Hi Splunkers,   My team is tackling an ingestion issue where we are seeing an overworked HF and I wanted to get the community's best practice on this type of problem.   My team is bringing in Crowdstrike FDR logs via Crowdstrike add-on (Python Script API query) on our heavy forwarder. If we were to not filter, it would bring in 20+TB a day of logs, so we filter pretty heavily. Currently, our approach is to send everything to nullQueue and then pick events via Regex and send them to the indexQueue. We are seeing typingQueue blocks on this heavy forwarder which makes me think the approach may not be the best route. I think that the regex being performed in the pipeline may be overworking the HF. Any advice would be great! Our props for the sourcetype:   [CrowdStrike:Replicator:Data:JSON] INDEXED_EXTRACTIONS = JSON MAX_TIMESTAMP_LOOKAHEAD = 1024 TIME_FORMAT = %s%3N TZ=UTC TIME_PREFIX=\"timestamp\":\" LINE_BREAKER = ([\r\n]+) SHOULD_LINEMERGE = false BREAK_ONLY_BEFORE_DATE = false TRUNCATE = 150000 TRANSFORMS-setcsfdr= csfdr_log_setnull,csfdr_log_setparsing,csfdr_log_setfilter,csfdr_log_setfilter2   TRANSFORMS:   [csfdr_log_setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [csfdr_log_setparsing] REGEX = (?:"event_simpleName":".*Written"|"event_simpleName":"DnsRequest"|"event_simpleName":"NetworkConnectIP4"|"event_simpleName":"OciContainerInfo"|"event_simpleName":"ProcessRollup2"|"event_simpleName":"UserLogon.*"|"event_simpleName":"RemovableMediaVolumeMounted"|"event_simpleName":"FsVolumeUnmounted"|"event_simpleName":"FsVolumeMounted"|"event_simpleName":"SyntheticProcessRollup2"|"event_simpleName":"DmpFileWritten"|"event_simpleName":"OsVersionInfo") DEST_KEY = queue FORMAT = indexQueue [csfdr_log_setfilter] REGEX = (?:("ParentBaseFileName":("TPython\.exe"|"TANIUMCLIENT\.EXE"|"[Tt]anium[Cc]lient\.exe"|"[Tt]anium[Ee]xec[Ww]rapper\.exe"|"[Tt]anium[Cc]lient"|"[Ss]plunkd\.exe"))|("CommandLine":"\/bin(\/bash|\/sh)\s\/opt\/[Tt]anium\/[Tt]anium[Cc]lient)|("CommandLine":".*[Tt][Pp]ython\.exe\\")|("CommandLine":".*[Tt]anium.*")|("GrandParentBaseFileName":"[Tt]anium[Cc]lient\.exe")) DEST_KEY = queue FORMAT = nullQueue [csfdr_log_setfilter2] REGEX = (?:([Tt][Aa][Nn][Ii][Uu][Mm])) DEST_KEY = queue FORMAT = nullQueue ########NLSN ... View more

Hi Splunk folks,   My team is seeing a pesky issue with Palo Alto logs where a small subset are not being sourcetyped into pan:traffic/threat, etc. As the pan:log is the default, we have a few logs that keep this sourcetype. We have attempted to regex and nullQueue out the remainder of the pan:log logs, but no success. When we implement this TRANSFORMS/Props.conf entry, we place it at the end as we understood the order followed a left to right priority. Example of a log that is being sourcetyped as "pan:log", and we would want to drop. It seems as if this is fragmented from Syslog, but nonetheless, junk to us.   000-1823048e98,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2021-11-10T10:04:03.905+00:00,,,infrastructure,networking,network-protocol,3,"used-by-malware,has-known-vulnerability,pervasive-use",,dns,no,no,0   Palo Alto props.conf: [pan_log] pulldown_type = false SHOULD_LINEMERGE = false TIME_PREFIX = ^(?:[^,]*,){5} MAX_TIMESTAMP_LOOKAHEAD = 100 TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_correlation, pan_userid, pan_globalprotect, pan_decryption   We added a new nullQueue entry into the transforms.conf and then inserted the pan_discard after the last entry in the transforms above. [pan_discard] REGEX = . DEST_KEY = queue FORMAT = nullQueue   Any suggestions? ... View more