Re: Split JSON array into individual events on HF on Getting Data In. 05-09-2025 12:16 PM
- Posted Re: Split JSON array into individual events on HF on Getting Data In. 05-08-2025 06:07 PM
- Posted Re: Split JSON array into individual events on HF on Getting Data In. 05-07-2025 11:28 AM
- Posted Re: Split JSON array into individual events on HF on Getting Data In. 05-06-2025 02:23 PM
- Posted Split JSON array into individual events on HF on Getting Data In. 05-01-2025 02:48 PM
- Posted Re: timestamp assignment not working ELB logs Splunk Add-on for AWS on Getting Data In. 01-27-2025 11:42 AM
- Posted Re: timestamp assignment not working ELB logs Splunk Add-on for AWS on Getting Data In. 01-24-2025 10:26 AM
- Posted timestamp assignment not working ELB logs Splunk Add-on for AWS on Getting Data In. 01-23-2025 02:32 PM
- Posted Re: Easy question.. how do I get just the HTTP response from this log? on Security. 08-21-2024 01:59 PM
- Posted Re: Json logs not parsing properly. on Dashboards & Visualizations. 08-21-2024 01:46 PM
- Posted Re: Updating Windows UF to 9.2.0.1 via SCCM - 1603 errors on Installation. 08-21-2024 12:29 PM
- Posted Re: Universal Forwarder not sending Directory Service and other logs. on Getting Data In. 08-21-2024 12:18 PM
- Posted Re: Change Index for some of the logs coming from HEC on Splunk Search. 08-19-2024 02:05 PM
- Posted Re: What is this Splunk dashboard javascript error? on Dashboards & Visualizations. 08-19-2024 01:20 PM
- Posted Re: Palo Alto custom JavaScript error caused an issue loading your dashboard. on All Apps and Add-ons. 08-19-2024 01:15 PM
- Got Karma for Re: Why does Splunk fails to start with error message "The certificate generation script did not generate the expected certificate file"?. 11-10-2023 03:26 AM
- Posted Re: How to replicate CSV(lookup) from heavy forwarder to Search Head/Indexer? on Getting Data In. 03-01-2023 05:38 PM
- Got Karma for Re: Why am unable to uninstall Splunk universal forwarder?. 01-25-2023 02:33 PM
- Got Karma for Re: extract all "cause by". 01-08-2022 10:51 PM
- Got Karma for Re: How to display limited results from a field. 11-04-2021 12:39 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-09-2025
12:16 PM
There are a lot of events and there being sent in chunks to save on the lambda processing cost.
... View more
05-08-2025
06:07 PM
Yes, I realized that . The data is processed by Lambda to extract only relevant information and then sent over HEC. We did try with /raw and it instead sent log encapsulated in an root event field like the below screenshot (masked some fields)- I tried the following based on suggestion - [source::http:lblogs]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n\s]+){
SEDCMD-remove-extras = [\s\n\r]*\][\s\n\r\]*}
NO_BINARY_CHECK = true
TIME_PREFIX = \"timestamp\":\s+\"
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 100
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N
TRUNCATE = 1000000
... View more
05-07-2025
11:28 AM
Thanks. I will try to update the HEC URL to /raw instead and test with the new line breaker configuration.
... View more
05-06-2025
02:23 PM
HI @PickleRick we're using /event in the HEC endpoint ; but even with that some of the events are getting transformed (splitting as shared in screenshots earlier).
... View more
05-01-2025
02:48 PM
We've logs coming to HEC as nested JSON in chunks; We're trying to break them down into individual events at the HEC level before indexing them in Splunk. I had some success to remove the header/footer with props.conf and breaking the events, but it doesn't work completely. Most of the logs are not broken into individual events. Sample events - {
"logs": [
{
"type": "https",
"timestamp": "2025-03-17T23:55:54.626915Z",
"elb": "someELB",
"client_ip": "10.xx.xx.xx",
"client_port": 123456,
"target_ip": "10.xx.xx.xx",
"target_port": 123456,
"request_processing_time": 0,
"target_processing_time": 0.003,
"response_processing_time": 0,
"elb_status_code": 200,
"target_status_code": 200,
"received_bytes": 69,
"sent_bytes": 3222,
"request": "GET https://xyz.com",
"user_agent": "-",
"ssl_cipher": "ECDHE-RSA-AE",
"ssl_protocol": "TLSv1.2",
"target_group_arn": "arn:aws:elasticloadbalancing:us-west-2:XXXXX:targetgroup/XXXXX",
"trace_id": "Root=XXXX"
},
{
"type": "https",
"timestamp": "2025-03-17T23:56:00.285547Z",
"elb": "someELB",
"client_ip": "10.xx.xx.xx",
"client_port": 123456,
"target_ip": "10.xx.xx.xx",
"target_port": 123456,
"request_processing_time": 0,
"target_processing_time": 0.003,
"response_processing_time": 0,
"elb_status_code": 200,
"target_status_code": 200,
"received_bytes": 69,
"sent_bytes": 3222,
"request": "GET https://xyz.com",
"user_agent": "-",
"ssl_cipher": "ECDHE-RSA-AE",
"ssl_protocol": "TLSv1.2",
"target_group_arn": "arn:aws:elasticloadbalancing:us-west-2:XXXXX:targetgroup/XXXXX",
"trace_id": "Root=XXXX"
},
{
"type": "https",
"timestamp": "2025-03-17T23:57:39.574741Z",
"elb": "someELB",
"client_ip": "10.xx.xx.xx",
"client_port": 123456,
"target_ip": "10.xx.xx.xx",
"target_port": 123456,
"request_processing_time": 0,
"target_processing_time": 0.003,
"response_processing_time": 0,
"elb_status_code": 200,
"target_status_code": 200,
"received_bytes": 69,
"sent_bytes": 3222,
"request": "GET https://xyz.com",
"user_agent": "-",
"ssl_cipher": "ECDHE-RSA-AE",
"ssl_protocol": "TLSv1.2",
"target_group_arn": "arn:aws:elasticloadbalancing:us-west-2:XXXXX:targetgroup/XXXXX",
"trace_id": "XXXX"
}
]
} I am trying to get {
"type": "https",
"timestamp": "2025-03-17T23:55:54.626915Z",
"elb": "someELB",
"client_ip": "10.xx.xx.xx",
"client_port": 123456,
"target_ip": "10.xx.xx.xx",
"target_port": 123456,
"request_processing_time": 0,
"target_processing_time": 0.003,
"response_processing_time": 0,
"elb_status_code": 200,
"target_status_code": 200,
"received_bytes": 69,
"sent_bytes": 3222,
"request": "GET https://xyz.com",
"user_agent": "-",
"ssl_cipher": "ECDHE-RSA-AE",
"ssl_protocol": "TLSv1.2",
"target_group_arn": "arn:aws:elasticloadbalancing:us-west-2:XXXXX:targetgroup/XXXXX",
"trace_id": "Root=XXXX"
}
{
"type": "https",
"timestamp": "2025-03-17T23:56:00.285547Z",
"elb": "someELB",
"client_ip": "10.xx.xx.xx",
"client_port": 123456,
"target_ip": "10.xx.xx.xx",
"target_port": 123456,
"request_processing_time": 0,
"target_processing_time": 0.003,
"response_processing_time": 0,
"elb_status_code": 200,
"target_status_code": 200,
"received_bytes": 69,
"sent_bytes": 3222,
"request": "GET https://xyz.com",
"user_agent": "-",
"ssl_cipher": "ECDHE-RSA-AE",
"ssl_protocol": "TLSv1.2",
"target_group_arn": "arn:aws:elasticloadbalancing:us-west-2:XXXXX:targetgroup/XXXXX",
"trace_id": "Root=XXXX"
}
{
"type": "https",
"timestamp": "2025-03-17T23:57:39.574741Z",
"elb": "someELB",
"client_ip": "10.xx.xx.xx",
"client_port": 123456,
"target_ip": "10.xx.xx.xx",
"target_port": 123456,
"request_processing_time": 0,
"target_processing_time": 0.003,
"response_processing_time": 0,
"elb_status_code": 200,
"target_status_code": 200,
"received_bytes": 69,
"sent_bytes": 3222,
"request": "GET https://xyz.com",
"user_agent": "-",
"ssl_cipher": "ECDHE-RSA-AE",
"ssl_protocol": "TLSv1.2",
"target_group_arn": "arn:aws:elasticloadbalancing:us-west-2:XXXXX:targetgroup/XXXXX",
"trace_id": "XXXX"
} props.conf [source::http:lblogs]
SHOULD_LINEMERGE = false
SEDCMD-remove_prefix = s/^\{\s*\"logs\"\:\s+\[//g
SEDCMD-remove_suffix = s/\]\}$//g
LINE_BREAKER = \}(,\s+)\{
NO_BINARY_CHECK = true
TIME_PREFIX = \"timestamp\":\s+\"
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 100
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N
TRUNCATE = 1000000 Current Result in Splunk are below in the attached screenshot. The header ({ logs [) and footer are removed from events, but then split (line break) maybe just working for one event in the chunk and others are ignored.
... View more
Labels
- Labels:
-
JSON
-
props.conf
01-27-2025
11:42 AM
on HEC - I tried the following by moving the TIME definitions under the source (for all 3 sources) in props.conf and removed them from sourcetype. Restarted Splunk, but still did not work. [source::http:aws-lblogs]
EXTRACT-elb = ^\s*(?P<type>\S+)(\s+(?P<timestamp>\S+))(\s+(?P<elb>\S+))(\s+(?P<client_ip>[\d.]+):(?P<client_port>\d+))(\s+(?P<target>\S+))(\s+(?P<request_processing_time>\S+))(\s+(?P<target_processing_time>\S+))(\s+(?P<response_processing_time>\S+))(\s+(?P<elb_status_code>\S+))(\s+(?P<target_status_code>\S+))(\s+(?P<received_bytes>\d+))(\s+(?P<sent_bytes>\d+))(\s+"(?P<request>[^"]+)")(\s+"(?P<user_agent>[^"]+)")(\s+(?P<ssl_cipher>\S+))(\s+(?P<ssl_protocol>\S+))(\s+(?P<target_group_arn>\S+))(\s+"(?P<trace_id>[^"]+)")(\s+"(?P<domain_name>[^"]+)")?(\s+"(?P<chosen_cert_arn>[^"]+)")?(\s+(?P<matched_rule_priority>\S+))?(\s+(?P<request_creation_time>\S+))?(\s+"(?P<actions_executed>[^"]+)")?(\s+"(?P<redirect_url>[^"]+)")?(\s+"(?P<error_reason>[^"]+)")?
EVAL-rtt = request_processing_time + target_processing_time + response_processing_time
priority = 1
SHOULD_LINEMERGE = false
TIME_PREFIX = ^.*?(?=20\d\d-\d\d)
TIME_FORMAT =
MAX_TIMESTAMP_LOOKAHEAD = 28
[aws:elb:accesslogs]
... View more
01-24-2025
10:26 AM
Thanks @isoutamo , As I understand ; Since these definitions are used only at search time , then I only need the add-on installed on the search Head. On the HEC I will put the props.conf with the TIME PREFIX related regex , so time will be extracted from the incoming logs and sent to the indexers.
... View more
01-23-2025
02:32 PM
We're sending AWS ELB Access logs (Classic ELB, NLB and ALB) using Lambda to HEC. I have installed the Splunk add-on for AWS on SH and HEC . The add-on has regexes to parse the access logs and all the fields extractions from REGEX for access logs seems to be working fine. However, we're having issues with the timestamp of the event, which is also extracted as "timestamp" field and the _time is getting assigned as ingestion time instead of actual time from the event. I tried to add timestamp PREFIX in the props.conf in Splunk_TA_AWS for the aws:elb:access logs sourcetype, however, it doesn't work. Sample events - NLB - tls 2.0 2025-01-15T23:59:54 net/loadbalancerName/guid 10.xxx.xxx.1:32582 10.xxx.x.xx:443 1140251 85 3546 571 - arn:aws:acm:us-west-2:026921344628:certificate/guid - ECDHE-RSA-XXXX-GCMXXX tlsv12 - example.io - - - 2025-01-15T23:40:54 ALB - https 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 10.0.0.1:80 0.086 0.048 0.037 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337281-1d84f3d73c47ec4e58577259" "www.example.com" "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2018-07-02T22:22:48.364000Z "authenticate,forward" "-" "-" "10.0.0.1:80" "200" "-" "-" TID_123456 ELB - 2018-12-31T00:08:01.715269Z loadbalancerName 187.xx.xx.xx:48364 - -1 -1 -1 503 0 0 0 "GET http://52.x.xxx.xxx:80/ HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" - - props.conf ## Classic Load Balancer ##
[source::http:lblogs]
EXTRACT-elb = ^\s*(?P<timestamp>\S+)(\s+(?P<elb>\S+))(\s+(?P<client_ip>[\d.]+):(?P<client_port>\d+))(\s+(?P<backend>\S+))(\s+(?P<request_processing_time>\S+))(\s+(?P<backend_processing_time>\S+))(\s+(?P<response_processing_time>\S+))(\s+(?P<elb_status_code>\S+))(\s+(?P<backend_status_code>\S+))(\s+(?P<received_bytes>\d+))(\s+(?P<sent_bytes>\d+))(\s+"(?P<request>[^"]+)")(\s+"(?P<user_agent>[^"]+)")(\s+(?P<ssl_cipher>\S+))(\s+(?P<ssl_protocol>\S+))
EVAL-rtt = request_processing_time + backend_processing_time + response_processing_time
sourcetype = aws:elb:accesslogs
## Application Load Balancer ##
[source::http:aws-lblogs]
EXTRACT-elb = ^\s*(?P<type>\S+)(\s+(?P<timestamp>\S+))(\s+(?P<elb>\S+))(\s+(?P<client_ip>[\d.]+):(?P<client_port>\d+))(\s+(?P<target>\S+))(\s+(?P<request_processing_time>\S+))(\s+(?P<target_processing_time>\S+))(\s+(?P<response_processing_time>\S+))(\s+(?P<elb_status_code>\S+))(\s+(?P<target_status_code>\S+))(\s+(?P<received_bytes>\d+))(\s+(?P<sent_bytes>\d+))(\s+"(?P<request>[^"]+)")(\s+"(?P<user_agent>[^"]+)")(\s+(?P<ssl_cipher>\S+))(\s+(?P<ssl_protocol>\S+))(\s+(?P<target_group_arn>\S+))(\s+"(?P<trace_id>[^"]+)")(\s+"(?P<domain_name>[^"]+)")?(\s+"(?P<chosen_cert_arn>[^"]+)")?(\s+(?P<matched_rule_priority>\S+))?(\s+(?P<request_creation_time>\S+))?(\s+"(?P<actions_executed>[^"]+)")?(\s+"(?P<redirect_url>[^"]+)")?(\s+"(?P<error_reason>[^"]+)")?
EVAL-rtt = request_processing_time + target_processing_time + response_processing_time
priority = 1
sourcetype = aws:elb:accesslogs
## Network Load Balancer ##
[source::http:lblogs]
EXTRACT-elb-nlb = ^\s*(?P<type>\S+)(\s+(?P<log_version>\S+))(\s+(?P<timestamp>\S+))(\s+(?P<elb>\S+))(\s+(?P<listener>\S+))(\s+(?P<client_ip>[\d.]+):(?P<client_port>\d+))(\s+(?P<destination_ip>[\d.]+):(?P<destination_port>\d+))(\s+(?P<connection_time>\S+))(\s+(?P<tls_handshake_time>\S+))(\s+(?P<received_bytes>\d+))(\s+(?P<sent_bytes>\d+))(\s+(?P<incoming_tls_alert>\S+))(\s+(?P<chosen_cert_arn>\S+))(\s+(?P<chosen_cert_serial>\S+))(\s+(?P<tls_cipher>\S+))(\s+(?P<tls_protocol_version>\S+))(\s+(?P<tls_named_group>\S+))(\s+(?P<domain_name>\S+))(\s+(?P<alpn_fe_protocol>\S+))(\s+(?P<alpn_be_protocol>\S+))(\s+(?P<alpn_client_preference_list>\S+))
sourcetype = aws:elb:accesslogs
[aws:elb:accesslogs]
TIME_PREFIX = ^.*?(?=20\d\d-\d\d)
TIME_FORMAT =
MAX_TIME_LOOKAHEAD
... View more
Labels
- Labels:
-
props.conf
08-21-2024
01:46 PM
Try adding a limits.conf with the following [kv]
maxchars = 40000
... View more
08-21-2024
12:29 PM
What does you msiexec command look like that you're using to install the Splunk UF ?
... View more
08-21-2024
12:18 PM
Do you have any other app or add-on configured with the inputs. Run the following to see all inputs that may be present on your forwarder $SPLUNK_HOME$/bin/splunk btool inputs list --debug
... View more
08-19-2024
02:05 PM
Try this : [hecpaloalto_in]
INGEST_EVAL = index=if(match(sourcetype, "pan:logs"), "palo_alto", "aws")
... View more
08-19-2024
01:20 PM
@marcoscala were you able to fix the Palo Alto Splunk app throwing JS errors ?
... View more
08-19-2024
01:15 PM
@shawno were you able to fix the error ?
... View more
03-01-2023
05:38 PM
@mbachhav - did you get this done ? I am running into similar challenge and thinking best way of getting this from HF to SHC/Indexer
... View more
10-28-2021
04:50 PM
Try this - "Account\sName:\s(?P<account_name>.+)\sAccount Domain"
... View more
10-26-2021
04:47 PM
1 Karma
index=star env=prod |
chart count(eval(time <100)) AS "<100ms", count(eval(time >100 AND time <200)) AS "<200ms", count(eval(time >200 AND time <300)) AS "<300ms"
| stats count by time try that query and select pie chart under visualizations.
... View more
10-26-2021
04:37 PM
1 Karma
Can you share the exception with multiple Caused by : ? meanwhile, you can try this - base search
| rex field=_raw "Caused by:\s*(?P<exception_cause>.*)"
... View more
10-26-2021
02:03 PM
@Sharzi try this to return records where DB is NOT "unknown" base_search [ inputlookup myLookup | fields TenantName, tenantId | where tenantId!="Unknown" AND TenantName=TenantName] | lookup myLookup tenantId TenantName output TenantName, tenantId, Region, DB |
| table _time TenantName tenantId Region Status DB updated reply to correct spellings and missing fields
... View more
10-21-2021
01:47 PM
@gitingua can you share your search query that you're trying for this result ?
... View more
10-21-2021
01:14 PM
1 Karma
you could probably do the lookups at the end of the tstats search & all transforms | tstats ...
| search [| inputlookup field1 lookup1.csv | ... ] | search [| inputlookup lookup2.csv | ... ]
... View more
10-21-2021
12:54 PM
@Susha Is your forwarder sending disk space data and are you able to see any data in index=os ? breakdown the search query into individual parts and check index=os sourcetype=df host=de1secsplfwd002.dc-r.security.vodafone.com index=os sourcetype=df host=de1secsplfwd002.dc-r.security.vodafone.com
| strcat host '@' Filesystem Host_FileSystem
... View more
10-21-2021
12:47 PM
@pavanae can you share your search query ? But you should be able to search the host like following - | inputlookup answers-571895.csv
| where Host="*"
... View more
10-21-2021
12:37 PM
1 Karma
It should work, I tried it out with csv file you shared. It can either be permissions (but you're able to see contents of lookup using inputlookup). Check the fieldnames (case-sensitive) & also spell-check Try another way (replace with your filename) - | inputlookup answers-571716.csv
| where failcode="g-ab" OR failcode="c-cd" OR failcode="d-dd"
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-10-2025
11:23 AM
|
Karma from
