Good Morning, I’m looking for the specification of the S2S protocol. We have some trouble with getting splunk uf data through a Palo Alto Firewall.  the firewall has a Application Profile Engine. So it not just looks at layer 4 for IP/Port and Protocol but also certain Aspekts of the packet like headers…. There is no predefined profile for splunk S2S so we need to create it, but I can‘t find the docs for Protocol definition.  We are aware of the fact that it is possible to bypass this App engine and do a layer 4 filtering. But it would be the only application in the company to do that and the fact that it would be for a Internet facing service and a security service seams  off. 🫣 We where adviced to use S2S over HEC for Stability reasons if it does not work out we have to switch but for now we want to try make it work.  ... View more

Hi Splunkers, I try to get a new internal field "_application" added to certain events. So i added a new field via the _meta to the inputs.conf on the forwarder.     [script:///opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/df_metric.sh] sourcetype = df_metric source = df interval = 300 disabled = 0 index = server_nixeventlog _meta = _application::<application_name>     I also added a new stanza to the fields.conf     [_application] INDEXED = false #* Set to "true" if the field is created at index time. #* Set to "false" for fields extracted at search time. This accounts for the # majority of fields. INDEXED_VALUE = false #* Set to "true" if the value is in the raw text of the event. #* Set to "false" if the value is not in the raw text of the event#.     The fields.conf is deployed to indexer and SH. But i still do not see the event. I tried searching for "_application::<application_name>" "_application=<application_name>" _application::* _application=* Nothing....  Can somebody explain to me where is the Problem?     ... View more

Gooood Morning 🙂 I need some advice, we have several sources of Information about our Company assets, i know not ideal but better then dont know any. So i wrote a script thats collects everything from these Asset sources and writes the Info to a big KV Store. (1.5GB) on the Splunk-ES SH. The script does that every 6h.  No i want to add these Info to the Splunk ES Asset- und Identitäts-Management. How do i aliase a kvstore field name so its CIM compliance with the required fieldnames as stated here. https://docs.splunk.com/ ? I thought about fieldaliases in a props.conf as per normal datasources. But im not sure to use the collection name as a source in the stanza?        [source::ipam_assets_collection] FIELDALIAS-asset_ip = Address AS ip         Is there a better way? ... View more

Hello Splunkys  i Face some challanges right now. We run a Splunk Installation with about 50 Active Users with 10Different Roles. Now we have the need for allowing them to send them selfs alert Messages via EMAIL. First Problem:  According to to the Docs its not possible to send a email if your not a Admin and the SMTP server needs authentication.  Secound Problem, you can not set up per role or per user sender info only system wide via GUI.   I found out that you can supply username= and Password= parameters via SPL search but this do not apply to alerts. And the Creds then show up in plaintext in the logs.  I found that you can supply creds via alert_action.conf file per app. But then the creds would show up in the git_repo where we version our apps.    Some .conf files honor ENV variables but i did not find if alert_action.conf would do so? And then they would be still accessable by CLI.   Can it be so hard for Splunk to implement something so basic as per User email sending?   Has somebody accived something similar ?    ... View more