Hi, I am working in a distributed environment with a SHC of 3 search heads, and I am mapping VPN logs to fill certain datasets of my custom version of the Authentication data model (not accelerated for the moment). The datasets I added to the default Authentication data model are "Failed_Authentication", "Successful_Authentication" and "Login_Attempt", as you can see below:

Then, I created an eventtype (with some associated tags) to match specific conditions for an authentication success, as shown below:

sourcetype=XX action=success signature IN ("Agent login","Login","Secondary authentication","Primary authentication") OR (signature="Session" AND action="success")

Then, I used the eventtype as a constraint for the dataset "Authentication.Successful_Authentication", as shown below:

To test whether the constraint is working or not:

- I used the pivoting button offered by the GUI and it returns some results!
- I ran the following SPL in the search app and it also returns some results:

index=vpn* tag=authentication eventtype=auth_vpn_success

However, if I try to retrieve the same information with the following SPL (using tstats), it returns no results:

|tstats summariesonly=f count from datamodel=Authentication where nodename=Authentication.Successful_Authentication

Even running another SPL (based on tstats) to retrieve the eventtypes of the Authentication data model returns no results:

| tstats count from datamodel=Authentication by eventtype

I tried to troubleshoot the issue with 2 different tests:

1. Not using the field eventtype as a dataset constraint.
2. Creating another eventtype and using a different data model (Change).

1) I created a dataset constraint for "Authentication.Failed_Authentication" which uses neither tag nor eventtype, as follows:

action=failure

And both of the aforementioned tstats SPLs are working now!

2) I created another eventtype related to a change log type, as follows:

index=vpn* sourcetype=XX AND "User Accounts modified."

And I added it as a constraint for the dataset "All_Changes.Account_Change":

And by running the 2 aforementioned tstats SPLs, they return some results!

In conclusion, I suspect there is an issue related to either the tag=authentication (maybe some conflict with other default apps?) or the Authentication data model (related to the custom datasets I added?).

Do you have any clue what I could have done wrong?

Kind regards,
Z