cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
MasteringIT
Explorer
Member since: ‎01-24-2022
‎02-01-2022
Community Statistics
Posts 6
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎01-24-2022
Activity Feed
View All

Re: forward index to new index

by in Getting Data In
‎02-01-2022 08:25 AM
‎02-01-2022 08:25 AM
Talking to my Cyber team, they would like the first option more.  I apologize for my ignorance, I have only been working on Splunk for the last month, how would I go about importing the raw data through my Heavy Forwarder? Most of the events I am parsing through are various Linux logs or Windows Event logs.  ... View more

forward index to new index

by in Getting Data In
‎02-01-2022 07:19 AM
‎02-01-2022 07:19 AM
I inherited an old splunk environment where all data was indexed into the main index. I have setup a new environment with multiple indexes and some parsing rules on a heavy forwarder (These configs work perfectly with the universal forwarders I have deployed).  How would I forward the data from the original main index, into the heavy forwarder for redistribution into the new indexes? ... View more
Labels

Re: Configuration Validation: Routing and Forwardi...

by in Getting Data In
‎01-26-2022 08:02 AM
‎01-26-2022 08:02 AM
Based upon your config, I went and troubleshot a little further. It looks like my issue is actually related to the setNull stanza in transforms.conf. I moved setNull to the end of the transform list in props.conf, and now events are routing properly, but there is no filtering happening (Event codes I specified and event codes I didnt specify are being routed). To troubleshoot why this happened, I went to my indexer, and tried separating EventCodes into separate indexes using the same REGEX as above, while keeping setNull to the end of my list. In doing so, the data was going to the proper index, but if it didnt meet any of the Event Code criteria, it got dumped into the main index, even though I have the setNull stanza in place. This behavior only applied while setNull was at the end of the props.conf transform list. (it is still the first entry in transforms.conf). This changes to not indexing any events at all once setNull is moved to the beginning of the transform list.  Upon reviewing the splunk documentation (specifically Route and Filter Data), I noticed there is never a mix of DEST_KEY in any props.conf stanza transform lists.  So, the question now is: Can I only specify one type of DEST_KEY in transforms.conf per stanza in props.conf? If so, what is the suggested way around this limitation? ... View more

Re: Configuration Validation: Routing and Forwardi...

by in Getting Data In
‎01-25-2022 06:48 AM
‎01-25-2022 06:48 AM
As of right now, I'm not. Once I prove that Splunk is capable of separating the "Critical" logs, I will add an additional tcpout stanza pointing to my syslog server, as well as replacing the current setnull transform to go to the syslog server. In this case, I'm trying to limit the complexities of troubleshooting, by validating and verifying the configuration in stages. There isn't much point in building the full configuration until this portion is working.  Also, updated my REGEX expression to the following, with no changes to the current behavior: REGEX = ^EventCode\=(EventCode1|EventCode2|EventCode3) ... View more

Re: Configuration Validation: Routing and Forwardi...

by in Getting Data In
‎01-25-2022 06:14 AM
‎01-25-2022 06:14 AM
I will give escaping the equals a shot.  Regarding the Universal Forwarders, its due to a mandate by our cyber team, that we must maintain a record of each and every log, and can not dispose of any. This is for the "Critical" logs that they want to review daily, whereas all other logs are going to get forwarded to our syslog server by this heavy forwarder. I didn't want to continue setting up additional features, until I could prove this worked. ... View more

Configuration Validation: Routing and Forwarding

by in Getting Data In
‎01-24-2022 09:17 AM
‎01-24-2022 09:17 AM
I am building a new Splunk environment, and due to the number of clients we have, we are building a simple distributed environment that consists of 1 Heavy Forwarder, universal forwarders all pointing to the Heavy Forwarder, and 1 indexer. I would like the heavy forwarder to only forward certain events on to the indexer. Based upon my research (Route and Filter Data ) I have built the below configurations. outputs.conf [tcpout] indexAndForward = 1 [tcpout:indexerGroup] server = <ip address>:9997 props.conf [default] TRANSFORMS-allNull = setnull [WinEventLog:Security] TRANSFORMS-WinEventLog=setNull,SendToUserAccountIndex,SendToGroupAccountIndex transforms.conf [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [SendToUserAccountIndex] REGEX = ^EventCode=(4720|4722|4725|4738) DEST_KEY = _TCP_ROUTING FORMAT = indexerGroup [SendToGroupAccountIndex] REGEX = ^EventCode=(4727|4730|4728) DEST_KEY = _TCP_ROUTING FORMAT = indexerGroup   Unfortunately, even though the specified events are showing in my Windows Event Logs, and the universal forwarder is forwarding the events properly, the events are not showing in the locally indexed items of forwarded items. It is also not showing on the destination server. If I remove the default stanza from props.conf every event populates, including those events that do not meet the criteria listed above. Based upon this, I believe there is an issue with my source types.  My environment is Splunk Enterprise Version 8.0.3 and and installed on Windows Server 2016.  ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-01-2022 12:21 PM
Karma given to
View All