Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About sigma
sigma
Path Finder
Member since:
07-23-2023
07-29-2025
Community Statistics
| Posts | 25 |
| Solutions | 0 |
| Karma Given | 4 |
| Karma Received | 0 |
| Member Since | 07-23-2023 |
Activity Feed
- Karma Re: Index time field extraction problem with space for livehybrid. 07-29-2025 02:22 AM
- Posted Index time field extraction problem with space on Getting Data In. 07-28-2025 02:29 AM
- Posted Re: Issue with Searching by Sourcetypes in Splunk on Getting Data In. 07-28-2025 02:06 AM
- Posted Regex works but transforms.conf extracts only part of the last field on Getting Data In. 07-27-2025 07:22 AM
- Posted Re: Issue with Searching by Sourcetypes in Splunk on Getting Data In. 07-09-2025 01:47 AM
- Posted Issue with Searching by Sourcetypes in Splunk on Getting Data In. 07-08-2025 02:35 PM
- Posted Re: Auditbeat add-one does not sourcetype log on Getting Data In. 06-25-2024 03:35 AM
- Posted Auditbeat add-one does not sourcetype log on Getting Data In. 06-24-2024 01:27 AM
- Tagged Auditbeat add-one does not sourcetype log on Getting Data In. 06-24-2024 01:27 AM
- Tagged Auditbeat add-one does not sourcetype log on Getting Data In. 06-24-2024 01:27 AM
- Posted Re: search header cluster on Deployment Architecture. 05-16-2024 03:26 PM
- Posted Index whitelisting and blacklisting not work in forwarders on Getting Data In. 05-16-2024 03:05 PM
- Tagged Index whitelisting and blacklisting not work in forwarders on Getting Data In. 05-16-2024 03:05 PM
- Tagged Index whitelisting and blacklisting not work in forwarders on Getting Data In. 05-16-2024 03:05 PM
- Karma Re: Transfer existing events to new volume for richgalloway. 04-09-2024 09:21 AM
- Posted Transfer existing events to new volume on Getting Data In. 04-09-2024 05:34 AM
- Tagged Transfer existing events to new volume on Getting Data In. 04-09-2024 05:34 AM
- Posted Time drift between logs and time column on Getting Data In. 03-16-2024 02:35 PM
- Tagged Time drift between logs and time column on Getting Data In. 03-16-2024 02:35 PM
- Tagged Time drift between logs and time column on Getting Data In. 03-16-2024 02:35 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-28-2025
02:29 AM
Hi all, I want to extract fields from a custom log format. Here's my transforms.conf: REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d+\s+\S+\s+(\S+)(?:\s+(iLO\d+))?\s+-\s+-\s+-\s+(.*)
FORMAT = name::$1 version::$2 message::$3
DEST_KEY = _meta This regex is supposed to extract the following from a log like: Jul 27 14:10:05 1.2.3.4 1 2025-07-27T14:09:05Z QQQ123-G12-W4-AB iLO6 - - - iLO time update failed. Unable to contact NTP server. Expected extracted fields: name = QQQ123-G12-W4-AB version = iLO6 message = iLO time update failed. Unable to contact NTP server. The regex works correctly when tested independently, and all three groups are matched. However, in Splunk, only the first two fields (name and version) are extracted correctly. The message field only includes the first word: iLO. It seems Splunk is stopping at the first space for the message field, despite the regex using (.*) at the end. Any idea what could be causing this behavior? Is there a setting or context where Splunk treats fields as single-token values by default? Any advice would be appreciated!
... View more
Labels
- Labels:
-
field extraction
-
transforms.conf
07-28-2025
02:06 AM
Unfortunately No! And after weeks yet I don't know what the problem is!
... View more
07-27-2025
07:22 AM
I'm working on a transforms.conf to extract fields from a custom log format. Here's my regex: REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d+\s+\S+\s+(\S+)(?:\s+(iLO\d+))?\s+-\s+-\s+-\s+(.*)
FORMAT = srv::$1 ver::$2 msg::$3
DEST_KEY = _meta This regex is supposed to extract the following from a log like: Jul 27 14:10:05 x.y.z.k 1 2025-07-27T14:09:05Z QQQ123-G12-W4-AB iLO6 - - - iLO time update failed. Unable to contact NTP server. Expected extracted fields: srv = QQQ123-G12-W4-AB ver = iLO6 msg = iLO time update failed. Unable to contact NTP server. The regex works correctly when tested independently, and all three groups are matched. However, in Splunk, only the first two fields (srv and ver) are extracted correctly. The msg field only includes the first word: iLO. It seems Splunk is stopping at the first space for the msg field, despite the regex using (.*) at the end. Any idea what could be causing this behavior? Is there a setting or context where Splunk treats fields as single-token values by default? Any advice would be appreciated!
... View more
Labels
07-08-2025
02:35 PM
Hi all, I'm collecting iLO logs in Splunk and have set up configurations on a Heavy Forwarder (HF). Logs are correctly indexed in the ilo index with sourcetypes ilo_log and ilo_error, but I'm facing an issue with search results. When I run index=ilo | stats count by sourcetype, it correctly shows the count for ilo_log and ilo_error. Also, index=ilo | spath | table _raw sourcetype confirms logs are indexed with the correct sourcetype. However, when I search directly with index=ilo sourcetype=ilo_log, index=ilo sourcetype=ilo_error, or even index=ilo ilo_log, I get zero results. Strangely, sourcetype!=ilo_error returns all ilo_log events and the same for ilo_error. props.conf: [source::udp:5000] TRANSFORMS-set_sourcetype = set_ilo_error SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) transforms.conf: [set_ilo_error] REGEX=(failure|failed) DEST_KEY=MetaData:Sourcetype FORMAT=sourcetype::ilo_error WRITE_META = true
... View more
Labels
- Labels:
-
heavy forwarder
-
sourcetype
06-25-2024
03:35 AM
Thank you. Yes I was wrong about transforms.conf actually I wan to generate sourcetype from elastic:auditbeat:log based on events as This link has specified.
... View more
06-24-2024
01:27 AM
Hi all, I recently installed this add-one on my cluster (hfs, idxs, shs). I copied props.conf and transforms.conf into local directory and uncomment the mappings to sourcetype elastic:auditbeat:log. But this action had no effect and yet I just see one sourcetype: elastic:auditbeat:log any ideas are appreciated. Thanks.
... View more
- Tags:
- sourcetype
- splunk
Labels
05-16-2024
03:26 PM
Hi, Did you check sslVersions in authentication.conf and server.conf? Check that the SSL version is consistent among cluster members. Regards.
... View more
05-16-2024
03:05 PM
Hi all, I have a number a forwarder that sends a lot of logs to different indexes. For example, there are three indexes: Windows, Linux, and Firewall. A new cluster has been set up and I am planning to forward only some logs to the new cluster based on the index name. For example, consider that between the three indexes of Windows, Linux, and Firewall, I'm going to send only Firewall to the new cluster. This is the configuration that I tried to create: [tcpout]
defaultGroup = dag,dag-n
[tcpout:dag]
disabled = false
server = p0:X,p1:Y
[tcpout:dag-n]
disabled = false
server = pn:Z
forwardedindex.0.whitelist = firewall
forwardedindex.1.blacklist = .* but unfortunately, some logs of both Windows and Linux indexes are still sent to the new cluster, and because an index is not considered for them in the new cluster, they frequently cause errors. The thing that came to my mind was that maybe I should empty the default whitelist and blacklist first. Anyone have any ideas?
... View more
Labels
- Labels:
-
blacklist
-
heavy forwarder
-
index
-
whitelist
04-09-2024
05:34 AM
Hi all, I created a volume and changed all homePath for all indexes to use this volume. Now I can't search on events that existed before this volume was created, and the search heads only show events that are on this volume. How can I move old and existing events to this volume so I can search on them? Thank you.
... View more
- Tags:
- splunk
03-16-2024
02:35 PM
Hi all, I have installed and configured fortiweb for splunk app. The problem is that the time in the log is correct, but the time I receive in the Splunk time column is 7 hours different. It should be mentioned that there is a field in the logs called timezone_dayst that it differs from my time zone by exactly 7 hours. I also added TZ = MyTimeZone to the props.conf of the app but problem still exists. For example, in the image below, it can be seen that the time is equal to 8:37, while the log time is equal to 1:07, and of course timezone_dayst has a drift (-3:30 instead of +3:30). Any ideas are appreciated.
... View more
Labels
03-11-2024
01:12 AM
Hi all, I have seen that pass4symmkey is optional when enabling indexer clustering. Some say that if someone knows this value, they can access the entire cluster, and it is necessary to consider a complex value for it. Would it be possible to clarify if this value should be complex and if it is simple it could cause a security breach or not? If someone knows this value, can it be a threat to the cluster and gain access to the cluster or not? Thank you
... View more
- Tags:
- splunk
Labels
- Labels:
-
authentication
-
encryption
-
permissions
03-04-2024
03:45 AM
Hi all I installed and configured the FortiWeb app for Splunk. I also set a desired index on the heavy forwarder (named fortiweb). There is a problem that the predefined dashboards in the app read the information from the main index. I can edit dashboards and add index=fortiweb to each query but it seems not optimal. how can I chnage the main index to fortiweb index? Thanks
... View more
- Tags:
- splunk
Labels
- Labels:
-
configuration
-
troubleshooting
02-24-2024
10:15 AM
Hi, I installed Splunk in a linux server on /opt/splunk. The server has two disks, one 50 GB (sdb1) and another 6 TB (sda1). I want to save /opt/splunk/var folder (and all of its contents) of Splunk to /splunk/var (sda1) which second huge partition is mounted. Actually I want to separate etc and var in case of partition. etc remain on sdb1 and var be in sda1. I need a detailed solution Thanks
... View more
- Tags:
- splunk
Labels
- Labels:
-
resource usage
01-11-2024
12:07 PM
Hello all, I send some logs from multiple endpoints to a standalone Splunk HTTP Event Collector. Many logs are sent successfully but some of them (same index, same endpoint, ...) . But some of them get 403 when sending and are not sent. I think maybe it's for threads or sockets. Any ideas are appreciated 🙂
... View more
- Tags:
- splunk
Labels
- Labels:
-
HTTP Event Collector
12-11-2023
06:58 AM
Thank you. But I think this causes the index go out of the cluster so that we can use clustering features with it. doesn't it?
... View more
- Tags:
- .
12-11-2023
03:51 AM
Hi all, I deployed splunk in multi site clustering fashion. everything is good but there are some challenges. There are many indexes in my case. Some indexes are very important, but they generally have a small volume and replication is needed for these indexes. On the other hand, there are indexes that are less important but very bulky. Replication is not required for these indexes. My question is what would you suggest to solve this problem. Thank you
... View more
- Tags:
- replication
- splunk
Labels
- Labels:
-
configuration
11-18-2023
12:39 AM
Hi all I created an environment with following instances: cluster master three search heads four indexers heavy forwarder license server deployment server deployer We have more that 50 clients so that I deployed the deployment server on a dedicated server. We have some indexes but one of them (say index named A) have about 35K per minute events. The heavy forwarder load balances the events between four indexers. The replication factor is 4 and the search factor is 3. A simple search like 'index=A' can return about 17M events at about 5 minutes. I want to speed up the search on the index A. I can change whole deployment and environment if anyone has an idea about speeding up the search.I would be grateful If anyone could help me about parameters like replication factor or search factor, number of indexers and... to speed up the search. Thank you.
... View more
10-31-2023
05:01 AM
Hi all, I have a forwarder in my cluster and it sends events to the indexers. The events are json formatted and I want to drop some events if a specific key has specific value. For example consider following event: {"process_exec":{"process":{"exec_id":"xXXXXXXXXXx==","pid":1111111,"cwd":"/tmp","binary":"/bin/sleep","arguments":"10"}}} I want to for example if the binary was equal to X, the forwarder drops the event and not send to indexers no index. I created props.conf and transforms.conf. The content of these files are: [json_no_timestamp]
TRANSFORMS-filter = filterLinux and [filterLinux]
REGEX = process.process_exec.binary = '/usr/bin/timeout'
DEST_KEY=queue
FORMAT=nullQueue But the events are not dropped. Any help is appreciated.
... View more
Labels
- Labels:
-
field extraction
-
fields
-
regex
10-07-2023
01:47 AM
Hi all,
I deployed Splunk and enabled indexer clustering. Then I created an index in master-apps and it has been replicated to peer nodes. Now I want to export some event from an index and import to the newly created index. I tested multiple methods:
I export events using following command:
./splunk cmd exporttool /opt/splunk/var/lib/splunk/defaultdb/db/db_1305913172_1301920239_29/ /myexportpath/export1.csv -et 1302393600 -lt 1302480000 -csv
and import the result using following command:
./splunk cmd importtool /opt/splunk/var/lib/splunk/defaultdb/db /myexportpath/export1.csv
but the data not replicated to indexers.
I tried another method using UI in cluster master. I import my events to newly created index. In the cluster master search everything is OK but this events not replicated to the indexers.
Note that my newly index does not shown in the indexes tab in indexer clustering: manger node. There are just three indexes: _internal, _audit, _telementry
I think I did a wrong way to do this. Does anyone have an idea?
... View more
Labels
- Labels:
-
indexer clustering
09-02-2023
08:23 AM
Hero of the day. Thank you @gcusello that was exactly I wanted. what is I want to get events between timastamps (A and B)? for example I have a time say ''2023-09-02T15:22:04.001854200Z' and one '2023-09-02T15:27:04.001854200Z'. I want those query except to set the time myself. Thank you.
... View more
09-02-2023
02:33 AM
I have an index A and another index B. logs in A have a correlation to logs in B. But the only common field between them is 'timestamp'. There is a field 'fa' in index A and field 'fb' in index B. timestamp in index A logs has a +5 minutes drift with index B. Now I want to write a query to match field 'fa' in index A and find corresponding log based on timestamp (with +5 minutes drift) on index B and get me field 'fb' in index B.
... View more
07-31-2023
03:00 PM
we have some services, each produces some logs. these logs aggregated and store in a minio bucket (not aws! just a on-perm minio deployment). I want to integrate splunk with minio such that splunk get these logs from bukcet (not minio pushes logs).
... View more
Labels
- Labels:
-
administration
-
configuration
07-23-2023
10:46 AM
thanks @ITWhisperer I'm very new to Splunk. I tried following search but it did not work: index="XXX"
| stats count(eval(status_code=="403")) as count by username
| sort 10 -count it gives me a list of all usernames with count 0 each.
... View more
07-23-2023
05:29 AM
1) I want to list top 10 usernames those got most 403 status codes. for example a username named sigma got 2000 of this code. I want to this username be in the top of the list. 2) I want to list top 10 usernames those got most 403 status code on some obejcts. for example username named sigma got 2000 of 403 status code on secret object. fields: username, status_code, object_ref
... View more
Labels
- Labels:
-
field extraction
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-29-2025
02:22 AM
|
