cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
konka4
Splunk Employee
Member since: ‎02-05-2023
‎08-18-2023
Community Statistics
Posts 6
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-05-2023
Activity Feed
View All

Re: Help Splitting Sourcetypes

by Splunk Employee in Getting Data In
‎08-18-2023 03:09 AM
‎08-18-2023 03:09 AM
Hi @isoutamo  Thanks for your reply.   While I understand that diagram and believe that its correct as a baseline, it leaves me more confused. Take the popular Palo Alto TA, that you can get from Splunkbase. It's whole basis is based on splitting a singular sourcetype into many others. For example, an input is using pan:firewall as the sourcetype. The official docs say to use pan:firewall [pan:firewall] category = Network & Security description = Syslog from Palo Alto Networks Next-generation Firewall pulldown_type = true SHOULD_LINEMERGE = false TIME_PREFIX = ^(?:[^,]*,){6} MAX_TIMESTAMP_LOOKAHEAD = 32 TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_correlation, pan_userid, pan_globalprotect, pan_decryption   If we look at pan_threat it gets renamed to pan:threat within the TA, and then includes a TIME_FORMAT. [pan_threat] rename = pan:threat [pan:threat] SHOULD_LINEMERGE = false EVENT_BREAKER_ENABLE = true KV_MODE = none TIME_PREFIX = ^(?:[^,]*,){6} MAX_TIMESTAMP_LOOKAHEAD = 32 TIME_FORMAT = %Y/%m/%d %H:%M:%S   This suggests, that when the data comes in as [pan:firewall] it makes its way down to the typingQueue, applies the TRANSFORMS, in our case, we are focusing on [pan_threat], then applies all the configuration in the [pan:threat] stanza, including the TIME_FORMAT which is at the aggQueue, but that would be revisiting the queues again.   How is this TA doing it, but I can't? ... View more

Re: Help Splitting Sourcetypes

by Splunk Employee in Getting Data In
‎08-18-2023 12:41 AM
‎08-18-2023 12:41 AM
@gcusello Unfortunately I can't, as the product sends all its logs via syslog to one file per day. That file then represents 2 or more differently formatted data and is monitored by one singular monitor stanza. This doesn't seem very uncommon and I know Splunk can do it, its just that something is halting it. Theres nothing else in-between for the data to latch on to either. Its just: Syslog logs -> Syslog Server (with HF on it) -> IDX It's a very simple setup, yet having troubles with the indexing pipelines on the HF recognizing different sourcetypes have different settings to apply. ... View more

Re: Help Splitting Sourcetypes

by Splunk Employee in Getting Data In
‎08-18-2023 12:22 AM
‎08-18-2023 12:22 AM
Hi @gcusello  Appreciate the reply. The props.conf and transforms.conf are located within a custom app on the HF for the product. I've btool'd to make sure that they are being applied.  The timestamp config and Regex's up there are dummy data, the actual ones I do not have on me right now. However, I do know they are correct. The timestamps have been tested within Splunk's "Add Data" feature on a SH to confirm the timestamp settings are correct. The regex works as well, as I get 2 other sourcetypes: sourcetype_one and sourcetype_two based on my regex. I have no issues here.   My issue is that none of the other settings are working as soon as they are either in sourcetype_one or sourcetype_two. For example, sourcetype_one has: TIME_FORMAT = %m-%a-%d %H:%M:%S while sourcetype_two has: TIME_FORMAT = %C-%b-%a %M:%k:%S   Neither of them take effect and Splunk is left not correctly displaying the correct time for either sourcetype. I've done this in the past but for some reason, it's just not working anymore. Appreciate the recommendation, however I like to keep it as a staging area for when new "unannounced" data gets through my regex, it just means I need to either fine tune the other two or create another.   ... View more

How to split sourcetypes?

by Splunk Employee in Getting Data In
‎08-17-2023 11:16 PM
‎08-17-2023 11:16 PM
Hey Fellow Splunkers,   I'm having a bit of trouble perhaps understanding how this works and whether I'm doing this correct. Currently on version 9.0.2   Scenario Product Logs -> Syslog(Has a HF on it) -> IDX Syslog is writing to one singular file that I monitor and it has multiple time formats in it and different line breaking. I basically want to bring in all the syslog from this certain product into one sourcetype, kinda like a staging area, then split them out based on REGEX. This is what I've got so far. Most of this is dummy data so dont worry about scrutinizing it for typo's etc.    Configuration This is all on the HF Inputs.conf [monitor://path/to/product/syslogs] index = syslog sourcetype = product_staging   Props.conf [product_staging] TRANSFORMS = change_sourcetype_one, change_sourcetype_two   [sourcetype_one] LINE_BREAKER = A line breaking example TIME_FORMAT = %m-%a-%d %H:%M:%S TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 30   [sourcetype_two] LINE_BREAKER = A line breaking example TIME_FORMAT = %C-%b-%a %M:%k:%S TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 30   Transforms.conf [change_sourcetype_one] DEST_KEY = MetaData:Sourcetype REGEX = (DataOne) FORMAT = sourcetype::sourcetype_one [change_sourcetype_two] DEST_KEY = MetaData:Sourcetype REGEX = (DataTwo) FORMAT = sourcetype::sourcetype_two   I can get the data to split, easily, my issue is, when it splits off into the different sourcetypes, the INDEXING TIME features, like TIME_FORMAT, TIME_PREFIX, LINE_BREAKER etc don't take effect on the new sourcetypes that were made from a split.   Is it simply because the original sourcetype [product_staging] has touched the data with its own settings, and now the other sourcetypes can't apply their own? I honestly don't understand what I'm doing wrong. Any help would be greatly appreciated. ... View more

Solarwinds Add-on For Splunk with SHC

by Splunk Employee in Splunk Enterprise
‎05-23-2023 12:18 AM
‎05-23-2023 12:18 AM
Hi all,   Hoping to get some clarity on the Solarwinds Add-on for Splunk.   I'm trying to install this onto my SHC (4SH's) with a deployer. Pushing from the deployer is all good. I then jump onto a search head and create the inputs and account to talk to solarwinds and the SH's replicate those local changes throughout the cluster.   After that I get absolutely no data, no errors as well to say what's not working. I've tested this app on a separate Indexer on one site, another indexer on another site (different subnets) and on my deployer and it works instantly. As soon as I put it on my SHC via the deployer, it does not work at all.   Is this app suppose to work with a SHC or am I doing something completely wrong?  ... View more

How to resolve error's while installing Splunk SOA...

by Splunk Employee in Splunk SOAR (f.k.a. Phantom)
‎02-05-2023 04:46 PM
‎02-05-2023 04:46 PM
Hey everyone,   I'm at a loss for what this is, I always get stuck at install step 27 and then it throws these errors at me but I can't figure out what it is and how to fix it.   I followed these steps https://docs.splunk.com/Documentation/SOARonprem/5.5.0/Install/InstallUnprivileged   Its being run on Red Hat Linux 7 over googles GCP.   I've attached a photo of the errors.   Any help is appreciated.   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-18-2023 06:33 AM