Hi all,  I'm trying to do something that seems pretty easy conceptually.  I'm ingesting a .txt report into Splunk and I want to set the MetaData Host to the system that the report was generated from, not the host that Splunk is getting the log from. The problem is, every path I take, creates a different issue that I can't (or really don't want to) deal with.  I've looked through all the docs, and i'm either missing something, misconfiguring something, or it's not possible. From what I understand, there are only a couple ways to perform a host overwrite: 1) Specify a regex path in the inputs.conf stanza to extract the host from the source path, which could be either a folder or the filename; but is the "source" path nonetheless.  2) Specify a regex for the props.conf and transforms.conf, which overwrites the "host" metadata based on the hostname inside the log. 3) Force a specific hostname string through the configuration files, but then this would be a static hostname for the source or sourcetype.   I've gotten all of these solutions to work individually, but each one creates a separate issue which prevents me from using it: 1) Works well, but I end up with hundreds of "source" file paths inside Splunk, which eventually just makes everything cluttered when looking through the datasets, and confuses end-users. I can get around this issue by declaring a "source = <source>" in the inputs.conf, but then that changes the metadata that Splunk uses to regex extract the hostname from.  So instead of getting the hostname from "source::c:\\logs\\client1.txt" it tries to regex the host from "source::<source_name>", which of course it will never find. So it seems like for #1, I either have to deal with a ton of file paths inside Splunk, OR a working host regex extractions. 2) This also seems to work, but brings another issue.  The reports i'm ingesting are pretty large, so I have setup a custom LINE_BREAKER value.  I can successfully extract the hostname from inside the report using props and transforms, but for reasons I can't figure out, the hostname doesn't carry to the rest of the events as it is line broken.  So the first part of the txt file gets the correct host metadata (hostname is in first line of txt), but any line broken event after that, the regex fails and it defaults to the hostname of the system the log resides on.  This really seems to baffle me, because for the time settings, if it can't extract the time in subsequent line_breaks, then it will copy the field from the previous.  So the correct time metadata gets applied to all the events.  But it doesn't do that for the host.  And why would it not apply the host metadata to all event lines as it gets line broken, because Splunk should know, as it's ingesting, that this is all coming from the same "event"? 3) Works, but is not really an option because the reports come from different hosts, and this would just create erroneous data.   Transforms.conf: [SET_HOST_NAME] DEST_KEY = MetaData:Host REGEX = \,HostName\:(.\S[^,]+) FORMAT = host::$1 DEFAULT_VALUE = bonkers   Props.conf: [SCC_Report] TRANSFORMS-H1 = SET_HOST_NAME TIME_PREFIX = SessionID: TIME_FORMAT = %Y-%m-%d_%H%M%S LINE_BREAKER = (\s\s)Title.*\:\sV\- SEDCMD-remove_fluff = s/([\s]+?Weight[\s\Sa-zA-Z0-9~@#$^*()_+=[\]{}|\\,.?:]*?---------------)/\n\n<REDACTED DURING INGESTION>\n/g SHOULD_LINEMERGE = false category = Custom disabled = false   Fields.conf: [H1] INDEXED=true Any help is appreciated.  I can't tell if i'm trying to get Splunk to do something it can't do, or if i'm just going about it the wrong way. Preferred end-state is: 1) ingest *.txt Report 2) Set both "source" and "sourcetype" to something static (prevent a collection of filenames inside sources and sourcetypes) 3) Set the host metadata for all events created from that single txt report to be the host that is in the first line of the report. ... View more

Hi,  I'm running index-time field extractions for a large TXT report.  For this particular regex searches, I'm searching and capturing 3 fields, and then using the repeat_match = true flag to crawl the rest of the TXT file. My goal is to extract data, but also somehow keep the sets of data extracted together but separate from the next set of regex captures.  For example: repeat 0 regex: Title, CCI, FixText repeat 1 regex: Title, CCI, FixText repeat 2 regex: Title, CCI, FixText But I need to keep the repeat0 fields connected somehow, repeat1 fields connected somehow, and repeat2 fields connected somehow; but also separate the repeat0 set from the repeat1 set. In this example, I want to ensure that Title for repeat 0 doesn't end up being attached to the CCI in repeat 1.   In my current rendition, I get all the data I need, but they are inside giant fields, where "CCI" might contain 100 items, and "FixText" might contain 100 items.  But I can't seem to figure out how to divide/expand them so that i can ensure that each group has the correct correlated information. The "FixText" field could include 1 line or many lines, so I can't separate those from one another easily after the get grouped.   I would like to note, that I'm ok with expanding these at search time as opposed to index time, but i'm thinking it might be easier reference the fields if they get separated at index time? Maybe I could add a pipe or something to the end of each capture, and then use a delimiter to expand the fields? Any help is appreciated. Thank you   Transforms: [SCAP_FAIL_INFO] REGEX = Title\s+\:\s(?<scap_fail_title>V.+)[\s\S]+?NIST\sSP\s800\-53\sRev\s4\:\s(?<scap_cci>.+);[\s\S]+?Fix\sText\s+(?<scap_fix_text>[\S\s]*?)?\nSeverity LOOKAHEAD = 600000 REPEAT_MATCH = true WRITE_META = true     ... View more

Hey All,    I'm really struggling here.  I'm trying to get a universal forwarder to pull in txt logs, and edit the "host" field based on the filename/file path. Example file path: C:\SCAP_SCANS\Sessions\2023-02-04_1200\SERVER-test_SCC-5.7_2023-02-04_111238_Non-Compliance_MS_Windows_10_STIG-2.7.1.txt   Inputs.conf stanza: [monitor://C:\SCAP_SCANS\Sessions] disabled = false ignoreOlderThan = 90d host_regex = [^\\\]+(?=_SCC) SHOULD_LINEMERGE = true MAX_EVENTS = 500000 index = main source = SCC_SCAP_TXT sourcetype = SCC_SCAP_TXT whitelist = (Non-Compliance).*\.(txt)   Tried a few different regex's.  Checked btool to make sure there aren't any configs overwriting settings.  Tried with and without transforms and props files.  Verified regex works using the path and a makeresults query. Anyone have any suggestions? ... View more

I've been trying to find an answer to this, and it seems like it's supposed to work. So I'm not sure if I have a misconfiguration or if I'm doing something wrong. I have a deployment server setup to deploy 1 or 2 apps.  If I go to a machine that has the deployment server configured, and has had the configured app installed (Through the deployment server), and I delete configuration files, etc; the files never get replaced by the deployment server. It will replace files if i delete the entire app folder... but not individual files.   Would anyone have any clues on why this is happening? I have tried the "reload deploy-server" command but it didn't seem to do anything.  Am I being unrealistic to assume individual files would also be checked against the deployment server app?  I want to ensure that inputs, outputs, etc are uniform. And if some were to get deleted or changed, I would need the change to get pushed; for example if someone went in and deleted conf files intentionally or accidently. ... View more

Hi all, I'm trying to create a blacklist for an event after checking 2 different fields on different lines. I can get them filtered individually, but without an "AND" operator, like OR has "|", I'm struggling.     Sample Event     An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: SYSTEM Account Name: COMPUTER$ Account Domain: XXXX.NET Logon ID: 0x6C6C65F09 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {970e0bf8-ccc7-18fd-7be9-d5efe2ab8b22} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0       So what I'm trying to do is filter on Logon Type=3 AND Account Name: xxx$   I have tried stuff that works on regex101, etc.  And it will work there, but Splunk doesn't seem to recognize it.     (?=.*?(Logon\sType:[\s]*3))(?=.*?(Account\sName:[\s]*.*\$))     Any help is appreciated   ... View more

Hi Everyone.  I'm expanding my blacklist and i'm having issues with a seemingly simple blacklist line. Here is my current blacklist: blacklist1 = EventCode="4688" Message="%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited" blacklist2 = EventCode="4673|4674|5447|4656|4658|4664|4690|5379|4627" blacklist3 = EventCode="4663|4660|4702|4762|4672|4799|4798|4670" Message="Security\sID:\s+NT\sAUTHORITY\SSYSTEM" blacklist4 = Eventcode="4624" Message="Logon\sType:\s\t5"   So everything seems to work as expected for #1-3.   But when adding blacklist4, the forwarder doesn't seem to filter the event.  Searching in Splunk with the exact same regex is pulling up all the events I want to filter.  And the syntax seems to be exactly like blacklist3 that is working as intended.  Does anyone have any suggestions? Thanks ... View more

Hi All,    I'm tweaking my inputs.conf file to exclude some events for the Windows Security log. I'm filtering EventCode 4688, by message.  For compatibility reasons, I want to use the same inputs.conf file for all windows machines.  But Windows 11 has tweaked a couple event logs, and one of those is 4688. For Windows 10 and below the following blacklist is working as expected: blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*%%1937)" This filters everything except %%1937. But this won't work for Windows 11, because they have changed the Token Elevation Type to "TokenElevationTypeFull" for the previously "%%1937".  Therefore if a windows10 inputs.conf file ends up on a windows 11, it blacklists all the 4688 logs. So simply, I would like to add the 2 lines together on a single line, so that if either TokenElevationType is found, it goes through.  But the "|" operator doesn't seem to be working, or I'm not doing the correct syntax. blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*%%1937)" blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*TokenElevationTypeFull)"   Can anyone help marry these 2 checks with an OR operator?   Thank you ... View more

Hi all, I'm a Splunk beginner and I'm having a hard time getting this particular search down. My objective is to get the "Account_Name" field from 2 different event codes (4624 type 10 & 4778).  This issue is I can't figure out how to get both the 2nd instance of Account_Name for only the 4624, but the first instance of it in the 4778.  This is because windows uses the Account_Name field twice in a lot of logs, but not in some.  So I need the first Account_Name in 4778, and the second Account_Name in 4624. Here is what I have so far.  Having trouble putting in that middle piece. index=main source="WinEventLog:Security" ("eventcode=4624" AND Logon_Type=10) | eval Acct=mvindex(Account_Name,1) ***Also find "eventcode=4778" Account_Name**** | rename Acct as "Account Used on Remote Machine" | rename Client_Name as "Source Machine" | rename ComputerName as "Destination Machine" | timechart count by "Account Used on Remote Machine"   ... View more