sorry there was a typo in the above reply  splunk@so2:/opt/splunk$ splunk  shcluster_config  should read splunk@so2:/opt/splunk$ splunk  init shcluster_config ... ... View more

I ran into this also and found that I had a syntax error in the command, once I fixed that it ran. I would say that the error message is misleading at best.  This produced the "Command error: 'init' is not a valid command...." splunk@so2:/opt/splunk$ splunk  shcluster_config  The correct syntax in my case was  this:  splunk@so2:/opt/splunk$ splunk init  shcluster-config.... What changed above was the _ to a - in shcluster-config  My guess is that if any part of the command is not right,  it says "init is not invalid command."    HTH.      ... View more

See KB 65 at  (https://my.phantom.us/kb/65/) There is a specific statement about additional modules “Note for AWS Users: RPM's will look different. For AWS Red Hat images, the repo name for the packages in RedHat's rhel-7-server-optional-rpms will appear as: rhui-REGION-rhel-server-optional These can be enabled in the /etc/yum.repos.d/redhat-rhui.repo file. “ Go into the repo file and set enable to 1 and retry the phantom install.  ... View more

I had the same problem going doing an upgrade from 8.2.4 to 8..5 I went to the directory where the permission error was shown at the end of the Traceback like this     f = open(path, 'w') PermissionError: [Errno 13] Permission denied: '/opt/splunk/etc/system/local/indexes.conf' Some of the files where read only so I did a  chmod 660 * and that fixed it. ... View more

I had events coming from WEF in the required xml format. The Message field was massive and redundant. In the 6.0 version of the Windows there are example sedcmd commands for removing text. I based the one below on one of those. This was put in the TA's local directory and it had the desired effect of reducing the size of these events by ~78 % counting bytes. [XmlWinEventLog] SEDCMD-clean_msg_text_from_winsecurity_events = s/[\S\s\r\n]+$/-<\/Message><\/RenderingInfo>/g I elected to replace all the text with - just in case that would be of use. I kept the Renderinginfo tag so that the Message field would be extracted. Here is a example of the reduction. foobar> ls -ldb Ev* -rw-r--r--@ 1foobar staff 2764 Oct 20 17:25 EventCode4642-Nottrimmed.xml -rw-r--r--@ 1 footer staff 602 Oct 20 17:18 EventCode4642-Trimmed.xml foobar ... View more

Hi Bryan, One way to test connectivity is to use the webhook.site as a test end point. That site will provide a url that you can POST to and see if it gets there. Here is an example using curl. curl -X POST -H 'Content-Type: application/json' --data '{"username":"foo", "password":"bar"}' https://webhook.site/40767741-9583-4cc6-8934-163ffab666ef Nice Job! The URL was generated by the webhook.site which makes it easy to copy and paste as above. I set it up to return the Nice Job! result string. I did nothing else other then that. On the webhook.site you will see the json data displayed along with some connectivity meta-data. If the curl example works, then the same URL will work with an alert. I tested it and conformed it. The json doc sent by the alert looks like this on the webhook site. I just pasted the URL into the form for creating a webhook in the Splunk UI. Here is the result shown at the URL endpoint on the webhook.site. { "owner": "admin", "app": "search", "sid": "rt_scheduler_adminsearchRMD5c915be116e89b766_at_1539791034_150.118", "search_name": "my_alertTest2", "results_link": "http://shd1:8000/app/search/@go?sid=rt_scheduleradminsearchRMD5c915be116e89b766_at_1539791034_150.118", "result": { "date_minute": "13", "timestartpos": "0", "_raw": "2018-10-17 18:13:13 127.0.0.2 22 127.0.0.12 2200 tomg 4624 - \"login success\" - - -", "_serial": "2", "_sourcetype": "mytransform:alerts", "date_zone": "local", "index": "alert_test", "sourcetype": "mytransform:alerts", "date_second": "13", "date_month": "october", "punct": "--::......__-\"\"---", "source": "/var/tmp/alert_sample.log", "host": "ufd1", "_confstr": "source::/var/tmp/alert_sample.log|host::ufd1|mytransform:alerts", "date_hour": "18", "date_wday": "wednesday", "_kv": "1", "_si": [ "idx1", "alert_test" ], "date_mday": "17", "_indextime": "1539799995", "splunk_server": "idx1", "date_year": "2018", "_time": "1539799993", "timeendpos": "20" } } ... View more

Thanks for the above. While I am sure the search would do what you explain, my time_stamping of events during input is still not right. I need a TIME_FORMAT technique that will get the correct date and time from the raw data. I get partial success with these lines in a props.conf file. LINE_BREAKER = ([\r\n]*)(?=Incident\ Number:\s) TIME_PREFIX = Date Of Incident: TIME_FORMAT = %m/%d/Y% %H:%M:%S" Time of Incident: "%H%M TIME_FORMAT = %H%M MAX_TIMESTAMP_LOOKAHEAD=46 The above TIME_FORMAT that is active gives me the correct date but the time part %H:%M:%S is constant. So every event is on the right day but always at the some time. If I use commented out TIME_FORMAT in conjunction with a I get the correct time by the date is not set from the wrong data. Again the raw data looks like this: Incident Number: 150126705 Date Of Incident: 12/02/2015 12:00:00 AM, Time of Incident: 0150 [snip] What I need is the date 12/02/2015 and the ending 0150. Those two will get me the correct timestamp. I think I need a props.conf solution ... View more