Rather than breaking only before a date, try breaking before a date OR a header. [my_new_sourcetype] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)(<<timestamp regex>>|-{5}) TRANSFORMS-drop_header = new_sourcetype_drop_header TIME_FORMAT = <<timestamp regex>> TIME_PREFIX = \( Be sure to replace <<timestamp regex>> with a regular expression that matches your timestamp strings. ... View more

Hi Blake. If you're looking at accreditations, it sounds like you might be working for a Splunk Partner. You can always contact accreditations@splunk.com for 1:1 assistance. Some customers do receive success plan credits with their license, which can be used for training (not certification), so it may be worth checking with your Splunk reps on what you do/don't have access to. ... View more

I've updated the regex above. Please try that. Should extract the sentences that you listed as examples. If it needs more modification, kindly share some sample data to create an accurate regex. ###If it helps, kindly consider mark as accepted answer###     ... View more

Thanks for clarifying 🙂   ... View more

I guess I should have said, this is in SignalFX, the email fields are all grey'd out, I'm not seeing a mechanism to update them.  ... View more

Please explain your use case.  Why are you parsing the data instead of letting Splunk do it? ... View more

The syntax for Windows event log stanza is: [WinEventLog://<channel-name>] ... View more

The column used as the Rising Column must change every time that row is modified.  If it does not change then Splunk will not read that row and the new data will not be indexed. ... View more

The AND operator in the where command must be in upper case. If you still don't get results, use the table command to examine the ts, info_min_time, and info_max_time fields. ... View more

Hello, Thank you so much for your quick response., truly appreciate it.  The main reason we wanted to use indexed fields is to optimize the search/base search. But, using indexed field and indexed time field extraction may cause some performance issues. We have huge volume of data and a several source types/indexes with unique  ACCOUNTID and IPAddress fields, do you have any recommendation how to optimize the base search (search) in real time as we require to search over a wide range/period of time. Thank you so much, any recommendations will be helpful and greatly appreciated. ... View more

It sounds like a problem with the EC2 security groups.  Verify the settings allow connections from the US peer's IP address. ... View more

I have a single Splunk instance running in Docker for this project. Scripted inputs appear to require Splunk Cloud or Splunk enterprise, which I don't have. So I guess it's back to the original plan - to have a script that gathers the data - which will then need to be ingested into Splunk.   ... View more

In case someone else looks at this, if you manually want to place the file: If you are manually going to download the update, you will grab the raw JSON from https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json Move this to the ES Search Head and place it in $SPLUNK_HOME/var/lib/splunk/modinputs/threatlist/ You will need to save this as mitre_attack for the file name. The mitre_attack file will contain this raw JSON that you downloaded. You should then just be able to run the Threat - Mitre Attack - Lookup Gen saved search and the output in the KV store will be properly populated. ... View more

You don't have to open the servers to the Internet.  All you have to do is allow them to send to a small number of Splunk Cloud indexers.  All incoming traffic can (and should) be blocked.  Splunk Cloud never initiates a connection to on-prem servers. Other customers have worked around this issue by using 2 or 3 intermediate forwarders (IFs).  The UFs connect to the on-prem IFs, which are permitted to connect to Splunk Cloud.  It's an extra layer of management and an additional point of failure, but it keeps the network security people happy. ... View more

As part of the search for the panel, add a done handler - note that the result field you want must be in the first row of the results - also note that if you use field names with a leading underscore, they won't show up in your table but should be available to the done handler </query> <done> <eval token="tokenname">$result._fieldname$</eval> </done> </search>   ... View more