Dear splunkers, I need to ingest some apaches log files. Those log files are first sent to a syslog server by rsyslog rsyslog adds to each line of the log file its owns information. A UF is installed on this syslog server and can monitor the log file and send them to the indexers Each line of the log file looks like this :   2024-02-16T00:00:00.129824+01:00 website-webserver /var/log/apache2/website/access.log 10.0.0.1 - - [16/Feb/2024:00:00:00 +0100] "GET /" 200 10701 "-" "-" 228   As you can see, the first part of the log, until "/access.log " had been added by rsyslog, so this is something I want Splunk to filter out / delete. So far, I'm able to monitor the file and filter out the rsyslog layer of the events with a parameter, and I added TIME_PREFIX parameter, then Splunk automatically detects the timestamp. Like this :   SEDCMD-1=s/^.*\.log //g TIME_PREFIX=- - \[   I created a custom sourcetype accordingly. But the issue is that, the field extraction is not working properly. Almost no field beside the _time related fileds is being extracted. I guess it's because I'm using a custom sourcetype, so Splunk is not extracting the fields automaticaly as it should; But I'm not really sure... I'm a bit lost 😞 Thanks a lot for your kind help 🙂 ... View more

Hi, We have a internal wiki with tons of useful informations about hosts and IPs. I'm trying to set up a workflow that triggers a search of the value -IP or Hostname- on this internal wiki. First issue : Since this workflow action should work with a variety of fields (src_ip, dest_ip, host, src, dest, etc.) : What variable shall I use in order to return in the workflow action the selected value ? Is there a sort of global variable like $the_selected_value$ no matter it's an IP address, a hostname or whatsoever ? Second issue : I selected my workflow to be applied on any field with a * but the workflow action is just not available anywhere. Thanks in advance for your kind help on this matter ! Best ... View more

Hi all,   I created a correlation search in SPlunk ES and added a Notable Event in the Adaptative Response Actions. I'd like to include in the notable some information from the correlation search results, such as : orig_host, ip, and some other custom fields. I went to Incident Review Settings in order to add my custome fields in the Event Attributes I customized my correlation search query in order to name the returned fieds that are named according to the Event Attributes that already exist + the custom ones that I just created In the correlation search, into the "Notable" sub-menu, I added the fields I'd like to enrich my Notable with to Identity Extraction and Asset Extraction I then added a fiew variables in the title of the created Notable. Something like "the user $custom_field_1$ just connected to the account of the user $custom_field_2$, from the computer $orig_host$ that belongs to $orig_host_owner$. custom_field_1 and $custom_field_2 variables work and return the right values. orig_host, orig_host_owner don't and return the strings $orig_host$ and $orig_host_owner$. I'm a bit confused. Does anybody have had this before ?   Thanks for your kind help ! ... View more

Dear Splunkers, I just set up a little testing environment, with Splunk Enterprise running smoothly on a Debian server and a Universal Forwarder running on a Windows 10 machine. My goal is to send some sysmon logs into Splunk. I first started to follow this page from the official Splunk documentation : https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/Install But unfortunately, this page does not explain how to install the client side of the app (is there a client side anyway ? Well nothing is explained about it). What I did is that I set my inputs.conf file in etc/system/local on the client machine. It partially worked, as the data is being sent to the Splunk server, but none of the fancy dashboards and graphs that the Sysmon for Splunk add-on or app is supposed to display is available. I know I must have missed something on the client part, but I also have to mention here that the kafkaesque intricated tons-of-links Splunk documentation does not help me much, to say the least. It would be extremely nice if someone could turn on the light because so far, my Splunk journey is being black as midnight in a moonless night. Thanks a lot 🙂 Gargantua ... View more