Hi @Dawn, I think the combination of syslog and the Splunk UF could do the job. The NAS sends data to syslog, and the Splunk UF "collects" the data from syslog and forwards it to Splunk:

NAS -> syslog-ng <- Splunk UF -> Splunk (Enterprise|Cloud)

1. Install and set up syslog (e.g. syslog-ng) on a server.
2. Install and set up the Splunk UF on a server (this could be the same server as in step 1); the UF should monitor the file(s) which will be created by syslog-ng and forward them to your Splunk instance (Enterprise or Cloud).
3. Configure your NAS to send the data to the syslog-ng server.

Here are some useful links:
https://community.splunk.com/t5/Getting-Data-In/Best-practices-Syslog-ng-to-splunk/m-p/470405
https://www.splunk.com/en_us/blog/tips-and-tricks/using-syslog-ng-with-splunk.html
Hello, I've created a search which contains (...(CallerCountry="CN")). When I take a look at the search log in the job inspector (to get information about my search), I wonder why Splunk changes the original (...(CallerCountry="CN")) to (...(__f!=v OR CallerCountry="CN")). The result of this search is "better" than the result of my original search. Does anybody know what __f!=v means? I couldn't find anything about it in the Splunk documentation. PS: I use Splunk Enterprise 8.0.8. Thanks for your support, Manuel
Hello @andrewtrobec, I've tested HEADER_FIELD_ACCEPTABLE_SPECIAL_CHARACTERS = . and it doesn't work (I think this has something to do with ASCII above 128). But if I use HEADER_FIELD_ACCEPTABLE_SPECIAL_CHARACTERS = ä,Ä,ü,Ü,ö,Ö,ß it works 👍 @arowsell_splunk are there any disadvantages to using this? Regards, Manuel
Hi, while using split I am facing an issue: in my events I sometimes have null values for a field. For example, f1,f2,f3,f4,f5 works perfectly, but the data below with missing values in a few fields is giving issues: f1,f2,,,f5. The split command suggests f5 is f4. Can this be handled? Thanks in advance!!!
Hello @Learner, first you need to set up the monitoring console: https://docs.splunk.com/Documentation/Splunk/8.0.5/DMC/DMCoverview If you have a distributed environment, here's a guide: https://docs.splunk.com/Documentation/Splunk/8.0.5/DMC/Configureindistributedmode The monitoring console is a Splunk Enterprise monitoring tool. It lets you view detailed topology and performance information about your Splunk Enterprise deployment. The search is taken from the monitoring console. You can find the search performance dashboards under "Search->Activity". The macro is defined in the context of the monitoring console. I hope this helps you.
Hello,
as described above, I have tried the INGEST_EVAL command. I forgot to mention that I also created the entry in fields.conf:
[c_ip_hash]
INDEXED=true