Hi all, I recently installed this add-one on my cluster (hfs, idxs, shs). I copied props.conf and transforms.conf into local directory and uncomment the mappings to sourcetype elastic:auditbeat:log. But this action had no effect and yet I just see one sourcetype: elastic:auditbeat:log any ideas are appreciated. Thanks. ... View more

Hi all, I have a number a forwarder that sends a lot of logs to different indexes. For example, there are three indexes: Windows, Linux, and Firewall. A new cluster has been set up and I am planning to forward only some logs to the new cluster based on the index name. For example, consider that between the three indexes of Windows, Linux, and Firewall, I'm going to send only Firewall to the new cluster. This is the configuration that I tried to create:   [tcpout] defaultGroup = dag,dag-n [tcpout:dag] disabled = false server = p0:X,p1:Y [tcpout:dag-n] disabled = false server = pn:Z forwardedindex.0.whitelist = firewall forwardedindex.1.blacklist = .*   but unfortunately, some logs of both Windows and Linux indexes are still sent to the new cluster, and because an index is not considered for them in the new cluster, they frequently cause errors. The thing that came to my mind was that maybe I should empty the default whitelist and blacklist first. Anyone have any ideas? ... View more

Hi all, I have installed and configured  fortiweb for splunk app. The problem is that the time in the log is correct, but the time I receive in the Splunk time column is 7 hours different. It should be mentioned that there is a field in the logs called timezone_dayst that it differs from my time zone by exactly 7 hours. I also added TZ = MyTimeZone to the props.conf of the app but problem still exists. For example, in the image below, it can be seen that the time is equal to 8:37, while the log time is equal to 1:07, and of course timezone_dayst has a drift (-3:30 instead of +3:30).    Any ideas are appreciated. ... View more

Hi all, I have seen that pass4symmkey is optional when enabling indexer clustering. Some say that if someone knows this value, they can access the entire cluster, and it is necessary to consider a complex value for it. Would it be possible to clarify if this value should be complex and if it is simple it could cause a security breach or not? If someone knows this value, can it be a threat to the cluster and gain access to the cluster or not? Thank you ... View more

Hi all I installed and configured the FortiWeb app for Splunk. I also set a desired index on the heavy forwarder (named fortiweb). There is a problem that the predefined dashboards in the app read the information from the main index. I can edit dashboards and add index=fortiweb to each query but it seems not optimal. how can I chnage the main index to fortiweb index? Thanks ... View more

Hi all I created an environment with following instances: cluster master three search heads four indexers heavy forwarder license server deployment server deployer We have more that 50 clients so that I deployed the deployment server on a dedicated server. We have some indexes but one of them (say index named A) have about 35K per minute events. The heavy forwarder load balances the events between four indexers. The replication factor is 4 and the search factor is 3. A simple search like 'index=A' can return about 17M events at about 5 minutes. I want to speed up the search on the index A. I can change whole deployment and environment if anyone has an idea about speeding up the search.I would be grateful If anyone could help me about parameters like replication factor or search factor, number of indexers and... to speed up the search. Thank you. ... View more

Hi all, I have a forwarder in my cluster and it sends events to the indexers. The events are json formatted and I want to drop some events if a specific key has specific value. For example consider following event:   {"process_exec":{"process":{"exec_id":"xXXXXXXXXXx==","pid":1111111,"cwd":"/tmp","binary":"/bin/sleep","arguments":"10"}}}   I want to for example if the binary was equal to X, the forwarder drops the event and not send to indexers no index. I created props.conf and transforms.conf. The content of these files are:   [json_no_timestamp] TRANSFORMS-filter = filterLinux   and   [filterLinux] REGEX = process.process_exec.binary = '/usr/bin/timeout' DEST_KEY=queue FORMAT=nullQueue   But the events are not dropped. Any help is appreciated. ... View more

Hi all, I deployed Splunk and enabled indexer clustering. Then I created an index in master-apps and it has been replicated to peer nodes. Now I want to export some event from an index and import to the newly created index. I tested multiple methods: I export events using following command: ./splunk cmd exporttool /opt/splunk/var/lib/splunk/defaultdb/db/db_1305913172_1301920239_29/ /myexportpath/export1.csv -et 1302393600 -lt 1302480000 -csv and import the result using following command: ./splunk cmd importtool /opt/splunk/var/lib/splunk/defaultdb/db /myexportpath/export1.csv  but the data not replicated to indexers. I tried another method using UI in cluster master. I import my events to newly created index. In the cluster master search everything is OK but this events not replicated to the indexers. Note that my newly index does not shown in the indexes tab in indexer clustering: manger node. There are just three indexes: _internal, _audit, _telementry I think I did a wrong way to do this. Does anyone have an idea? ... View more

we have some services, each produces some logs. these logs aggregated and store in a minio bucket (not aws! just a on-perm minio deployment). I want to integrate splunk with minio such that splunk get these logs from bukcet (not minio pushes logs).    ... View more

1) I want to list top 10 usernames those got most 403 status codes.      for example a username named sigma got 2000 of this code. I want to this username be in the top of the list. 2) I want to list top 10 usernames those got most 403 status code on some obejcts.      for example username named sigma got 2000 of 403 status code on secret object.   fields: username, status_code, object_ref ... View more