Making buffers too big and removing thruput limits may not yield great results. Try flushing several gigabytes worth of buffers on forwarder's close. Try getting sudden peak of data when a site with several hundreds of endpoints comes back from a site network outage... There are pros and cons to everything 🙂 ... View more

That's one of the reasons why receiving syslog directly on the Splunk component is not a great idea. It's better offloaded to an external syslog receiver. ... View more

Did you check https://helpcenter.veeam.com/docs/security_plugins_splunk/guide/ ? I admit it's not very detailed. And it's not obvious what is inside the app. Contrary to the good practice of splitting the third party solution related functionalities into two modules - add-on for data input and parsing and app for visualization, this one seems to be a all-in-one approach. That means that you probably need it both on your SH tier servers as well as in the ingestion path (whether this means indexers or HF depends on your architecture, as always). Oh, and when I see "syslog through load-balancer", there's probably something suboptimal in your environment. ... View more

If you use "iterate" in a sentence you're probably not thinking about your problem in a splunky way. 😉 Paste a sample of your data (anonymized/sanitized if needed) to visualize your problem and the expected outcome. ... View more

As far as I remember, error 104 means problems on a tcp connection level. Troubleshoot the connection with your typical network-level tools (tcpdump, netcat...) and verify your firewall config/logs. ... View more

Just for the sake of clarity (and that's probably one of the reason there is so much confusion about this). It's not that you "drop" or "pull" the events. If you dropped the events you wouldn't have anything to pull back. Transforms just set metadata field which is used _after_ to route events. So you can manipulate this metadata at will and switch it back and forth. After you leave the transforms phase the data is getting routed or dropped according to the final state of the metadata fields. ... View more

Let me clarify it a bit. We have side A and side B of a TLS connection. When side A initiates a connection to side B (let's say a UF connects to an indexer or an indexer connects to the license master), side B presents a certificate. Normally this would be a certificate for a subject B (certBsub) issued by some intermediate CA (certinterCA), which in turn is normally issued by a root CA (with a certRootCA)- that's a most typical scenario. There might be more intermediate intermediate CAs in chain (certBsub<-certinter1CA<-cetinter2CA<-...<-certRootCA), but that's fairly rare. There might be a certificate directly issued by rootCA (certBsub<-rootCA) but that's also rare since it involves rootCA in operational work which is not very secure. So the proper setup of certificates in such environment would be like this: - side B should have and present to the clients when being connected to a certificate chain consisting of its own subject certificate (certBsub) and intermediate certificates which were used to issue that certificate. Without the rootCA certificate (in practice it's often also presented but it's not needed there) - side A needs to know only the rootCA certificate to be able to verify the whole path of certification from its trusted root to the subject certificate. So the sides do not actually share any certificates. They rely on the fact that side B has a certificate which has been issued by a CA which is trusted by sideA. If you also verify the client, another half of the mechanism works the other way around - apart from the client verifying the server as described above, the client on connection presents its own subject certificate along with possible certification chain up to but not including the rootCA and the server verifies the certification trust with a rootCA certificate it knows. It doesn't mean though that those rootCAs must be the same!   ... View more

I think you're having some serious problems on the source side and you're trying to "fix" them with some ugly hacks "outside". ... View more

Please don't share "ready to use" scripts based on serious assumptions without at least explaining what those assumptions are. In here your quite strong assumption is that there would be no files matching firewall-*.log.gz coming from other sources (possibly in other subdirectories. Also - you're mixing -name with -iname. ... View more

I don't understand. What's happening between those writes? Is it getting deleted and recreated? But why new entries appended to old content? ... View more

Yeah. But if your events are small enough, you can send them over UDP and have natural event breaking. If you don't have multiline events you can break on line endings. If you have long events you could try doing some magic with original line endings (substitute them with something?) and decode them on receiving side. ... View more

Then again - at transforms stage you will no longer have the raw contents of the original data stream. For example, on Windows the default CHARSET is AUTO which means that Splunk will try to guess based on whatever you throw at it. So it will happily convert CP-1250 or UTF-16 to UTF-8 and your "corrected" count will still not be the same as the original data size. On Linux it's UTF-8 by default but it can be overriden. OK. Scratch all that. You actually want to _send_ data. You want to use octet-count framing? That's kinda unusual. I know it's RFC-compliant and all but hardly anyone uses it in the wild. The only advantage over normal trailer-based framing is if you have multiline events. ... View more

But as @VatsalJagani said - there is no replication of KVstore between SH and indexer layers. True, if the particular collection is set to replicate, _its contents_ get replicated to indexers but they do that by pushing a csv file with a dump of the collection data. There it gets treated like a normal csv-backed lookup. There is no clustering (and clustering would be required for replication) of KVstores between SH tier and indexer tier. There is not even a clustering of KVstores at indexer tier if they are enabled there - each indexer runs its own 1-member mongo cluster. ... View more

I can think of one very border case (actually being a badly engineered environment) when you have an input running on indexer. And that input would use KVstore to store state. I can't tell from the top of my head which add-ons used that but there were ones out there in the wild that would do that. But again - this is a badly engineered environment since you shouldn't run such stuff on an indexer. The right way is to set up a separate HF for this. ... View more

Unfortunately, that seems to be the only viable solution. After the "entry point" to the pipeline where Splunk decodes the data stream into UTF-8, it works on code points so any text operations work on whole characters, regardless of their byte width. So you have to explicitly replace known ranges of codepoints with two-, three and four-char sequences. ... View more

Are you sure about this? | windbag | eval bytes=len(replace(sample, "[^\x00-\x7F]", "XX")) | eval len=len(sample) | table sample len bytes _raw If I check - for example, Tamil one, I get len=58 (which seems wrong; I remember a thread about eastern scripts so I picked this one deliberately 😉 ), bytes =108 but if I copy-paste the example into a text file on my disk. Additional question to OP is what is the goal you want to achieve? Because if it has something to do with measuring the actual input, it's already too late because transforms kick in after the initial UTF normalization. ... View more

When running a Splunk instance you have the license cost (which might be zero if you're using a trial/free license) and the infrastructure cost (the cost of hardware or cloud vm or container in which you spin up a Splunk instance, in cloud case maybe the cost of network traffic, the cost of someone to maintain it and so on). So on-prem vs. cloud vm covers the infrastructure costs. You still need to handle the license part according to your needs - either buy a properly sized license or use the free one (which has limitations) after the trial period ends. If you choose Splunk Cloud service however, you pay for the service subscription which covers both license and Splunk infrastructure costs. Be aware though that you still might need some self-managed components like forwarders or deployment server (for those you should get a so-called zero-bytes license for free but that's a completely different story) ... View more

It's an app for completely another product. You're looking for something for Splunk Enterprise while the app you pointed to is an app for SOAR (Security Orchestration Automation and Response). These are two different solutions. So that's one thing. Another thing is that custom commands are tricky, especially those calling external services. Theoretically, implementing a DNS lookup (because that's what IP to domain name mapping is; it has nothing to do with whois; whois database is a completely different thing - it shows you entity responsible for given IP, not the domain name) should be relatively easy but running it - especially if using external DNS server, not a local caching one - can be very expensive if run over a big dataset. ... View more

This is a simple SOAR app with just a handful of actions "This app implements investigative actions that query the whois database Supported Actions test connectivity: Validate the configuration for connectivity whois domain: Execute a whois lookup on the given domain whois ip: Execute a whois lookup on the given IP" What more do you need? ... View more

If you want to export search results, the easiest way is to use csv. ... View more

Come on. Don't blindly copy-paste LLM's hallucinations. You can't forward events to HEC. You can forward events to S2S over HTTP using httpout but only Splunk (and possibly one other solution which shall not be named here) supports receiving data this way. Modular inputs are for input, as the name says. If they were to forward data outward you'd need to implement it manually. That's kinda pointless. Forwarding via custom actions on alerts is not really a feasible solution. For small amounts of data it probably could be done but it's not a very intuitive and easy to maintain solution. Third party middleware is completely off-topic. The question was whether Splunk on its own can forward data to other systems. ... View more

No. For now there is no custom JS support. Period. BTW, while exporting results from a report makes sense, I don't see much point in trying to export whole dashboard.   ... View more