OK, normally license master is not a search peer for a production SH. License Master is however usualy a search peer for the Monitoring Console (but very often those two roles are combined on the same host to save on infrastructure along with another "small" role like SHC deployer; whether it's a good practice or not we'll not be discussing here, it's just what you can find "out there in the wild"). ... View more

Do you mean that you want to check how your specific setup is configured? You have to check your pipelines or whatever they are called in Cribl (I don't remember; I don't use Cribl on a daily basis) and see for yourself. ... View more

Yes, I've seen only too many times. But the thing is that it's a symptom of not well-enough defined processed and "undermanaged" environment. Ingest to specific indexes should be covered by proper onboarding process and it should be documented. Searching from an index generally should be covered by roles and therefore users' access.  Checking dashboards/reports is a task which might give you false feeling of completness. Let me give you an example. You have a dashboard. The dashboard uses  a base search `interesting_indexes` | stats count by host The "interesting_indexes" macro is defined with an app and resoves to "index IN (firewall,hips)". So far so good. But a particular user redefined this macro privately to say "eventtype=windows_logoff". How are you supposed to know that this particular dashboard works differently for that user? ... View more

As a rule of thumb, everything that affects ingestion (which means apps deploying inputs and index-time transforms) requires restart. For search-time settings it's usual enough to reload or debug/refresh. As a side note - since settings affecting ingest pipeline require restart, you might consider splitting parsing from indexers (push data through HFs first so that indexers receive already parsed data). This adds complexity and hardware to your environment but lowers load on the indexers and limits demands to restart indexers. ... View more

It depends. Cribl can handle outputting to Splunk in one of several ways. It can do raw event to /services/collector/raw - this way the event is ingested as raw and goes through all normal event processing except line breaking IIRC It can do HEC to /services/collector/event - this way the event goes directly into typingQueue (I'm not sure if you can tell Cribl to use the ?auto_extract_timestamp=true parameter to push the events earlier in the pipeline. And it can do s2s (either directly or over HTTP via /services/collector/s2s) in which case it sends data as cooked and parsed (not just cooked!). Anyway, it has nothing to do with search-time extractions. Search-time extractions happen - as the name says - during searching so it doesn't matter how the data was ingested (unless they rely on something that should have happened during indexing, like sourcetype rewrite). ... View more

Well, firstly, If I were doing such migration I'd make sure that I was _copying_ the data and had a working setup to fall back to in case anything went wrong with the new one. Secondly, Splunk itself should work pretty much the same on windows as on linux with some things you need to remember about. 1) Paths. There can be many paths across your configuration which point to different places. If your config mostly used $SPLUNK_HOME, $SPLUNK_DB and volume definitions, the migration should be easy. If you have - for example - hardcoded pahts for index locations, that can be more cumbersome to adjust There can also be paths to certs, for example... 2) Permissions/directory ownership. If you copy over old data, make sure Splunk can read the directories. 3) File/directory names case - Windows file handling is case preserving but case insensitive (which makes it sometimes difficult to handle filesystems exported from different OS-es where you can have multiple files with "the same" names with different case letters) whereas Linux is case sensitive. ... View more

Ha! I knew there was something fishy going on. Splunk shouldn't just restart out of the blue. Good you found it! ... View more

That's what limits and workload policies are for. ... View more

This is a third party app. in this case - developed by ServiceNow themselves. So that's a question for them. If you are their customer, approach their support or even better - sales team with that question. ... View more

The only "UCS" I can think of is Cisco Unified Computing System. I have no idea how you would be "connected to UCS domain" (maybe you're talking about some speciffic add-on, I have no idea).  Typically if you're a syslog receiver, you're just a receiver and sender's settings are beyond your reach. ... View more

Firstly, browse through all member SHs and check if they are indeed in a restart loop. If they are, you gotta dig into the logs why are the SH(s) restarting. But they might not be and the message might be just because of network (or TLS!) problems. ... View more

Unless there is some way to do it with Edge Processor (which full capabilities I'm not aware of yet), there's no reliable way to do so. 1. Splunk on its own doesn't store metadata on the connection. So you can't reliably tell which forwarder the data came from. 2. Splunk doesn't differentiate between data locally ingested and received on network inputs. So you can't do something like "those UFs can only send to specific set of indexes". You can set up a Heavy Forwarder receiving data from those untrusted UFs and create rulesets (transforms won't catch indexed extractions) globally limiting processing to given indexes (sending others to nullQueue). I think that's the only limit you can impose with such setup. ... View more

Wait. Are you aware how Splunk works? In a typical case Splunk indexes raw event but extractions are done in search-time. They are not - as with many other solutions on the market - done during ingestion process so they do not consume disk space. (With the exception of indexed fields and acceleration techniques like datamodel acceleration or report acceleration). Also license usage is measured (assuming we're talking about ingest-based licensing) based on raw data written to indexes. So however many indexed fields you would have along your raw event, they wouldn't consume any additional license. ... View more

Well, if your solution works, that's OK. Just remember that transaction is a "heavy" command and is not recommended, especially on bigger data sets. ... View more

OK. I'm not sure what are your boundary conditions (for example - can the same user have multiple concurrent connections? that breaks transaction). Also the last command seems strange for me - it should count distinct usernames by... username? Makes no sense. Anyway, if the users cannot have multiple overlapping connections, I'd go a completely different way. 1. There is a built-in command "concurrency". (even if there wasn't there's a way to count concurrent connections with streamstats. 2. For a non-concurrent connections per user  it's probably easiest to do something like that (don't have my Splunk available at the moment so it's a "dry run" code). index=myindex event IN (login,logout) ``` That's obvious ``` | eval login_time=if(event=="login",_time,null()) | eval logout_time=if(event=="logout",_time,null()) ```we create two artificial fields we'll soon use``` | streamstats current=f last(logout_time) as logout_time by username ```we copy the logout time to the login event; remember that events are returned in reverse chronological order so we have logouts first``` | search event="login" ```we don't need logouts anymore | eval duration=logout_time-login_time ```well, we could have skipped creating logout_time since it's equal to _time anyway but this way it's more verbose``` | concurrency duration=duration start=login_time That's a rough idea of how to approach this problem - carry over the logout time to the login event and then do your calculations. You could also emulate the concurrency command differently - using additional field to carrying -1 for login and 1 for logout (if going through the events in default order) and do streamstats sum on those values. ... View more

We're going into very off-topic directory but from my experience while linux packages often contain pre/post-(un)install scripts, unless they are horribly broken like a specific vendor's software which I'm not gonna name explicitly here, they usually behave quite well. The package manager tracks files which are getting installed, the scripts handle config entries pretty well (again - usually). I think there are two main culprit in case of windows. 1) MSI "happened" when there were already a lot of different installation tools on the market (and still are). And Building MSI has never AFAIR been very straightforward, well docummented and easy (at least compared to tons of docs and tutorials on building debs or RPMs). 2) There is that ugly beast of windows registry you have to deal with. And it's a great PITA not only regarding software (un)installation. ... View more

Generally, it would be easier if MSI worked properly. The issue with (un/re) installations is not specific to Splunk UF. I've seen so many misbehaving installation packages... ... View more

I'm sorry but whenever I see "we need to install version X.X.X because our vulnerability scanner reports a finding" I die a little inside. Has anyone bothered to read and understand what the finding is about? ... View more

The description of your problem is so vague that the only answer you can get at this point is "something is wrong". We have no idea what your setup is, what exactly are you trying to do, what is the exact result... Way, way too little information to work with here. ... View more

Yeah. "Directly" sourcetype-based stanza must match a single sourcetype literally. But apparently the engine matching event to relevant props.conf settings has something about treating everything containing :: as either source or host-based setting so it applies the setting anyway using the regex matching method. Since the :: appears literally in the stanza but is completely ignored in matching, that works. But boy, it's such an ugly hack... ... View more

Unfortunately, that introduces another SPOF in the form of said LB. syslog is a very simple solution (won't use the word "protocol" because "syslog" can mean many things) and was never meant to be very robust. Paraphrasing some well-known sayings - "R" in "syslog" stands for reliability. ... View more

If you go to job log, you'll see how it works. Firstly, Splunk converts the timestamp to a unix epoch-based number. So let's save him the effort and specify the timestamp explicitly index=whatever earliest=1 latest=86400 Let's see what the job log says. It repeats the "earliest=1 latest=86400" a few times but then you'll notice [...] INFO UnifiedSearch [1065424 searchOrchestrator] - Expanded index search = (index=whatever _time>=1.000 _time<86400.000) So you see that the lower search time boundary is inclusive and the upper boundary is exclusive. That's first thing. Second is that there is no "latest<=something" syntax. Searching like that would look for a field called "latest" and compare it lexicographically to the date string. It's most probably not what you want. And even if it did, you'd still not get the results from the last second because your timestamp translates to a full second. All events which are happening at 23:59:59.something are _later_ than that. So expecting that you'd get event from _after_ your specified latest time is simply wrong premise. Oh, and "various tutorials say so" doesn't make it right. Actually, the documentation article you point to doesn't say anywhere that latest=23:59:59 should cover entire day. The only thing that could be added to the article would be the explicit notion of include/exclude of the range ends. If you feel like helping the community you might contribute a feedback to the article.  ... View more

If you plan on sorting or do any other post-processing, don't use "du -h" because it doesn't yield results with consistent units. Use common units across all results with "du -m" or "du -k". ... View more