While rebuilding forwarder database might sometimes help if it becomes corrupted or contains too many orphaned entries, the question worth looking into is how your UFs are deployed and configured. Are you sure they aren't sharing the GUID and hostname? ... View more

Hi @kiran_panchavat  $10/GB? Where are you seeing that?  That would be nice.  (Edit - I see you've now removed this and replaced it with other content) Google suggests "Splunk typically costs between $1,800-$2,500 per GB/day for an annual license." but this is probably based on public pricing resources without any partner/volume discounts etc.  For what its worth, I agree with @isoutamo that Splunk Cloud would be a good option here, I thought smallest was 50GB but if its only 5GB then the annual cost for this is probably less than the cost of someone building, running and maintaining a cluster on-prem!  For what its worth - I did a conf talk in 2020 about moving to Cloud and the "cost" ("The effort, loss, or sacrifice necessary to achieve or obtain something") - TL;DR; Cloud was cheaper. https://conf.splunk.com/files/2020/slides/PLA1180C.pdf#page=37 The Free version wont suffice for the PoC because it doesnt have the features required such as clustering, authentication etc etc. Get in with Sales and they can help arrange a PoC license if they think you'll be looking to purchase a full license 🙂 https://www.splunk.com/en_us/talk-to-sales/pricing.html?expertCode=sales 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing     ... View more

It's just like @PickleRick said, you should never use splunk as termination point for syslog! You should setup a real syslog server to avoid this kind of issues. As said we haven't enough information yet to make any real guesses what have caused this issue. But as there is only one server which has have this issue, I start to looking it first. Also check that is it in same network segment than those other. Has it been up and running this time? Any FW changes in it. Could it have any time issue or anything else related that time has changed and fixed later? ... View more

One another comment. Don't use .../etc/system/local for (almost) anything! Create your own app and use it to store your conf files. In that way everything is working much better in long run. ... View more

Yes. If you don't have "holes" in your firewall to send data directly from the other components to Qradar, it won't work. You might try to use RULESET in props.conf on indexers instead of TRANSFORMS. ... View more

You got a lot of hints already. What have you compiled from them? ... View more

It's not that httpout is not supported for logstash, it's that logstash cannot do s2s. 😉 Yes, it is confusing but despite sharing some of the low-level mechanics, s2s over http (which is httpout) has nothing to do with "normal HEC" . ... View more

CLONE_SOURCETYPE works on all events on which it is fired regardless of the REGEX value. In other words - you cannot limit its scope. If you assign a transform with CLONE_SOURCETYPE to a sourcetype, source or host, it will clone your event without any filtering. And yes, the docs on CLONE_SOURCETYPE are a bit misleading and confusing. ... View more

The first thing would be to verify whether the scheduled searches were run in the first place. If they were and triggered alert actions, you should verify whether the emails were correctly sent (Ismo already provided links to other similar threads). Then you'll know where to start troubleshooting - if it's a Splunk issue because the mails weren't sent or if you need to search on the receiving end why they weren't delivered. ... View more

1. Normally a non-admin user should not have this capability. This is normally used for maintaining credentials which are used for third party integrations (modular inputs, custom alert actions). 2. This works for credentials managed in the official Splunk way. If - for some reason - an addon developer decided to do something "their own way" (for example - decided that for each run of an input, it will pull credentials from a github project; no, that's not a real example but nothing is forbidding an addon author from inventing anything, no matter how stupid), that will most probably not be limited by this capability. 3. Obviously if there are credentials for access stored for use in automated way, you should have additional controls implemented on the destination system mitigating risk of abuse of those credentials. Their use of course should based on the rule of least required privilege and ideally they should be limited per IP. At the very least, if there is no other way, their use in the destination system should be monitored and reviewed regularly. ... View more

Wait. You're mixing different things here. If you have very low memory usage and there are still some pages swapped out it means that you have huge chunks of process memory which has not been used for a long time (for example, a daemon which is just sleeping for most of the time and most of its code and data is never accessed). In that case it's indeed better for the OS to swap it out and use the freed memory pages for cache/buffers. One big caveat though - if at some point the process requests access to those swapped out pages the kernel will start loading them from the disk. If it's only at the price of dropping some cache pages probably noone will even notice. But if it needs to swap out some active memory pages... that might get ugly. And even with modern systems with NVMe disks (which are not that widespread yet) RAM access is way faster than disk transfer. ... View more

Hey @Dilsheer_P ,  did you find a way that worked for you?  Thanks! ... View more

[Solution] You can get the desired result by modifying transforms.conf as follows: [pan_src_user] INGEST_EVAL = src_ip=replace(_raw, ".*src_ip=([0-9.]+).*","\1"), src_user_idx=json_extract(lookup("user_ip_mapping.csv",json_object("src_ip", src_ip),json_array(src_user_idx)),"src_user")   Result: ... View more

@patelmc If the application field is a search-time extracted field it's unavailable during ingest-time processing. If you want to use it during indexing you have to first extract it as an indexed field (and can subsequently forget it so that it doesn't get indexed). Bonus points question - why extracting those indexed fields? @victor1004k Don't put settings in system/local. Put them into a separate app so they're easier to maintain. ... View more

You are absolutely correct with these words! There are pros and cons with SCP as there are also in Enterprise. And definitely there is a new way how you must to do things. Some of changes are really annoying and decrease your working performance and some of those are "Why I haven't those in onprem too" 😉 And as in any situation with Splunk, you must say It depends on which one is best for you and you must go through your use case to make correct decision. ... View more

That's true as you are sending over pure TCP which is not s2s. Those fields are part of s2s' metadata information. If you want send also those you must add those into your data stream's payload part. You can use props.conf and transforms.conf to modify that as needed. But what you are actually trying to do and why and where you try to send that data? Maybe there are some other way to get events there? I see some OTEL name here.... ... View more

I have explain this and also searchable buckets in this post https://community.splunk.com/t5/Deployment-Architecture/SF-and-RF-How-much-count-should-we-keep/m-p/580574/highlight/true#M25165. You didn't say if you have normal cluster in one site or multisite cluster have you a smart store in use If You have smart store then you must use SF=RF, otherwise it's possible that spunk try to upload your new bucket from replicate bucket which is not searchable and then it didn't work with S2. If you have multisite cluster then you will have also site replication factor and site search factor which manages  those copies over your sites. As @PickleRick already said your installation arise questions as you said that you have 9 indexers and 7 search head. I need to say that it's quite weird combination especially if those SHs are individual and not in SHC. ... View more

Thank you for all the input here. I was really getting caught up in the capture group without realizing that wasn't what I was even trying to figure out. ... View more

Just be aware - it is not an official download link (Splunk doesn't support and officially share such old products). It might stop working at any time. ... View more

Thanks for the suggestion PickleRick, I've also submitted a false positive report at https://www.clamav.net/reports/fp. ... View more

Hello @livehybrid . It works. Thanks a lot ... View more

There is most probably a better way to achieve your goal. Try to describe the logic behind what you're trying to do. Anyway,  | dedup A | table A is usually _not_ the way to go. You'd rather want to do | stats values(A) as A | mvexpand A   ... View more

See my response in your other thread. ... View more

Hi @dtsao  I'm afraid you lost me at transaction - I dont think I've seen a good usecase for transaction for a number of years, where stats would be much better. The way I would approach this is to use something like foreach to loop through your array/multival field to set a fixed field with the value you are trying to transaction against. Once you've got this you should be able to do things with stats like | stats range(_time) as timeRange, count, etc BY yourField If you're able to provide some sample data (redacted if needed) then I'd be happy to create a full query for you. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more