Hi SMEs, while checking the log from one of the log source i could see logs are not ending properly and getting clubbed all together. Putting the snap below and seeking your best advice to fix it     ... View more

HI SMEs,   I am having problem where logs coming from one of the syslog server are getting clubbed into one single raw event & not getting split. Sharing the below. Rather splitting it into 3 diff events it is coming under one single event. Kindly suggest any possible work around   Apr 14 17:30:50 172.10.10.10 %ASA-2-106006: Deny inbound UDP from 10.20.30.40/51785 to 172.10.10.10/162 on interface AI-VO-PVT Apr 14 17:30:50 10.20.30.40 12812500: RP/0/RP0/CPU0:Apr 14 17:30:50.489 IST: ifmgr[301]: %PK-5-UPDOWN : Line protocol on Interface GigabitEthernet0/0/0/18, changed state to Down Apr 14 17:30:50 10.225.124.136 TMNX: 258900 Base LOGGER-MINOR-tmnxLogFileDeleted-2009 [acct-log-id 18 file-id 22]: Log file cf3:\acttt\actof1822-20240414-075.xml.gz on compact flash cf3 has been deleted Apr 14 17:30:50 10.20.30.40 12812502: RP/0/RP0/CPU0:Apr 14 17:30:50.493 IST: fia_driver[334]: %PLATFORM-2_FAULT : Interface GigabitEthernet0/0/0/18, Detected Local Fault ... View more

Hi SMEs, Seeking help on the below field extraction to capture hostname1, hostname2, hostname3 & hostname4   Mar 22 04:00:01 hostname1 sudo: root : TTY=unknown ; PWD=/home/installer/LOG_Transfer ; USER=root ; COMMAND=/bin/bash -c grep -e 2024-03-21 -e Mar\ 21 /var/log/secure Mar 22 04:00:01 hostname2 sudo: root : TTY=unknown ; PWD=/home/installer/LOG_Transfer ; USER=root ; COMMAND=/bin/bash -c grep -e 2024-03-21 -e Mar\ 21 /var/log/secure 2024-03-21T23:59:31.143161+05:30 hostname3 caam: [INVENTORY|CaaM-14a669917c4a02f5|caam|e0ded6f4f97c17132995|Dummy-5|INFO|caam_inventory_controller] Fetching operationexecutions filtering with vn_id CaaM-3ade67652a6a02f5 and tenant caam 2024-03-23T04:00:17.664082+05:30 hostname4 sudo: root : TTY=unknown ; PWD=/home/caam/LOG_Transfer ; USER=root ; COMMAND=/bin/bash -c grep -e 2024-03-22 -e Mar\ 22 /var/log/secure.7.gz   ... View more

Hi SMEs, there are logs coming from one of the application in one single event. How to split it in a seperate log event. Like there are 3 diff logs which are tagged to one event log type=USER_ACCT msg=audit(Thu Sep 22 09:09:09 2023.333.12221): pid=12345 uid=0 auid=424242424 ses=6535872 subj=system_u:system_r:crond_t:s0-s0:c0.c1111 msg='op=PAM:accounting grantors=pam_access,pam_faillock,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_ACCT msg=audit(Thu Sep 22 09:09:09 2023.333.12223): pid=12345 uid=0 auid=424242424 ses=6535872 subj=system_u:system_r:crond_t:s0-s0:c0.c1111 msg='op=PAM:accounting grantors=pam_access,pam_faillock,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_ACCT msg=audit(Thu Sep 22 09:09:09 2023.333.12229): pid=12345 uid=0 auid=424242424 ses=6535872 subj=system_u:system_r:crond_t:s0-s0:c0.c1111 msg='op=PAM:accounting grantors=pam_access,pam_faillock,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'   ... View more

Hi SMEs, morning I have a situation where logs are coming from an application recently on-boarded in below format, seems like they are in JSON and should be parsed as per key:value mechanism. Any suggestion how to fix it. Many thanks in advance <11>1 2024-02-27T03:22:53.376823921Z hostname-1 ipsec ipsecd[85] log - {"time":"2024-02-27T03:22:53.376823921Z","type":"log","level":"error","log":{"msg":"et_backend: connection failed while getting et keys"},"process":"ipsecd[85]","service":"ipsec","system":"hostname-1","neid":"414399","container":"784722400000","host":"hostname-1","timezone":"UAT"} ... View more

Hi SMEs, Hope you are doing great, i am curious to know how to check the daily data consumption (GB/Day) from a specific Heavy Forwarder using Splunk search when there are multiple HFs are there in the deployment. thanks in advance ... View more

Hi SMEs,   I would like to create an alert on Splunk ES which should trigger if any of the Heavy forwarder reboot or shutdown by someone. thanks in advance  ... View more

Hi Team, I could see logs coming from UNIX devices in the below format   <38>Aug 1 13:20:29 dns.customer.net 10.32.9.5 sshd[14171]: Failed password for michal from 10.32.7.28 port 58255 ssh2   When i look into the selected events on the left panel these logs are not getting parse, like username, source ip , port, protocol. Any suggestion please. Logs are coming through rsyslog mechanism using TCP input from the device ... View more

Hi SMEs, I am getting some garbage/hexa format/ASCII format logs from one of the log source integrated with Splunk, it is customized linux platform and been integrated using TCP input. Sharing the sample log below. Seeking suggestions to find and fix it. thanks in advance      ... View more

Hi Team, I have to do auto field extraction of the fields coming inside the payload under <mTypes>....</mTypes> to the corresponding values which are coming under <Results>........</Results>   <mTypes>field_1 field_2 field_3 field_4</mTypes> some random paylod <Results>12 12 9 3</Results>   Kindly suggest, thanks in advance ... View more

Hi SMEs, I have a unique requirement which need one of my extracted filed name = actual_time to be mapped with _time field. As while searching past 30 days data i am also getting the older data while looking at actual_time field. I think if i map actual_time with _time or by other mean i should be able to get the actual outcome. thanks in advance ... View more