Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About jo54
jo54
Explorer
Member since:
08-04-2021
04-14-2025
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 08-04-2021 |
Activity Feed
- Karma Re: Heavy Forward parses local file but does not forward it towards indexer. Index is already created on Indexers. for isoutamo. 07-30-2024 03:17 PM
- Posted Comparing differences in the same field depending on the row grouping field on Splunk Search. 04-15-2024 05:27 AM
- Posted Re: Heavy Forward parses local file but does not forward it towards indexer. Index is already created on Indexers. on Getting Data In. 09-19-2022 07:02 AM
- Posted Re: Heavy Forward parses local file but does not forward it towards indexer. Index is already created on Indexers. on Getting Data In. 09-19-2022 03:45 AM
- Posted Heavy Forward parses local file but does not forward it towards indexer. Index is already created on Indexers. on Getting Data In. 09-19-2022 03:14 AM
- Tagged Heavy Forward parses local file but does not forward it towards indexer. Index is already created on Indexers. on Getting Data In. 09-19-2022 03:14 AM
- Tagged Heavy Forward parses local file but does not forward it towards indexer. Index is already created on Indexers. on Getting Data In. 09-19-2022 03:14 AM
- Tagged Heavy Forward parses local file but does not forward it towards indexer. Index is already created on Indexers. on Getting Data In. 09-19-2022 03:14 AM
- Tagged Heavy Forward parses local file but does not forward it towards indexer. Index is already created on Indexers. on Getting Data In. 09-19-2022 03:14 AM
- Tagged Heavy Forward parses local file but does not forward it towards indexer. Index is already created on Indexers. on Getting Data In. 09-19-2022 03:14 AM
- Posted Re: Add on for Symantec Endpoint Security (Cloud based- API integration required) on All Apps and Add-ons. 07-22-2022 06:39 AM
- Posted Re: Do sourcetypes and indexes created in a Heavy Forwader replicate onto Indexers and Search Heads? on Getting Data In. 07-22-2022 05:01 AM
- Tagged Do sourcetypes and indexes created in a Heavy Forwader replicate onto Indexers and Search Heads? on Getting Data In. 07-21-2022 06:34 AM
- Tagged Do sourcetypes and indexes created in a Heavy Forwader replicate onto Indexers and Search Heads? on Getting Data In. 07-21-2022 06:34 AM
- Posted Do sourcetypes and indexes created in a Heavy Forwader replicate onto Indexers and Search Heads? on Getting Data In. 07-21-2022 06:33 AM
- Tagged Do sourcetypes and indexes created in a Heavy Forwader replicate onto Indexers and Search Heads? on Getting Data In. 07-21-2022 06:33 AM
- Tagged Do sourcetypes and indexes created in a Heavy Forwader replicate onto Indexers and Search Heads? on Getting Data In. 07-21-2022 06:33 AM
- Posted Adapt the information in my logs to the CIM model so that the data models work on Splunk Enterprise Security. 08-04-2021 01:11 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-15-2024
05:27 AM
I'll try to explain it with a basic example. As an output of a stats command I have: detection query search1 google.com yahoo.com search2 google.com bing.com I want to get which queries are not being detected by both search1 and search 2. Or else, getting rid of the queries that are in both searches, either way work. Like ok, search1 is detecting yahoo.com whereas search2 isn't, and viceversa with bing.com I thought about grouping by query instead of by search, the problem is I have dozens or even hundreds of queries. Any thoughts? Cheers
... View more
09-19-2022
07:02 AM
The source is a file on HF, where it have been parsed. My goal is to sent those parsed events to an index, located in the indexers. I believe that you mean creating the same index locally in the HF. Correct me if wrong, but that would store the data locally on HF rather than sending it over the indexers
... View more
09-19-2022
03:45 AM
Hi, Thanks for your answer. Yes, sorry, I'll try to make it more straight forward. I think the first question should be: - What index should I choose in the "Add data" menu of the HF -the screenshot- ? The index "test" is not appearing there even is created on indexers. By the way, also happens with other indexes.
... View more
09-19-2022
03:14 AM
We have a sample local ".txt" file to analyse some logs stored locally in the Heavy Forwarder, in its /tmp/ folder. For this purpose, a sourcetype has been configured in the Heavy Forwarder to parse the log as we wish. All this was set up from the web interface. Back in the day, we were wrong and created the index in the Heavy Forwarder to assign it from the "Input Settings" of the "Add Data" menu. But then we discovered that this should not be done this way. So, we created the index with name "test" in our cluster master and it was replicated correctly to the two peers indexers. The index is now created but with no information. And it does not appear in the Search Head. Unfortunately, when assigning the index where it should be saved from the menu Add Data of the Heavy Forwarder, the index "test" that is created in the Indexers does not appear. In addition, even when the index was created in both indexers and Heavy Forwaders the events wouldn't get to the indexers after selecting the "test" index. In that case it did appear on HF menu I guess because it was created locally there.
... View more
Labels
- Labels:
-
heavy forwarder
-
index
-
indexer
-
inputs.conf
07-22-2022
06:39 AM
Hi, I dealt with the identical issue. The only viable solution is to call an API. Or purchase Symantec's log parser exchange with a syslog output for SIEMS. This is purposely done. You can do so by following these steps: https://apidocs.securitycloud.symantec.com/#/doc?id=ses auth Generate an OAuth Key from the Symantec console in order to generate a bearer token with an expiration time for API calls. You have multiple alternatives, including Export Events and Export Stream Events, among others. The "Heavy Forwarder" server was what I used to execute these orders. The data can then be saved in a text file and parsed as desired. You can also design the Add-On yourself, but then you're responsible for its maintenance and updates... so it's not worth it.
... View more
07-22-2022
05:01 AM
Thanks a lot. I will definitely try this. I guess this can result in a rolling-restart scenario. Would the sourcetype be also synchronised?
... View more
07-21-2022
06:33 AM
In my HF, I parsed an example log from a local file and stored the parsing as a sourcetype. Then, I created an index for the events storage. However, I cannot locate this in the Search Head after searching for it. I am uncertain as to whether or not the index exists in the indexer. There are two HFs, two Indexers, two Search Heads, and one Cluster Master/Deployment Server/ License Manager. The outputs.conf should be properly set, as more integrations are already operational.
... View more
Labels
08-04-2021
01:11 AM
For example, one field of the email data model is "recipient" and it comes from the tag=email. However, my email information comes from the Microsoft O365 integration, where the recipient information is given in a field called "ExchangeDetails.Recipients{}". As far as I have been able to understand, I have to modify the "email" tag, in "Event Types" to look in "index=o365 Workload=Exchange" for email related logs. And after that, I have to create an alias so that "ExchangeDetails.Recipients{}" is equivalent to "recipient" as indicated in the data model. Is that correct? Thank you for your assistance
... View more
Labels
