1. Use regex101.com - it's a great tool for testing regexes. 2. Remember to escape backslashes and quotes if you use regex as a sting argument to the rex command. 3. Your regex would match three-digit-long parts of request path after the "//rest/" part (which doesn't appear in yiur events anyway), not the http method. 4. You need something like | rex "\\]\\s+(?<ActionTaken>\\S+)\\s/" (If you want to test it on regex101.com, remove extra backslashes) ... View more

It's a bit more complicated than that. Forwarder has (oversimplifying a bit) inputs, outputs and some queueing and buffering mechanics in between. Some inputs can (depending on their configuration) block or not if they have nowhere to send to for further processing because, for example, the output isn't connected to anything and internal queues and buffers are full. Some input's can't (there's no possibility to block, for example, udp packets received from external sources). Typically file inputs block (it doesn't make much sense configuring them otherwise usually) of they have nowhere to send events downstream. But events already read don't have to be immediately sent to downstream receiver(s). They might be held in forwarder buffer. If you want to check the file inputs configuration and their state, do splunk list monitor and splunk list inputstatus ... View more

When you use indexed extractions, the events are parsed on the UF and are not touched on subsequent components (with some exceptions which we're not getting into here). So your props on indexers do not have any effect on parsing. You're interested in TIMESTAMP_FIELDS (along with TIMESTAMP_FORMAT of course) on the UF. ... View more

It actually depends on your network environment and your configuration. The general answer is - you must have network connectivity between the environments and the proper traffic must be allowed on local OS-level firewall  In this aspect SOAR and Splunk Enterprise are not different from any other network services - you must have an ability to connect to a port to be able to use it as simple as that. So it's not that I'm trying to be rude or something, it's just that there are so many variables here that it'd be better if you engaged your local network/linux guru to help you because that's something that's not Splunk-specific and local help will be much more responsive than ping-ponging stuff over internet forum. ... View more

It's not just "because they are in different networks" but because your internal network is organized the way it is. You might try to set up a VPN to your Azure environment to allow for connectivity or try to do some DNATs in your home network but as you're asking a kind of very basic network-related questions, you'd better not do that without fully understanding the risks. ... View more

You're asking for trouble. While you might try to use subsearch to return a set of criteria for the main search it is a very unreliable way to do it and you're bound to have unexplained wrong search results especially if searching over larger datasets due to subsearch limitations. Additionallly there are several problems with your searches. Both are highly inefficient due to wildcard use at the beginning of search term. You can't do arithmetics on a string-rendered timestamp. This is not a right format for earliest/latest (to be safe it's best to just use epoch timestamps for those parameters if calculating them from subsearch). Your first search contains several separate search terms instead of - as I presume - a single string. After this overly long introduction - It's probably best done completely differently - for example with streamstats marking subsequent events. ... View more

UF does not do parsing. Except for indexed extractions or when you set force_local_processing=true. So unless you turn your UF into a kind of a poor-man's-HF, your parsing and time extraction settings will not work on UF. If you have access to HEC endpoint though you could consider using another method (like third-party solution like filebeat or even your own python script to pre-parse those events a bit and send them via HTTP. ... View more

It's not clear how the health field is calculated. One way is what @ITWhisperer showed but it won't match your mockup results - you have health=bad all acros the board. ... View more

1. Other than the fact that you're holding the events in Splunk the question as such is completely unrelated to Splunk. It's a question about ObserveIT. 2. There is no general one-size-fits-all answer. Different organizations have different sensitivity to those things ... View more

Check those events - my hunch is there is something wrong with formatting in those rows - some inconsistent quoting or something like that. ... View more

Oh. This is something we in Poland call "shooting the sparrow with a cannon". If you really want to modify user's input, you should do so on client's side using the <change> functionality of the dashboard. But I'm still asking what's the point in doing so. If you want to have predefined choices you use different inputs. If you let the user type in something freely honor their choice (and/or educate the users to add the wildcard by themselves). ... View more

Ok. Aren't you perchance searching in fast mode? Oh, and I of course assume you have your TA_windows installed in all required places, right? ... View more

Upper/lowercase doesn't matter with search term. Splunk matches case-insensitively (with search command; where command is case-sensitive). And looking for something is definitely not the same as looking for something*. ... View more

But are the events indexed but the fields are not extracted or are the events not ingested at all? ... View more

You skipped the first point which says that early versions must be upgraded one by one until you reach 4.10.something. From there on you don't have to go version by version, you can skip straight to 6.2.1. But you can't upgrade from other version than 6.2.1 to 6.2.2. That's how I read it. ... View more

OK. I'd try to verify whether the transform is called at all. I have a feeling that it is not for some reason. You can for testing create some "sure fire" transform and check if it is being applied. Are you sure you're doing it on the right component? ... View more

AFAIR I had mixed results with transform not containing anything in the REGEX field. Try to explicitly add REGEX = . to match anything to the transform.   ... View more

Yes, change of the data format can cause incompatibilities with earlier data. That's true. The issue with your data in general (possibly not in the presented example) is - as I said - that you have separate arrays which splunk can parse into separate multivalued fields which are not related to one another. If you are absolutely sure that both of those multivalued fields are of the same cardinality and are 1-1 related with one another you can try to do join them using the mvzip() function. Then do mvexpand and split those values back to get corresponding pairs. One caveat though - since the values get merged into a single value, if they contain the delimiter you choose for mvzipping, it's gonna get ugly when you'll be trying to split them again. So it's possible but pretty ugly (and working only with some strong assumptions. ... View more

About the number of files - yes, I figured as much. It was suppose to be a little joke to lighten the mood a bit. Maybe a missed one. Nevermind. "What It Does: This setting includes the file's last modification time in the checksum calculation." - No, it does not. It includes literal "DATETIME" string in CRC calculation (which doesn't change the situation much). The only possible "dynamic" setting specified in the spec file for inputs.conf is the <SOURCE> setting which is substituted with each file's path. Other than that, the strings are constant literals. Are the files updated or fully rewritten? As usual with any problems with ingesting files, the first debugging steps are to run splunk list monitor and splunk list inputstatus and see if there's something unusual about those files ... View more

Depends on your environment. If you have an all-in-one installation, the easiest method would be to go to settings->indexes ... View more

1. You obviously can't read data from 8 files if you have input set for just one of them 😉 2. Leave the crcSalt setting alone. It is very very rarely needed. Usually you should rather set initCrcLength if the files have common header/preamble 3. What do you mean by "small set of data is being ingested"? 4. Did you check splunk list monitor and splunk list inputstatus ... View more

Well... there is a possibility of defining an output using a short-ttl DNS name (dyn-DNS), it's not something I'd recommend. Static addresses definitely make your life easier. ... View more

Interesting Fields is just a GUI feature that shows fields present in at least 10 (15?) percent of events. Just because field is not listed there doesn't mean it's not being parsed out from the event. Actually with renderXml=true you get xml-formatted events from which all fields should be automatically parsed. ... View more

Of course. With a single disk installation a single disk also takes down whole machine 😉 But seriously - it's just a matter of risk and cost management. Some users can accept the risk of the whole machine going down knowing that the machine is cheaper (and possibly a bit faster). But I agree, the storage is relatively cheap nowadays. One important caveat: I'm of course talking about components which are replicated (indexers, search heads). You probably don't want a RAID0-based machine as CM. ... View more