@pwoehl Did this worked? Just curious if its resolved and if you found the solution. ... View more

1. This is a 5-year-old thread. Post your question as a new thread to give it visibility. 2. Be a bit more descriptive. I suspect I know what you mean but it's nice to be sure that all parties are on the same page. ... View more

1. This is a very old thread. Starting a new one would give you more visibility. 2. Well, not every type of input supports this parameter so I'm not sure if specifying it here is syntactically correct. Try and see (with btool check) ... View more

1. This is a very old thread. You have a new problem, possibly only partially (if at all) connected to the original question. Please create a new thread describing your goal and what you tried so far. 2. Speaking of "what you tried so far" - have you checked the docs? Have you tried doing anything on your own yet? ... View more

Do you know what is the frequency of arriving umbrella dns logs into s3 bucket? ... View more

Hi, Anyone figured out the way to integrate please?  ... View more

There is no need to rename buckets in this case. ... View more

Any idea? how to hide in studio dashboard? ... View more

And even back to single-site https://docs.splunk.com/Documentation/Splunk/9.1.2/Indexer/Converttosinglesite.   ... View more

https://www.cisco.com/c/en/us/td/docs/security/firesight/540/api/estreamer/EventStreamerIntegrationGuide/IS-DCRecords.html maybe this helps? I am not really familiar with estreamer in details. What I understood from a splunk perspective is that, rec_type is the main identifier for the firewall events. The TA also use it to break the events. In the python script you are able to filter out rec_types and fields, based on rec_types. David ... View more

Hi, please specify what to insert in Transforms.conf ... View more

@harsmarvania57  I'm also having same problem. I'm doing it in HF. Note: My logs has headers. Does it causes the problem though? Props: [sourcetype::aws:cloudwatchlogs:vpcflow] TRANSFORMS-vpc = vpc_flowcustom Transforms: [vpc_flowcustom] REGEX = ^\s*(?P<account_id>[^\s]+)\s+(?P<version>[^\s]+)\s+(?P<interface_id>[^\s]+)\s+(?P<src_ip>[^\s]+)\s+(?P<dest_ip>[^\s]+)\s+(?P<src_port>[^\s]+)\s+(?P<dest_port>[^\s]+)\s+(?P<protocol_code>[^\s]+)\s+(?P<packets>[^\s]+)\s+(?P<bytes>[^\s]+)\s+(?P<start_time>[^\s]+)\s+(?P<action>[^\s]+)\s+(?P<end_time>[^\s]+)\s+(?P<log_status>[^\s]+)\s+(?P<vpc_id>[^\s]+)\s+(?P<subnet_id>[^\s]+)\s+(?P<instance_id>[^\s]+)\s+(?P<tcp_flags>[^\s]+)\s+(?P<type>[^\s]+)\s+(?P<pkt_srcaddr>[^\s]+)\s+(?P<vpc_region>[^\s]+)\s+(?P<pkt_dstaddr>[^\s]+)\s+(?P<az_id>[^\s]+)\s+(?P<sublocation_type>[^\s]+)\s+(?P<sublocation_id>[^\s]+)\s+(?P<flow_direction>[^\s]+)\s+(?P<traffic_path>[^\s]+)\s+(?P<pkt_src_aws_service>[^\s]+)\s+(?P<pkt_dst_aws_service>[^\s]+) WRITE_META = true ... View more