Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About sureshkumaar
sureshkumaar
Path Finder
Member since:
10-01-2019
3 weeks ago
Community Statistics
| Posts | 83 |
| Solutions | 1 |
| Karma Given | 14 |
| Karma Received | 0 |
| Member Since | 10-01-2019 |
Activity Feed
- Posted props.conf not showing the output using EVAL on Splunk Enterprise. 3 weeks ago
- Tagged props.conf not showing the output using EVAL on Splunk Enterprise. 3 weeks ago
- Posted Re: Receiving blocked=true while syslog/heavy forwarder trying to send data through indexer servers on Splunk Enterprise Security. 04-23-2025 09:17 PM
- Posted Re: Receiving blocked=true while syslog/heavy forwarder trying to send data through indexer servers on Splunk Enterprise Security. 04-21-2025 11:29 PM
- Posted Receiving blocked=true while syslog/heavy forwarder trying to send data through indexer servers on Splunk Enterprise Security. 04-21-2025 05:35 AM
- Posted Re: traffic events not getting routed to nw_fortigate and non-traffic events not getting routed to os_linux on Getting Data In. 03-24-2025 08:35 PM
- Tagged Re: traffic events not getting routed to nw_fortigate and non-traffic events not getting routed to os_linux on Getting Data In. 03-24-2025 08:35 PM
- Tagged Re: traffic events not getting routed to nw_fortigate and non-traffic events not getting routed to os_linux on Getting Data In. 03-24-2025 08:35 PM
- Posted Re: traffic events not getting routed to nw_fortigate and non-traffic events not getting routed to os_linux on Getting Data In. 03-24-2025 06:42 AM
- Posted traffic events not getting routed to nw_fortigate and non-traffic events not getting routed to os_linux on Getting Data In. 03-24-2025 12:15 AM
- Posted Re: host value to be picked from the source log file on Splunk Enterprise Security. 03-22-2025 02:05 AM
- Karma Re: host value to be picked from the source log file for PickleRick. 03-22-2025 02:04 AM
- Posted host value to be picked from the source log file on Splunk Enterprise Security. 03-21-2025 11:02 PM
- Posted Re: 4688 event code to be excluded from universal forwarder directory path alone on Splunk Enterprise. 03-13-2025 12:47 AM
- Posted Re: 4688 event code to be excluded from universal forwarder directory path alone on Splunk Enterprise. 03-07-2025 12:41 AM
- Tagged Re: 4688 event code to be excluded from universal forwarder directory path alone on Splunk Enterprise. 03-07-2025 12:41 AM
- Posted Re: 4688 event code to be excluded from universal forwarder directory path alone on Splunk Enterprise. 03-07-2025 12:40 AM
- Tagged Re: 4688 event code to be excluded from universal forwarder directory path alone on Splunk Enterprise. 03-07-2025 12:40 AM
- Posted Re: Data not getting ingested into Splunk for multiple sources on Getting Data In. 03-06-2025 11:02 PM
- Posted 4688 event code to be excluded from universal forwarder directory path alone on Splunk Enterprise. 03-06-2025 12:43 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
3 weeks ago
Below is props.conf for a sourcetype, where we getting results for raw_action and tag1 fields. But considering/based upon the inputs received from raw_action and tag1 while we try to get the result for the field "action" receiving BLANK results. Kindly someone help EXTRACT-raw_action = (?<raw_action>Failed|Stopped|Deactivated|Login failed|USER_LOGGED_OUT|Logged out|Accepted|Log
ged in|USER_LOGGED_IN|dnf-makecache.service: Succeeded|TASK_FINISHED|modified|acl_modified|Succeeded|success=yes|Link is Up|repaired|allowed|receive)
EVAL-tag1 = case(match(raw_action,"(?i)\b(Failed|Stopped|Deactivated|Login failed|USER_LOGGED_OUT|Logged out)\b"),"authentication", match(raw_action,"(?i)\b(Accepted|Logged in|USER_LOGGED_IN)\b"),"authentication", match(raw_action,"(?i)\b(dnf-makecache.service: Succeeded)\b"),"change", match(raw_action,"(?i)\b(TASK_FINISHED|modified|acl_modified|Succeeded)\b"),"change", match(raw_action,"(?i)\b(success=yes|Link is Up|repaired|allowed|receive)\b"),"network")
EVAL-action = case(tag1=="authentication" AND match(raw_action,"(?i)(Failed|Stopped|Deactivated|Login failed|USER_LOGGED_OUT|Logged out)"),"failure", tag1=="authentication" AND match(raw_action,"(?i)(Accepted|Logged in|USER_LOGGED_IN)"),"success", tag1=="change" AND match(raw_action,"(?i)(dnf-makecache.service:Succeeded)"),"modified", tag1=="change" AND match(raw_action,"(?i)(TASK_FINISHED|modified|acl_modified|Succeeded)"),"modified", tag1=="network" AND match(raw_action,"(?i)(success=yes|Link is Up|repaired|allowed|receive)"),"allowed")
... View more
- Tags:
- props.conf
Labels
- Labels:
-
configuration
04-23-2025
09:17 PM
as per the monitoring console could see indexing queue and splunktcpin queue is high
... View more
04-21-2025
11:29 PM
Thanks @livehybrid for your inputs, I did checked the blocked=true for all the 4 heavy forwarder and could see in one of the heavy forwarder which acts as syslog server collecting the network related data where the typing queue is found which is considered as a bottleneck as i went through the PDF. And as per the PDF i grepped the metrics.log to see which sourcetype and host consuming more CPU 04-22-2025 05:19:58.017 +0700 INFO Metrics - group=per_sourcetype_regex_cpu, series="cp_log", cpu=604, cpupe=0.0005149352537121802, bytes=1072305900, ev=1172963 04-22-2025 05:19:58.011 +0700 INFO Metrics - group=per_host_regex_cpu, series="networkserver", cpu=596, cpupe=0.0005081981051714273, bytes=1072185809, ev=1172771 Kindly let me know what to do next
... View more
04-21-2025
05:35 AM
Hi All, I have 4 Heavy forwarder servers sending data through 5 indexers server1 acts as syslog server which has autoLBFrequency as 10 and maxQueueSize as 1000MB server2 acts as syslog and heavy forwarder which has autoLBFrequency as 10 and maxQueueSize as 500MB server3 acts heavy forwarder which has autoLBFrequency as 10 and maxQueueSize as 500MB server4 acts heavy forwarder which has autoLBFrequency as 10 and maxQueueSize as 500MB Receiving blocked=true in metrics.log while syslog/heavy forwarder trying to send data through indexer servers. Due to this index ingestion is getting delayed and data is coming to Splunk 2-3 hours late. And in one of the 5 indexer servers CPU is always highly utilized from 99-100% consistently which has 24 CPU, other indexer servers also running with 24 CPU. Planning to upgrade highly utilized indexer server alone from 24 to 32 Kindly suggest by updating below in outputs.conf will reduce/stop the "blocked=true" in metrics.log and CPU load on indexer will be normal before upgrading the CPU. OR we need to do both, changes in outputs.conf and upgrading the CPU. If both can be done which is the first we can try. Kindly help. autoLBFrequency = 5 maxQueueSize = 1000MB aggQueueSize = 7000 outputQueueSize = 7000
... View more
Labels
- Labels:
-
using Enterprise Security
03-24-2025
08:35 PM
Hi @PickleRick - Yes i did the changes accordingly. Now i am facing below 1. Able to get the expected results running without sourcetype, but while running the search with sourcetype=nix:messages OR sourcetype=fortigate_traffic 0 results returning. 2. the host extraction from the source which was there earlier now it's not working props.conf ### to send traffic and non-traffic events ### [source::.../TUC-*/OOB/TUC-*(50M)*.log] TRANSFORMS-routing = route_nix_messages, route_fortigate_traffic TRANSFORMS-sourcetype = set_nix_sourcetype_if_not_traffic, set_fortigate_sourcetype_if_routed ### to extract host from source ### [nix:messages] TRANSFORMS-set_host = set_custom_host [fortigate_traffic] TRANSFORMS-set_host = set_custom_host transforms.conf ### to send traffic and non-traffic events ### [route_nix_messages] DEST_KEY = _MetaData:Index REGEX = .* FORMAT = os_linux [set_nix_sourcetype_if_not_traffic] DEST_KEY = MetaData:Sourcetype REGEX = .* FORMAT = nix:messages [route_fortigate_traffic] DEST_KEY = _MetaData:Index REGEX = (?i)\b(traffic|session|firewall|deny|accept)\b FORMAT = nw_fortigate [set_fortigate_sourcetype_if_routed] DEST_KEY = MetaData:Sourcetype REGEX = (?i)\b(traffic|session|firewall|deny|accept)\b FORMAT = fortigate_traffic ### to extract host from source ### [set_custom_host] REGEX = /TUC-[^/]+/[^/\n]+/([^-\n]+(?:-[^-\n]+){0,5})-(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})-\d{2}-\d{2}-\d{4}\.log FORMAT = host::$1 DEST_KEY = MetaData:Host SOURCE_KEY = MetaData:Source
... View more
03-24-2025
06:42 AM
Hi @livehybrid and @isoutamo Below is the complete conf data. requirement is from same log file "traffic|session|firewall|deny|accept" related events should get indexed in "index=nw_fortigate" sourcetype=fortigate and other events should get indexed in "index=os_linux" sourcetype=os Kindly let me know do i need to any corrections in the conf and change the order in the transforms as well. inputs.conf [monitor:///TUC-RST50/OOB/TUC-RST50M*.log] disabled = false props.conf [source::.../TUC-*/OOB/TUC-*(50M)*.log] TRANSFORMS-routing = route_fortigate_traffic, route_nix_messages transforms.conf [route_fortigate_traffic] DEST_KEY = _MetaData:Index REGEX = (?i)\b(traffic|session|firewall|deny|accept)\b FORMAT = nw_fortigate [route_nix_messages] DEST_KEY = _MetaData:Index REGEX = .* FORMAT = os_linux
... View more
03-24-2025
12:15 AM
traffic events not getting routed to nw_fortigate and non-traffic events not getting routed to os_linux Can someone help? props.conf [source::.../TUC-*/OOB/TUC-*(50M)*.log] TRANSFORMS-routing = route_fortigate_traffic, route_nix_messages transforms.conf [route_fortigate_traffic] REGEX = (?i)traffic|session|firewall|deny|accept DEST_KEY = _MetaData:Index FORMAT = nw_fortigate [route_nix_messages] REGEX = .* DEST_KEY = _MetaData:Index FORMAT = os_linux
... View more
Labels
- Labels:
-
configuration
03-22-2025
02:05 AM
Thanks @PickleRick - it worked out [set_custom_host] REGEX = /TUC-[^/]+/[^/\n]+/([^-\n]+(?:-[^-\n]+){0,3})-(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})-\d{2}-\d{2}-\d{4}\.log FORMAT = host::$1 DEST_KEY = MetaData:Host SOURCE_KEY = MetaData:Source
... View more
03-21-2025
11:02 PM
in regex101.com, tested below REGEX it was working Updated below props.conf and transforms.conf in deployment server and 2 heavy forwarders as well, but not working props.conf [nix:messages] TRANSFORMS-set_host = set_custom_host transforms.conf [set_custom_host] REGEX = /TUC-[^/]+/[^/\n]+/([^-\n]+(?:-[^-\n]+){0,3})-(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})-\d{2}-\d{2}-\d{4}\.log FORMAT = host::$1 DEST_KEY = MetaData:Host /TUC-RST50/OOB/TUC-RST50M01ZTDCGDG01-01U-01-55.66.77.888-20-03-2025.log /TUC-SNK50/OOB/TUC-RST50N03ZTLEFCG02-20U-SRV02-44.55.66.777-21-03-2025.log /TUC-TYB50/OOB/TUC-RST50S03ZTLEFDB0B-20U-SRV01-33.44.55.666-21-03-2025.log /TUC-RST50/firewall/TUC-RST50M01ZTCOMDE0C-30U-EMSFW01-22.33.44.555-22-03-2025.log /TUC-SNK50/OOB/TUC-RST50M01FTIFW-11.22.33.444-22-03-2025.log BELOW output should get updated in the host field TUC-RST50M01ZTDCGDG01-01U-01 TUC-RST50N03ZTLEFCG02-20U-SRV02 TUC-RST50S03ZTLEFDB0B-20U-SRV01 TUC-RST50M01ZTCOMDE0C-30U-EMSFW01 TUC-RST50M01FTIFW
... View more
Labels
- Labels:
-
configuration
03-13-2025
12:47 AM
Issue is fixed, below excluded the events when splunk*.exe is found for 4688 event code. blacklist3 = EventCode="4688" Message=".*(splunk-.*\.exe|splunk\.exe|splunkd\.exe).*"
... View more
03-07-2025
12:41 AM
below is inputs.conf before blacklist lines [WinEventLog://Security] disabled = 0 checkpointInterval = 5 disabled = 0 start_from = oldest renderXml = false evt_resolve_ad_obj = 1
... View more
- Tags:
- inputs.conf
03-07-2025
12:40 AM
Below is the events for 4688 where the code gets captured in a field called "EventCode" A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SERVERNAME$ Account Domain: TRUE Logon ID: 0x3E7 Target Subject: Security ID: Account Name: Account Domain: Logon ID: Process Information: New Process ID: 0x2650 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0xf7c Process Command Line:
... View more
- Tags:
- inputs.conf
03-06-2025
11:02 PM
Below stanza's are collecting data related to firewall logs. first stanza is from one deployment servers and last 2 stanza's are from another same deployment server. But only 2nd stanza is working [monitor:///SERVER50/firewall/] whitelist = SERVER50M01ZT*\.log$ index = nw_fortigate sourcetype = fortigate_traffic disabled = false [monitor:///SERVER51/firewall/] whitelist = SERVER51M01ZT.*\.log$ disabled = false index = nw_fortigate sourcetype = fortigate_traffic [monitor:///SERVER52/firewall/] whitelist = SERVER52M01ZT.*\.log$ disabled = false index = nw_fortigate sourcetype = fortigate_traffic
... View more
03-06-2025
12:43 AM
Tried below regex to blacklist OR ignore 4688 event codes from the *.exe coming from the splunk forwarder path/directory But not working, it's considering 4688 from splunk and non-splunk path OR not sending events from both splunk and non-splunk path. Looking for a regex to be added as blacklist to ignore 4688 coming from *.exe files part of splunk universal forwarder path/directory blacklist = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)" blacklist = EventCode="4688" Message="New Process Name: (?:[a-zA-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.+\.exe)" blacklist = EventCode="4688" Message="New Process Name: (?:[a-zA-Z]:\\\\Program Files\\\\Splunk(?:\\\\UniversalForwarder)?\\\\bin\\\\.+\\.exe)" blacklist = EventCode="4688" Message="New Process Name: C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\" blacklist = EventCode="4688" Message="New Process Name: C:\\Program Files\\SplunkUniversalForwarder\\bin\\" blacklist = EventCode="4688" Message="New Process Name: (?i)[A-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.*\\.exe)" blacklist = EventCode="4688" Message="New Process Name:\s*[A-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.+\\.exe)" blacklist = EventCode="4688" Message="New Process Name:\s*[A-Z]:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\.*\\.exe"
... View more
- Tags:
- inputs.conf
Labels
- Labels:
-
using Splunk Enterprise
02-24-2025
01:36 AM
I have configured an app and added 7 different source files in a single inputs.conf with the same index name and sourcetype name Parent directory name is same for all 7 source files and sub directory name changes. The log file resides in has an extension of *.log. But i am able to get only one log file sending events to Splunk. sample inputs.conf provided below. [monitor:///ABC-DEF50/Platform/*.log] disabled = false index = os_linux sourcetype = nix:messages crcSalt = <SOURCE> Last week's data for the remaining 6 source files i was able to see in the Splunk after 2-3 days only. I checked and could see delay in indexing is happening. How to fix this? kindly help
... View more
- Tags:
- inputs.conf
Labels
- Labels:
-
configuration
02-17-2025
10:17 PM
Hi @livehybrid , Thanks for the reply. I have 2 questions 1. The If condition which is given it will pick the events where ever the keyword matches right being the keyword whether at the start, middle, end of the events "systemd", "rsyslogd" and "auditd" In my case i am looking for the events to be picked to a sourcetype when those keywords are there after the server name server-server-server-server systemd server-server-server-server rsyslogd 2. we need to have below one also right in props.conf to ignore other events getting forwarded to the sourcetype? [sourcetype] TRANSFORMS-set = setnull
... View more
02-17-2025
02:23 AM
Feb 3 11:10:15 server-server-server-server systemd[1]: Removed slice User Slice of UID 0. Feb 3 04:14:23 server-server-server-server rsyslogd[679024]: imjournal: 16021 messages lost due to rate-limiting (20000 allowed within 600 seconds) Feb 3 11:01:01 server-server-server-server CROND[3905399]: (root) CMDEND (run-parts /etc/cron.hourly) Feb 3 11:10:55 server-server-server-server esfdaemon[3938104]: 0 Feb 3 10:24:36 server-server-server-server auditd[2689]: Audit daemon rotating log files Is there a way to capture the whole line where systemd, rsyslogd and auditd keyword matches using props.conf and transforms.conf? Below captures till the specific keyword, how about remaining lines after the keyword? [setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = ^\w{3}\s\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}\s+(?:[+\-A-Z0-9]*\s+)?(systemd|rsyslogd|auditd)
DEST_KEY = queue
FORMAT = indexQueue
... View more
Labels
- Labels:
-
using Enterprise Security
02-16-2025
10:06 PM
Hi @gcusello - Will this work if we give some more values to be considered for indexing in transforms.conf? [setparsing] REGEX = systemd | auditd | CROND DEST_KEY = queue FORMAT = indexQueue [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue
... View more
03-21-2023
06:22 AM
My issue here is actually, the below line is actually has to be covered under a field called "Failure Reason" and when i am giving the below mvindex command it's working fine but not all the failure reason occupy in 2 mvindex values, some are occupying in 1 and some are occupying more than 1 (2 OR 3 OR 4) | eval "Failure Reason"=mvindex(_raw,19,20) "Error occurred in Disk Media, For more help, please call your vendor's support hotline.<br>Source: CVLT-NGDC-E11-MA05, Process: cvd" and another issue here is if we have 2 empty values, and when i am giving the below mvindex it's picking the value which is supposed to get update in the 23rd mvindex (i.e. data time stamp getting updated) instead of staying blank | eval "Failure Reason"=mvindex(_raw,21) "" "" "Mar 20, 2023, 10:41:49 AM"
... View more
03-21-2023
05:55 AM
Hi @ITWhisperer This is the raw event coming from a CSV file The values which ever coming in double quotes has to be separated and get updated in unique field names Even if there are empty within the double quotes it shouldn't skip Some times characters are lengthy which shouldn't get updated in another field "17449551","pmqcd1p3","SAP for Oracle","PMQ","N/A","default","(Logcommand line)","Backup 3RD","Full(Log)","Mar 20, 2023","Mar 20, 2023, 10:21:16 AM","20","","0","Failed","CVLT","Error occurred in Disk Media, For more help, please call your vendor's support hotline.<br>Source: CVLT-NGDC-E11-MA05, Process: cvd","","","Mar 20, 2023, 10:41:49 AM"
... View more
03-21-2023
03:59 AM
We have multiple lines within double quotes and to be updated in the different field names according to the name we have.
All values has to be in different field names separately which is within double quotes
the below regex is working and but picking all the values and updating in one field, i am looking for
1. where the value within first double quotes getting picked in one common field name
2. where the value within second double quotes getting picked in second common field name
3. where the value within third double quotes getting picked in third common field name
| rex "\\\"(?<JobId>[^\\\"]+)"
"17449551"
"pmqcd1p3"
"SAP for Oracle"
"PMQ"
"N/A"
"default"
"(Logcommand line)"
... View more
03-20-2023
08:21 AM
Hi @richgalloway - How about in this case? Where we have multiple lines within double quotes and to be updated in the different field names according to the name we have. All values has to be in different field names separately which is within double quotes "17449551" "pmqcd1p3" "SAP for Oracle" "PMQ" "N/A" "default" "(Logcommand line)"
... View more
- Tags:
- splunk
03-08-2023
04:34 AM
Hi @gcusello Yes file names are different, as i mentioned earlier strings will remain as it is and the numbers will keep changing. But able to get only data from one stanza, the other stanza not forwarding data. I created separate app and tested by creating a file and added input to the file manually and able to get the data. Having in same app wasn't working, is that because of same sourcetype using for 2 different sources in the inputs.conf??? the extension is "*.csv" yes it's the network path works from the windows server
... View more
03-08-2023
03:24 AM
Hi All,
Having these 2 monitor stanze in one inputs.conf, but able to get data only for latest one monitor stanza.
In both the file names strings are similar but numbers are changing
Is that because of the crcSalt, it's considering only one "Backup*" file name?
Also do the sourcetype needs to be different incase if we are adding "Backup*" in monitor stanza?
File name for first stanza - BackupJobSummaryReport_3696_6883300_1588_1678235411
File name for second stanza - BackupJobSummaryReport_19068_455837_9176_1678233614
[monitor://\\A11FLSCOMMVAULT\commvault_reports\Final_Report\Backup*] index = backup disabled = 0 sourcetype = commvault crcSalt = <SOURCE>
[monitor://\\A11FLSCOMMVAULT\commvault_reports\LISTAPAC\Backup*] disabled = 0 index = backup sourcetype = commvault crcSalt = <SOURCE>
... View more
Labels
- Labels:
-
inputs.conf
01-27-2023
06:43 AM
I am looking for a Alert query for monitoring the windows process
below is the scenario
1. Lookup having fields called host and Process
2. index showing events for process monitoring in "host" and "Name" field
Requirement is, initial line of the search, query needs to pick the values from "host" and "Process" field from the lookup first and check the index query, if the matching value isn't found, then results should be displayed in the Splunk
Kindly assist.
... View more
Labels
- Labels:
-
alert condition
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
3 weeks ago
|
Karma given to
