Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About BoscoBaracus
BoscoBaracus
Engager
Member since:
03-23-2022
07-17-2025
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 03-23-2022 |
Activity Feed
- Posted Re: Configure heavy forwarder to forward data to specific index on indexer cluster. on Getting Data In. 07-17-2025 02:01 AM
- Posted Re: Configure heavy forwarder to forward data to specific index on indexer cluster. on Getting Data In. 07-17-2025 02:00 AM
- Posted Re: Configure heavy forwarder to forward data to specific index on indexer cluster. on Getting Data In. 07-17-2025 01:57 AM
- Posted Re: Configure heavy forwarder to forward data to specific index on indexer cluster. on Getting Data In. 07-17-2025 01:29 AM
- Posted Configure heavy forwarder to forward data to specific index on indexer cluster. on Getting Data In. 07-17-2025 12:46 AM
- Posted Re: Dynamic eval mvindex. on Splunk Search. 09-30-2024 01:52 AM
- Posted Re: Dynamic eval mvindex. on Splunk Search. 09-27-2024 01:51 AM
- Posted Dynamic eval mvindex. on Splunk Search. 09-26-2024 11:25 PM
- Posted Re: Extracting sub fields or sub string in multiline log. on Splunk Search. 11-01-2023 11:34 PM
- Posted Extracting sub fields or sub string in multiline log. on Splunk Search. 10-31-2023 01:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
07-17-2025
02:01 AM
Good morning gcusello, Aha, makes sense. Will try to move the HF to a deployment server then:-) Much appreciated. Kind Regards, Mike.
... View more
07-17-2025
02:00 AM
Good morning livehybrid, Thank you very much for your suggestion. This sounds exactly something I was looking for. Could you please point me in the right direction on how to create such index definition? Will also try to research on the subject. Again, much appreciated. Kind Regards, Mike.
... View more
07-17-2025
01:57 AM
Good morning gcusello, Again, many thanks for your response and suggestion. Not sure why we have to install rsyslog to receive data locally on the HF and then monitor the ingress into a file just to forward to indexer group. SPLUNK has built in tons of data inputs options which should easily accommodate this. I can do this on Windoze server in about 5 mins using UF. Not sure why it is so difficult to forward data to dedicated index residing on remote indexer directly from HF. Will keep on digging. Again, many thanks for your time and suggestions. Kidn Regards, Mike.
... View more
07-17-2025
01:29 AM
Good morning gcusello, Many thanks for your prompt response. I'm not sure if I was unclear, but I do not understand your suggestion. We do not have any combined roles. Our indexer cluster (three indexers) are managed by dedicated, separate SPLUNK management node. Heavy forwarder is a separate, standalone SPLUNK HF managed by the management console. We also have separate search heads. All according to good practices as far as I'm concerned. I already have few applications installed on the HF which correctly forward data to the index group to specific indexes. I know how to configure inputs.conf for a particular application to forward to indexer group and specific index. My question is: how can I configure receiving port under Data Inputs (TCP or UDP) to forward to indexer group to a specific index. I may have several, different sources (SYSLOG etc) which I want to forward to indexer group into separate, dedicated indexes. I don't want to mix data from different data sources into the same index. I hope that clarifies things a bit. Kind Regards, Mike.
... View more
07-17-2025
12:46 AM
Good morning All, I have been trying to figure out how can I create a data input on a heavy forwarder to forward data to a specific index located on indexer cluster. I have three indexers organised in a cluster. The indexers and heavy forwarder are managed by management node. I have used Windows Universal forwarder to forward events to a particular index to indexers group (cluster) but I'm struggling to find a way of configuring similar thing on Linux based HF. Basically, what I'm trying to achieve is to configure SYSLOG port (this will be custom port, let's say 1514) to receive SYSLOG data from particular SYSLOG host and forward it to custom index created on indexers group (cluster). When adding a port in Data Inputs, I can specify local index, but not remote, clustered index. On the HF in Data Forwarding section, I can see All are forwarded to the indexer cluster. Would anyone know how I can achieve this? Any help would be much appreciated. Kind Regards, Mike.
... View more
Labels
- Labels:
-
heavy forwarder
09-30-2024
01:52 AM
Good morning ITWhisperer, Many thanks for the suggestion. This might actually work. I could first evaluate number of fields and then use mvindex. Will try that. Again, many thank. Kind Regards, Mike.
... View more
09-27-2024
01:51 AM
Good morning ITWhisperer, Thank you very much for the prompt response. The example I provided was for description purposes. The question is generally about using eval mvindex where number of fields (with the same name) changes depending on some circumstances. For simplicity, lets presume we have some logs with "Action" field. The Action field may appear several times in a log, having different values. We do not know exactly how many Action fields we have in a particular event. As I said, it could be one, two three or even 10. That's the challenge. I need to be able to operate on those fileds, but each of them will represent differnt step: Event 1: Action: scan Action: forward-sandbox Action: Release Action: Relay Event2: Action: scan Action: Release Action: Relay Event3: Action: scan Action: Reject In the example above, we have events containing Action fields. However, depending on the actions taken, number of those fields will vary. Therefore, it is difficult for me to use mvindex. I know how to use mvindex where number of fields with the same name or multivalued fields is known. In our case, we do not know how many occurences of Action we have in a given event. I hope this makes sense? Kind Regards, Mike.
... View more
09-26-2024
11:25 PM
Good morning fellow splunkers. I have a challenge and was wondering if anyone could help me. In some logs with multiple fields with the same label, we use eval mvindex to assign different label for those fields. For example, In a log, we have two fields labelled "Account Name", first one corresponding to computer account and second to user account. We use mvindex to assign labels appropriately. This works well for a known number of fields. Now, we also have logs, with groups of fields: action, module and rule: action: quarantine module: access rule: verified action: execute module: access rule: verified action: continue module: access rule: verified action: reject isFinal: true module: pdr rule: reject I would like to use mvindex to label those so I can use those fileds more easily. In the example above, we have four groups of those fileds, thefore I wold have: action1, action2 etc (same for module and rule). However, the number of groups changes. It could be one, two, three or more. Is there any way to use mvindex dynamically somehow? I imagine, we would have to first evaluate number of those fields (or group of fields) and then use mvindex to assign different labels? Unless there is a different way to achieve our goal. Many thnaks in advance for any advise. Kind Regards, Mike.
... View more
Labels
- Labels:
-
eval
11-01-2023
11:34 PM
Good morning yuanliu, Thank you very much for such detailed response. I will go through the proposed solutions and let you know how this worked for us. As to the format of the log, this is a standard Windows Active Direcotry log. There is no way we can change the format. Many other Windows / AD logs will have similar structure. Not much we can do about this. Again, thank you for your answer. Kind Regards, Mike.
... View more
10-31-2023
01:55 AM
Good mornign All, I have several logs with fields which have sibfield. I would like to be able to extract the subfield and append it to the parent. The example should clarify my query. I have a log of user modifications. The log would look something like that: Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 9/12/2023 7:30:15 AM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - I would like to be able to create a table which will have a column which will include the "parent" field: Changed Attributes as well as the child field, for example: CHanged Attributes: Password Last Set. Altenatively, I would also settle for a table with statically assigned column, lets call it changed data and a sa value have: Password Last Set: 9/12/2023 7:30:15 AM Another challenge I have (probably candidate for another question on the forum) is to add the value to a table column, only if it has value other than "-" to the right of it. The reason is that only one changed attribue (of all those in the list above) will have any value. I would like to report on what attribue for a user was changed. Thank you very much in advance for any direction. Kind Regards, Mike.
... View more
Labels
- Labels:
-
field extraction
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-17-2025
12:34 AM
|
