Hi， Now I want to forward data from HF to a single instance, can you tell me your steps? Thank you very much. ... View more

Hi @TheSteveBennett , don't attach a new question to an existing 8and closed) one because it's difficoult to have an answer, open a new question! Anyway, you have to serch in many inputs.conf files that you have in the Splunk Receiver (usually an Heavy Forwarder). If you want to use te same port for same logs (same index and sourcetype, you don't need to no anything, Remember that if you want to use a different port, you can do it by GUI, if instead you want to use the same port for a different sourcetype, you have to do it modifying the inputs.conf file and adding also an IP address of the receiver. Ciao. Giuseppe ... View more

Things don't happen by themselves usually. You must have sone something as root so that resulting files ended up being owned by root. ... View more

Hello @richgalloway,  Thanks for the information, I will try to do that ! Regards, GaetanVP ... View more

To add to the above details, the "thaweddb" folder is blank and doesn't contain any buckets. For now, I have increased the "frozenTimePeriodInSecs" by a few more months, but I'm not sure if it will work. Any other advice would be very helpful. ... View more

Hi @GaetanVP , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi I’m expecting that those are two different events and with your sample query you get only the 1st event not both? If this is true, you must first implement a SPL query which result contains both events. Then there must be something common on those events to connect those together. On your example events I can’t see anything like that! Probably you must find some other logs which you could use to combine all events on one transaction together? Only common factor between those event are D082923, but it seems to be part of file name or something? I assume that it’s using as this on many transactions and cannot use as identity only on transaction? r. Ismo ... View more

Hello @DataOrg, I do not know if it can cause the issue but truncate needs to be in capital letter : TRUNCATE = 0 The AUTO_KV_JSON = <empty> is also weird, try to remove it. Also what query are you using to search this json log after you had indexed it ? I used the following props.conf and the json was not truncated : [QualificationTests] DATETIME_CONFIG = CURRENT INDEXED_EXTRACTIONS = json KV_MODE = none LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true category = Database disabled = false pulldown_type = 1 TRUNCATE = 0 Hope it helps, GaetanVP ... View more

There was on Splunk Slack just a discussion about this problematic https://splunk-usergroups.slack.com/archives/C77SVATMZ/p1691397606241949. I that this base TA + local TA is normal way to do it. Just check that you name those so that you have correct precedence if/when needed (use btool to check if needed). ... View more

Yes it should work like this. Personally I try to avoid windows dc dns, but that’s another story. ... View more

I confirm @richgalloway words. Local folders are designed to enable custom change without risks of update overrides; this help also to avoid custom/manual change in default folders, that shouldn't be changed as it's not a Splunk best pratice. ... View more

Hi you could set retention times etc. as any other indexes have. I prefer to use separate app/SA which contains these definitions. Then just install it on your indexer or via cluster master. r. Ismo ... View more

I'm sharing here the final version of syslog-ng.conf that worked on trimming part of fortigate logs. However i noticed that license is being consumed like before 😞    @version: 3.35 @include "scl.conf"   # Syslog-ng configuration file, compatible with default Debian syslogd # installation.   # First, set some global options. options {      chain_hostnames(off);      flush_lines(0);      use_dns(no);      use_fqdn(no);     owner("root");      group("adm");      perm(0640);      stats_freq(0);     bad_hostname("^gconfd$");     create_dirs(yes);     keep_hostname(yes);     log_fifo_size(2048);     log_msg_size(8192);     time_reopen(10); }; # Adding param to make syslog-ng listen on udp/514 for syslog source s_net {     udp(port(514)); }; # Adding destination for local file to receive FortiGate logs   destination d_fortinet_fortigate {     file("/root/syslog/logs/fortinet/fortigate/$HOST/$YEAR-$MONTH-$DAY-fortinet-fortigate.log" create_dirs(yes)); };   destination d_fortinet_fortiweb {     file("/root/syslog/logs/fortinet/fortiweb/$HOST/$YEAR-$MONTH-$DAY-fortinet-fortiweb.log" create_dirs(yes)); };   destination d_fortinet_fortiauthenticator {     file("/root/syslog/logs/fortinet/fortiauthenticator/$HOST/$YEAR-$MONTH-$DAY-fortinet-fortiauthenticator.log" create_dirs(yes)); };   destination d_fortinet_fortimail {     file("/root/syslog/logs/fortinet/fortimail/$HOST/$YEAR-$MONTH-$DAY-fortinet-fortimail.log" create_dirs(yes)); }; # Filter to instruct syslog-ng how to identify FortiGate syslog filter f_fortinet_fortigate {     match("devid=\"FG[A-Z0-9]+\"" value("MESSAGE")); };   filter f_fortinet_fortiweb {     match("device_id=FV[A-Z0-9]+" value("MESSAGE")); };   filter f_fortinet_fortiauthenticator {     match("subcategory=\"Authentication\"" value("MESSAGE")); };   filter f_fortinet_fortimail {     match("device_id=FE[A-Z0-9]+" value("MESSAGE")); };   # Trimming different parts together for logging   rewrite rewrite_fortigate {  #subst ( '^time=\d\d:\d\d:\d\d(\.\d{3,6})? ', "", value("MESSAGE") );  subst ( ' devid="[A-Z0-9]{16}" ', " ", value("MESSAGE") );  subst ( ' logid="[0-9]{10}" ', " ", value("MESSAGE") );  subst ( ' srcname="([\w-]+)\.example\.local" ', ' srcname="$1" ', value("MESSAGE") );  subst ( ' srcintfrole="[a-z]+" ', " ", value("MESSAGE") );  subst ( ' dstname="([\w-]+)\.example\.local" ', ' dstname="$1" ', value("MESSAGE") );  subst ( ' dstintfrole="[a-z]+" ', " ", value("MESSAGE") );  subst ( ' poluuid="[a-z0-9-]{36}" ', " ", value("MESSAGE") );  subst ( ' sessionid=[0-9]+ ', " ", value("MESSAGE") );  subst ( ' policytype="policy" ', " ", value("MESSAGE") );  subst ( ' appcat="unscanned"', "", value("MESSAGE") );  subst ( ' crscore=[0-9]+ craction=[0-9]+ crlevel="[a-z]+"', "", value("MESSAGE") );  subst ( ' attackid=[0-9]+ ', " ", value("MESSAGE") );  subst ( ' incidentserialno=[0-9]+ ', " ", value("MESSAGE") );  subst ( ' ref="http:\/\/www\.fortinet\.com\/ids\/VID[0-9]+"', " ", value("MESSAGE") );  subst ( ' msg="application[s]?([0-9]+)?:[^.]+.[^.]+.[^.]+.[^.]+.[^.]+"', " ", value("MESSAGE") ); };   # Creating the different parts together for logging   log {     source(s_net);     filter(f_fortinet_fortigate); rewrite(rewrite_fortigate);     destination(d_fortinet_fortigate); };   log {      source(s_net);     filter(f_fortinet_fortiweb);     destination(d_fortinet_fortiweb); };   log {      source(s_net);     filter(f_fortinet_fortiauthenticator);     destination(d_fortinet_fortiauthenticator); };   log {     source(s_net);     filter(f_fortinet_fortimail);     destination(d_fortinet_fortimail); }; ### # Include all config files in /etc/syslog-ng/conf.d/ ### @include "/etc/syslog-ng/conf.d/*.conf" ... View more

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf * To forward data from the "_internal" index, you must explicitly set '_TCP_ROUTING' to either "*" or a specific splunktcp target group. So it's a default setting so that the _internal index data does get sent out. You can of course overwrite it on a per-input level using config file precedence (https://docs.splunk.com/Documentation/Splunk/9.1.0/Admin/Wheretofindtheconfigurationfiles). ... View more

If the query worked, you can mark it as a solution. It'll will help someone who refers similar thing in future. Cheers!! ... View more

thanks ，this also works ... View more

The second is just SC4S which doesn’t contains HF. It receive events via syslog server and sends those via HEC.  When I said syslog server I actually means ha version if possible. That with LB can give you quite good service level. Also pure single node syslog server has much shorter restart/reload time. Based on that you have much better service level with these than you have with individual HF with TCT/UDP listener.  Wihout LB you cannot avoid data loss with tcp protocol (this needs correctly configured LB, depends by product). If you are using UDP, then you will lose events (“feature” of protocol). ... View more

Hello Gaetan, thanks for HEC solution however how do you add data the same way you add monitor stanza using app's inputs.conf on deployment server and attach it to particular serverclass using REST API? Best regards.   ... View more

Hello @dnikam, You could try the following : | <you_base_search> | rex field=<field_where_you_have_your_numerical_info> "^\D*(?<Field1>\d*)\/(?<Field2>\d*)" | eval ratio=Field2/Field1 | fields ratio, Field1, Field2 | where ratio > 0.8 If you run this search, it will display an event only if the ratio is actually above 0.8  You can simply click on the "save as" button, choose alert and complete the other info, be sure to trigger the alert when the number of results is greater than zero, and select the correct schedule time, for instance :  Hope it helps ! GaetanVP ... View more

thank you  I'm not familiar with transpose command and i couldn't get this to work but ended up using another command.  thank you for your input    P  ... View more

Hi @GaetanVP  the data is coming from a file. its once  a day so everyday you will have a new line appended to the file why the surprise, space in a drive doesn't mean it should always go linearly from 7  to 10. somedays some might copy total 13MB of files someday some might copy and delete so space in disk would change to 10MB  i hope it clears your confusion Thanks   ... View more

Hi @inventsekar  This is the sample xml: <form version="1.1"> <label>Color Theme</label> <fieldset submitButton="true"> <input type="time" token="field1"> <label>Time</label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="field2"> <label>Environment</label> <choice value="Prod">Prod</choice> <choice value="QA">QA</choice> <choice value="DEV">DEV</choice> </input> </fieldset> <row> <panel> <title>Fusion(XPDS, WMOS)-&gt;GI Adapter(XPDS,WMOS,BZ,LF)-&gt;Ship GW-&gt;NSP-&gt;SCPI Inbound-&gt;SCPI Outbound-&gt;S4</title> </panel> <panel> <title>Fusion(XPDS, WMOS)-&gt;GI Adapter(XPDS,WMOS,BZ,LF)-&gt;NSP Topic-&gt;Shipped BRE service / SQS in Ship GW -&gt;NSP-&gt;SCPI Inbound-&gt;SCPI Outbound-&gt;S4</title> </panel> </row> <row> <panel> <chart> <title>2nd Panel</title> <search> <query>index=main</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">none</option> </chart> </panel> <panel> <table> <title>First Panel</title> <search> <query>Index=main</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> </form> Reference image is attached in the beginning of the thread.     ... View more

Hello @kitkit321, You could try something like this (if you are connected on your Search Head, otherwise you'll need to replace https://localhost with the url of the Search Head you want to target).   curl -k -u admin:"<your_password>" https://localhost:8089/services/search/jobs -d search="| metadata type=sourcetypes index=<your_index> | table sourcetype" curl -k -u admin:"<your_password>" https://localhost:8089/services/services/search/jobs/<sid_returned_on_previous_command>/results   Hope it helps ! GaetanVP ... View more