Activity Feed
- Got Karma for Re: Problem parsing indexes.conf: Cannot load IndexConfig: .... 08-03-2022 04:21 AM
- Got Karma for Re: Why does a transforms report stanza have issues with source key?. 06-05-2020 12:49 AM
- Got Karma for Re: Search for events from ip addresses in the file. 06-05-2020 12:48 AM
- Got Karma for How to remove default app for admin user?. 06-05-2020 12:47 AM
- Got Karma for Can multiple instances of the Splunk App for Enterprise Security point to same indexer cluster?. 06-05-2020 12:47 AM
- Karma Re: How to Reset the Admin password? for matt. 06-05-2020 12:45 AM
- Posted Re: What's the next step to setup my universal forwarder on a syslog server? on Getting Data In. 08-17-2017 06:35 PM
- Posted Re: Cluster Deployer applying bundle caching credentials too long - credentials seem to be cached indefinitely on Security. 08-17-2017 06:28 PM
- Posted Re: Is there any data transfer rates between search head and indexers? on Deployment Architecture. 08-04-2017 02:03 PM
- Posted Re: Regex challenge: How can I blacklist all 4662 events unless they are related to group policy or DNS? on Splunk Search. 08-03-2017 07:40 PM
- Posted Re: Data not showing up on Search Head - Distributed environment on All Apps and Add-ons. 08-03-2017 07:16 PM
- Posted Re: Data not showing up on Search Head - Distributed environment on All Apps and Add-ons. 08-03-2017 07:11 PM
- Posted Re: Data not showing up on Search Head - Distributed environment on All Apps and Add-ons. 08-03-2017 02:46 PM
- Posted Re: Replication Factor Best Practice? on Knowledge Management. 08-03-2017 02:40 PM
- Posted Re: Exclude some events from being indexed on Splunk Enterprise. 08-03-2017 07:21 AM
- Posted Re: Exclude some events from being indexed on Splunk Enterprise. 08-03-2017 06:34 AM
- Posted Re: Checkpoint OPSEC LEA 4.1 manual log input and multiple HF's on Getting Data In. 08-03-2017 06:26 AM
- Posted Re: "Universal Forwarder" How to send on Splunk Enterprise. 08-02-2017 08:49 PM
- Posted Re: New cisco security suite install - 500 internal server error on Splunk Enterprise Security. 08-02-2017 07:35 PM
- Posted Re: Master node shows up as Search head on Splunk Enterprise. 08-02-2017 07:05 PM
08-17-2017
06:35 PM
Hi jgorman_THG,
It would be good practice to collect these syslogs and write them into directories that are accessible by the splunk user. syslog-ng has a lot of features that let you collect/filter the messages and write them into the appropriate directories you want. This process makes it easier to configure the inputs on the UF and to parse the logs for metadata like the host field.
08-17-2017
06:28 PM
Hi Pkeller,
When you run any of those admin commands, if you entered the admin credentials earlier while performing other commands on that VM/server, it tries to use the same credentials for the following commands. For example, if you have the Deployment Server/Deployer on the same VM/server, you ran reload deploy-server and entered the credentials, and then ran apply shcluster-bundle followed by reload, it doesn't ask you for the credentials. Maybe this is what is happening.
08-04-2017
02:03 PM
sarwshai, can you elaborate on your question? Are you experiencing any issues with the search results, or with the rates you are expecting? Is it slow?
08-03-2017
07:40 PM
dw385,
So are you saying this example regex in your inputs.conf is working or not working for what you are trying to achieve? Can you clarify your question?
08-03-2017
07:16 PM
And if you have default access to any indexes, those are the ones that show up in the data summary when you log in. Hope that explains the last bit of your question.
08-03-2017
07:11 PM
Check your access control settings (Settings -> Access controls). Depending on how your groups/roles are configured and which group your user falls under, see what role the group/user is mapped to. Once that is figured out, check that role's settings to see whether it has access to that index, and then whether it has default access to that index. These two are different settings for a role.
If you have access to the index but not default access, then you still have to use index=xxx; if the user/group/role has default access to that index, then you don't have to explicitly say index=xxx. But to gain performance it's always better to use specific indexes in the search rather than just searching for "some strings".
08-03-2017
02:46 PM
Check if you can see any other logs on the search head. Can you search the internal logs? index=_internal - this will confirm that connectivity is working between the search head and the indexers.
If the above works, then it may be that you don't have access to the particular index with the security logs. Check permissions/access controls.
Are you doing the search with index=xxx? Sometimes you may not have default access to that index, so you have to specify it explicitly.
Are you searching the right index? For a quick check, index=* might help.
08-03-2017
02:40 PM
Hi nbayko,
Setting the replication factor depends on many factors. Is yours a multi-site cluster, or are you running it as a single-site cluster? How many sites are involved in the cluster? What are your high-availability requirements? A replication_factor=3 with 2 sites (origin:2, total:3) seems to work fine in many cases as it provides site-level HA, but this is just an example. Increasing the replication factor also comes with the cost of storage, so you need to check and validate your requirements against the settings you have. For a detailed analysis of multi-site clusters and how the replication_factor setting comes into action, you can refer to the link below.
http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/Sitereplicationfactor
08-03-2017
07:21 AM
pil321,
Anything with .* may match a lot more than you think. To be precise, if you just want to match an IP address field, I wouldn't use .*
I just did a quick test, and the regex below should solve yours, if all you are looking to do is drop the events that match the IP 192\.168\.1\.1:
[null_1]
REGEX = ,192\.168\.1\.1,
DEST_KEY = queue
FORMAT = nullQueue
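Added example, not code from the thread: a small Python check of how the two REGEX values discussed in the two answers above behave when applied to constructed comma-separated events. The thread never shows the real log format, so the sample lines, the field layout and the function names below are assumptions. Splunk evaluates transforms.conf REGEX with PCRE, but for a literal IP pattern Python's re module gives the same answer. The check shows why the undelimited pattern also drops 192.168.1.10 and 192.168.1.100 (and any event that merely mentions the address in another field), while the comma-delimited pattern only matches the address in its own field. Keep in mind that a [null_1] stanza in transforms.conf does nothing on its own; props.conf has to reference it with TRANSFORMS-null = null_1 under the relevant sourcetype or source stanza.

```python
import re

# Constructed sample events in an assumed "timestamp,client_ip,method,uri,status"
# layout; the original thread does not show the real format.
SAMPLE_EVENTS = [
    "2017-08-03 07:21:00,192.168.1.1,GET,/index.html,200",      # the IP to drop
    "2017-08-03 07:21:01,192.168.1.10,GET,/login,200",          # different host
    "2017-08-03 07:21:02,192.168.1.100,POST,/api,500",          # different host
    "2017-08-03 07:21:03,10.0.0.5,GET,/,200",                   # unrelated
    "2017-08-03 07:21:04,10.0.0.5,GET,/?next=192.168.1.1,302",  # IP only in the URI
]

# The two candidate REGEX values from the thread. Splunk applies REGEX to the
# whole event (_raw is the default SOURCE_KEY) with search semantics: a match
# anywhere in the event routes it to nullQueue.
LOOSE_REGEX = r"192\.168\.1\.1"     # no delimiters: prefix-matches longer addresses
STRICT_REGEX = r",192\.168\.1\.1,"  # bounded by the field separators


def dropped_by_null_queue(events, regex):
    """Return the events that a transforms.conf stanza with this REGEX and
    DEST_KEY = queue / FORMAT = nullQueue would discard before indexing.
    Only effective once props.conf wires the stanza in, e.g.
        [my_sourcetype]
        TRANSFORMS-null = null_1
    """
    pattern = re.compile(regex)
    return [event for event in events if pattern.search(event)]


def kept_after_null_queue(events, regex):
    """Return the events that survive the filter and would be indexed."""
    pattern = re.compile(regex)
    return [event for event in events if not pattern.search(event)]


if __name__ == "__main__":
    for label, regex in (("loose", LOOSE_REGEX), ("strict", STRICT_REGEX)):
        print(f"{label} REGEX = {regex}")
        for event in dropped_by_null_queue(SAMPLE_EVENTS, regex):
            print("  dropped:", event)
```

Running it shows the loose pattern discarding four of the five constructed events, including the 10.0.0.5 request whose URI happens to contain the address, while the strict pattern discards only the event whose client_ip field is 192.168.1.1. If the address can appear at the very start or end of an event, the delimiters need adjusting (for example (^|,) and (,|$)), since a leading comma is not present there.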
08-03-2017
06:34 AM
I didn't test it myself, but on a quick look you missed a "\" before one of the dots. Maybe you can try this one. I added "," as well to make sure it is matching at the right place.
[null_1]
REGEX = ,192\.168\.1\.1,
DEST_KEY = queue
FORMAT = nullQueue
08-03-2017
06:26 AM
Hi mmoermans,
Since you mentioned you are using version 4.1 of OPSEC: when you notice the outage time, if you log in to the Splunk UI and go to the input configuration in the Checkpoint add-on, you will see "StartTime". You can change that to the start time from which you want to pull the logs. (It can only go back to the beginning of the fw.log on the Checkpoint side; if the file has already rolled off on that side, you wouldn't be able to get those logs.)
You can have a standby heavy forwarder with the same configuration (connections, certs, inputs etc.) as the active forwarder. In the case of an outage, you bring it online, configure the startTime on the standby and start the forwarder. Basically you just need to configure the standby similar to the active one, and only run it when needed.
08-02-2017
08:49 PM
Hi oda,
The link below might help you understand how the data is sent from the forwarder to the indexer. The forwarder basically sends in approximately 64KB blocks. There are a few settings in outputs.conf/props.conf that might help you understand how the flow works between forwarder and indexer, depending on the version of Splunk you are running.
Explore these options: outputs.conf
forceTimebasedAutoLB
autoLBFrequency
Props.conf (in the latest versions of Splunk)
EVENT_BREAKER_ENABLE and
EVENT_BREAKER
.conf.spec files should give you enough description of the settings.
https://docs.splunk.com/Documentation/Forwarder/6.6.2/Forwarder/Protectagainstthelossofin-flightdata
08-02-2017
07:35 PM
I don't think it is a recommended practice to install the Cisco Security Suite app on the search head where you have ES (Enterprise Security). You should have ES running on its own, and no other apps should be interfering on that system.
Try installing it on a different search head, and if you still get the error from the GUI upload, you can un-tar it via SSH into etc/apps and restart the SH if that is a possibility.
08-02-2017
07:05 PM
Are you sure of the configuration on this cluster where you don't see the Cluster Master as a search head?
Do you see the cluster enabled when you log in to the Cluster Master GUI? Is the master configured with the correct mode? Your hostnames overlap between the first and second cluster; hopefully you have the right names in the configurations.
08-02-2017
03:15 PM
dif2175509,
When you configure the indexer cluster, the cluster master will show up as one of the search heads. This is default behavior. In this case you can use the master node for troubleshooting purposes, and not really for production searches.
08-02-2017
01:08 PM
Yes, Splunk applies different precedence to configuration files in the global context vs. the app/user context. The link below should explain it in detail. authorize.conf is a system configuration file and not in a user/app context.
http://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Wheretofindtheconfigurationfiles
Precedence order within global context:
When the context is global (that is, where there's no app/user context), directory priority descends in this order:
System local directory -- highest priority
App local directories
App default directories
System default directory -- lowest priority
08-02-2017
12:48 PM
Yes. In order to use a field as the SOURCE_KEY in the REPORT/transforms, you either get it through EXTRACT or REPORT, and make sure the stanza that extracts the SOURCE_KEY field is evaluated before the stanza where you want to use it.
08-02-2017
11:26 AM
1 Karma
Yes, all the field extractions for the splunkd sourcetype are through KV_MODE, since this is auto by default. So I am not surprised it did not work as the SOURCE_KEY, as the field extractions also have a precedence in their operations.
REPORT goes first, before KV_MODE, so the channel field won't be available for your REPORT in transforms.conf.
For more understanding of the precedence, the thread below might help:
https://answers.splunk.com/answers/475935/for-a-field-user-which-has-precedence-an-eval-defi.html
08-02-2017
10:24 AM
Configs under system/local always get precedence over the apps' local directories.
In regards to authorize.conf, since these are clustered search heads and you use the deployer, it would be better to put it under apps to avoid confusion.
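Added example, not from either answer above and not Splunk's own code: a Python sketch of the global-context precedence described in the 01:08 PM answer (the four-layer order) and the 10:24 AM answer (system/local beating the apps), applied to constructed authorize.conf fragments. The file paths, the role name and the settings used are assumptions made for illustration. The merge is key by key, so a higher layer only overrides the keys it actually sets and everything else falls through from below; the ordering among several apps, which Splunk resolves by app name, is deliberately left out. On a real instance, splunk btool authorize list --debug prints the same effective result together with the file each setting came from.

```python
import configparser

# Constructed authorize.conf fragments at the four global-context layers.
# Role and setting names are illustrative assumptions, not a real deployment.
LAYERS = {
    # lowest priority
    "etc/system/default/authorize.conf": """
[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main
srchJobsQuota = 3
""",
    "etc/apps/my_app/default/authorize.conf": """
[role_user]
srchIndexesAllowed = main;web
srchJobsQuota = 5
""",
    "etc/apps/my_app/local/authorize.conf": """
[role_user]
srchIndexesAllowed = main;web;security
""",
    # highest priority
    "etc/system/local/authorize.conf": """
[role_user]
srchJobsQuota = 10
""",
}


def layer_rank(path):
    """Global-context precedence from the Splunk docs, lowest to highest:
    system/default < app default < app local < system/local.
    Precedence among multiple apps (resolved by app name) is not modelled."""
    if path.startswith("etc/system/default/"):
        return 0
    if path.startswith("etc/apps/") and "/default/" in path:
        return 1
    if path.startswith("etc/apps/") and "/local/" in path:
        return 2
    if path.startswith("etc/system/local/"):
        return 3
    raise ValueError(f"not a global-context layer: {path}")


def effective_config(layers):
    """Merge the stanzas layer by layer, lowest priority first, so that each
    higher layer overrides only the keys it sets (what btool --debug shows)."""
    merged = {}
    for path in sorted(layers, key=layer_rank):
        parser = configparser.ConfigParser(interpolation=None)
        parser.optionxform = str  # keep Splunk's camelCase setting names
        parser.read_string(layers[path])
        for stanza in parser.sections():
            merged.setdefault(stanza, {}).update(parser[stanza])
    return merged


if __name__ == "__main__":
    for stanza, settings in effective_config(LAYERS).items():
        print(f"[{stanza}]")
        for key, value in settings.items():
            print(f"{key} = {value}")
```

With these fragments the effective [role_user] stanza ends up with srchJobsQuota = 10 from system/local, srchIndexesAllowed = main;web;security from the app's local directory, and srchIndexesDefault = main falling all the way through from system/default, which is exactly the sort of mixed result that makes the original poster's confusion understandable and why keeping the setting in one place (the deployer-pushed app, as the second answer suggests) is easier to reason about.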
08-02-2017
10:13 AM
1 Karma
You have used the path for the main (default) index for the LAPD index.
It should be like this:
[LAPD]
homePath = volume:primary/LAPD/db
coldPath = volume:primary/LAPD/colddb
thawedPath = $SPLUNK_DB/LAPD/thaweddb
08-02-2017
10:09 AM
If you are using the Monitoring Console, that would be a good starting point. It has visibility into indexer clustering activities. The link below might get you started; these are all dashboards/searches, so maybe you can set up alerts on them. Also, on the cluster master, Settings -> Indexer clustering might give you some insights too.
https://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/Viewindexerclusteringstatus
08-02-2017
09:56 AM
How is the channel field getting extracted? Using another transform? KV_MODE? I did notice before that it doesn't do much if it comes from KV_MODE.
Can you paste the sample transforms where you are using SOURCE_KEY, and also how the channel field is getting extracted in this case?
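Added example, not configuration from the thread or from Splunk's own apps: a props.conf/transforms.conf pair illustrating the ordering rule stated in the 12:48 PM and 11:26 AM answers and asked about in the 09:56 AM post above. The stanza names, the regexes and the assumed shape of the log line are constructed for illustration and are not the real splunkd sourcetype definition. The point is that a field that only exists because of KV_MODE is not available as a SOURCE_KEY, because REPORT transforms run before automatic key-value extraction; the field has to be produced by an EXTRACT or an earlier REPORT transform, and the transform that uses it has to come later in the list.

```ini
# props.conf (sourcetype name assumed; the real splunkd stanza is not shown in the thread)
[splunkd]
# Transforms in a REPORT list are applied in the order written, so the one
# that extracts "channel" is listed before the one that consumes it.
# Relying on KV_MODE = auto for "channel" would not work here: KV_MODE runs
# after REPORT, so the field does not yet exist when the transforms execute.
REPORT-channel = extract_channel, split_channel

# transforms.conf
[extract_channel]
# Runs against _raw (the default SOURCE_KEY). Assumed line shape:
#   08-02-2017 10:24:10.123 -0400 INFO  TcpOutputProc - Connected to idx=...
REGEX = \s(?:DEBUG|INFO|WARN|ERROR)\s+(\S+)\s-\s
FORMAT = channel::$1

[split_channel]
# Uses the field produced by the transform above; this is only valid because
# extract_channel is listed first in the same REPORT in props.conf.
SOURCE_KEY = channel
REGEX = ^([A-Z][a-z]+)
FORMAT = channel_prefix::$1
```

A quick way to confirm the ordering on a test instance is to temporarily comment out extract_channel from the REPORT list: split_channel will then silently produce nothing, which is the symptom the original poster was seeing.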
07-27-2017
09:29 AM
rangineniarunkumar,
Are you troubleshooting the migrated data on the new instance, or the new data flowing into the new instance?
I would go through the old instance and see what settings it is running:
splunkdata
system/local
etc/apps
etc/deployment-apps (if it is all one single system that does everything?)
If this instance's configuration is managed from a deployment server, then you can point the new instance to the deployment server and that will take care of some of the configuration.
If this is also a search head, then check all your dashboards etc. to see if there are any hard-coded URLs with your old hostname.
07-27-2017
09:17 AM
fer_tlaloc,
Check if you somehow enabled "DEBUG". You can check "index=_internal DEBUG"; if you spot these, maybe you are running in DEBUG. Logs grow faster when they are in debug, and it is not recommended to enable it in prod unless you are troubleshooting something for a short period.
Next, check your retention settings in indexes.conf; every customer would like different retention policies for the internal logs. Internal logs have a default retention of 30 days, unless you changed it. If you do find they have longer retention, reduce it to a time that works better for you and restart Splunk, so they will be archived (if you have the frozen settings) or deleted.
Also check out other answers on the internal logs:
https://answers.splunk.com/answers/26834/audit-and-internal-index-data-retention.html
07-26-2017
07:11 PM
Are you searching in the right index? You did not specify an index name in your inputs.conf, which means you are expecting events in index=main?
If you are sure there is nothing wrong on the forwarder side/path etc., maybe try index=* sourcetype=iis
or maybe search for index=* source="inetpub"
Maybe you do have events, and just need to search in the right place?