Wondering if there's a blacklist parameter I can add to one of my Azure inputs so that Splunk will ignore pulling the event across the WAN. I already have a working ingest action, but the amount of data that's coming across is causing memory issues on my forwarder ... my working ingest action is this ... NETWORKSECURITYGROUPS\\/NSGBLAHBLAH.*?(IP\\.IP\\.IP\\.IP|IP\\.IP\\.IP\\.IP) but is there an inputs.conf parameter I can set to this regex so that the data will be ignored at the source. ... View more

I have multiple formats of json data coming in from Azure Keyvault. I can't seem to get the linebreaking to work properly and Splunk AddOn for Microsoft Cloudservices doesn't provide any props for many of these json blobs. ( multiple matching lines per ingested event } { "count": 1, "total": 1, "minimum": 1, "maximum": 1, "average": 1, "resourceId": "/SUBSCRIPTIONS/blah/blah", "time": "2025-05-07T14:08:00.0000000Z", "metricName": "ServiceApiHit", "timeGrain": "PT1M"} { "count": 1, "total": 14, "minimum": 14, "maximum": 14, "average": 14, "resourceId": "/SUBSCRIPTIONS/blah/blah", "time": "2025-05-07T14:08:00.0000000Z", "metricName": "ServiceApiLatency", "timeGrain": "PT1M"} And some look like this: { "time": "2025-05-07T14:07:58.7286344Z", "category": "AuditEvent", ....... "13"} { "time": "2025-05-07T14:08:02.8617508Z", "category": "AuditEvent", ....... "13"} I've tried numerous combinations of regexes ... nothing's working. LINE_BREAKER = (\}([\r\n]\s*,[\r\n]\s*){|\{\s+\"(count|time)\") Any suggestions would be greatly helpful. ... View more

Ever since upgrading Windows clients above to 9.0 we've had access issues. We've resolved some of that by adding the "SplunkForwarder" user (which gets provisioned at the time of the install) to the Event Log Readers group. Unfortunately, that hasn't resolved all access issues. IIS logs for instance .. When I deploy a scripted input to a test client to provide a directory listing of C:\Windows\System32\Logfiles\HTTPERR ... the internal index gets a variety of errors, one of which is included below. (yes, the directory exists) Get-ChildItem : Access to the path 'C:\Windows\System32\Logfiles\HTTPERR' is denied  So, other than having our IT staff reinstall the UF everywhere to run as a System privileged user as it has run in every version I've ever worked with ... How are we to know what Group the SplunkForwarder user needs to be added to read data that is not under the purview of "Event Log Readers" ... View more

I'm trying to remove some Windows events from being ingested ... example below: The regex I've tried in both Ingest Actions and the old method works both at regex101 and in my SPL index=win* EventCode=4103 Message=*Files\\SplunkUniversalForwarder* | regex "EventCode=4103(.|\r|\n)+\s+Files.SplunkUniversalForwarder.bin.splunk-powershell.ps1" Yet, when I configure an ingest action ruleset, nothing gets removed. [_rule:ruleset_WinEventLogSecurity:filter:regex:ft7j3fkn] INGEST_EVAL = queue=if(match(_raw, "EventCode=4103(.|\\r|\\n)+\\s+Files.SplunkUniversalForwarder.bin.splunk-powershell.ps1"), "nullQueue", queue) STOP_PROCESSING_IF = queue == "nullQueue" same goes for trying to do it "the old way" [drop_4103_splunkpowershell] DEST_KEY = queue REGEX = EventCode=4103(.|\r|\n)+\s+Files.SplunkUniversalForwarder.bin.splunk-powershell.ps1 FORMAT = nullQueue   04/04/2024 07:02:28 PM LogName=Microsoft-Windows-PowerShell/Operational EventCode=4103 EventType=4 ComputerName=redacted User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-PowerShell Type=Information RecordNumber=1258288151 Keywords=None TaskCategory=Executing Pipeline OpCode=To be used when operation is just executing a method Message=CommandInvocation(Start-Sleep): "Start-Sleep" ParameterBinding(Start-Sleep): name="Milliseconds"; value="200" Context:         Severity = Informational         Host Name = ConsoleHost         Host Version = 5.1.17763.5576         Host ID = 222d8490-3c1f-486d-94ed-47f91e59da32         Host Application = powershell.exe -command $input |C:\Program` Files\SplunkUniversalForwarder\bin\splunk-powershell.ps1 C:\Program` Files\SplunkUniversalForwarder e20c0be00a8583fe         Engine Version = 5.1.17763.5576         Runspace ID = 87084a50-365f-409b-aed6-d666c6c6b2b         Pipeline ID = 1         Command Name = Start-Sleep         Command Type = Cmdlet         Script Name = .......  ... View more

The configtracker index contains a json path of: data.changes{}.properties{} In that path, there are numerous objects ...  data     changes          properties                + ( contains name, old_value, new_value )                + ( contains name, old_value, new_value )                + ( contains name, old_value, new_value ) I've tried numerous ways of parsing data.changes{}.properties{} ... but am still finding myself unable to display the name, old_value, and new_value of each object beneath data->changes->properties ... Ultimately, I'd like to be able to render a table of "name" where an old_value exists so that we can alert on changed correlation searches in ES. ie: where "name" = search (and both old_value and new_value are not empty) { [-]              name: search              new_value: `sysmon` foo              old_value: `sysmon` bar            } or: where "name" = cron_schedule (and both old_value and new_value are not empty) { [-]              name: cron_schedule              new_value: 6-56/10 * * * *              old_value: */10 * * * *            }  or: where a search schedule was enabled { [-]              name: enableSched              new_value: 1              old_value: 0            } ... View more

We recently upgraded to Splunk 9.0.0 on our platform and the Splunk Add-On for Active Directory stopped working. We connect to our Active Directory instance using SSL ... and we're getting errors like this one now 2022-10-20 08:05:03,580, Level=ERROR, Pid=5668, File=search_command.py, Line=390, Abnormal exit: (LDAPSocketOpenError('socket ssl wrapping error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)'),)   What needs to be changed in order to make this work with Splunk 9? ... (We still have an instance running 8.2.6 and the AddOn still works perfectly fine there with the exact same configuration)   ( we're using the most recent version {3.0.5} of SA-ldapsearch )   Thank you ... View more

Does anyone have a solution for a query that will return the daily event count of every index, index by index, even the ones that have ingested zero events? | tstats count WHERE index=* OR index=_* by index ... only returns indexes that have > 0 events.   ... View more