Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About ucorral
ucorral
Loves-to-Learn
Member since:
08-25-2023
10-01-2023
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 08-25-2023 |
Activity Feed
- Posted Re: Universal Forwarder failing to forward logs to Splunk Enterprise. on Getting Data In. 09-30-2023 07:16 PM
- Posted Re: Universal Forwarder failing to forward logs to Splunk Enterprise. on Getting Data In. 09-30-2023 09:30 AM
- Posted Re: Universal Forwarder failing to forward logs to Splunk Enterprise. on Getting Data In. 09-30-2023 08:53 AM
- Posted Re: Universal Forwarder failing to forward logs to Splunk Enterprise. on Getting Data In. 09-30-2023 08:11 AM
- Posted Re: Universal Forwarder failing to forward logs to Splunk Enterprise. on Getting Data In. 09-30-2023 05:03 AM
- Posted Universal Forwarder failing to forward logs to Splunk Enterprise. on Getting Data In. 09-30-2023 03:55 AM
- Posted How to forward logs from Splunk Enterprise to Splunk Cloud? on Deployment Architecture. 08-25-2023 01:14 PM
Topics I've Started
09-30-2023
07:16 PM
Hello @PickleRick Thanks for the heads up, I'll delete them from the props.conf, however the information is still reaching 6 hours late, What could be the best recommendation? Thanks,
... View more
09-30-2023
09:30 AM
Hi @gcusello I can explain with some screenshots the problem: The logs are related with an Antivirus (policies, detected viruses and so on), in the first image you can see the file was created at 00:35:00 , this is an Antivirus Scan This is the content of the file: ....but as you can see timestamp shows 06:35 (That's why I added the TZ option in the props.conf) Finally this is an image of the Splunk search, the _time column is aligned with the timestamp with the log content The register was supposed to arrive at 00:35, but was entered at 06:35. (6 hours after the scan) The hour is set at GMT-6. I tried to look the AV settings to set the time at GMT-6 but it does not have that option.
... View more
09-30-2023
08:53 AM
@gcusello I added the INDEXED_EXTRACTIONS=csv, then I restarted the splunk daemon. [my_custom_sourcetype]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
TIME_FORMAT=%Y-%m-%dT%H:%M:%S,
TIME_PREFIX=^
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TZ=America/Mexico_City
disabled=false But I continue receiving logs from 6 hours ago. Copying the last log received in Splunk 9/30/23
6:35:02.000 AM
2023-09-30T06:35:02,Time of completion: 00:35:02 ***** 0 sec (00:00:00)
host = ******* source = /var/log/****/*****log.****.txtsourcetype = my_custom_sourcetype as you can see the last log have received at 06:35:02am -> but was created at 00:35:02 of my current time in Mexico City. At the moment no more logs showed in splunk 😞 But now I realized the logs come split for some reason.
... View more
09-30-2023
08:11 AM
Hi @gcusello , That's correct I used the GUI data extraction feature to obtain the parameters, and the output(showed above) was applied in my props.conf file 😞
... View more
09-30-2023
05:03 AM
Hello @gcusello , I've already added to the stanza but still failling 😞
... View more
09-30-2023
03:55 AM
Hello guys!, I have a month trying to forward my logs from iMacs using the UF with the following format: Resources,line,data,process
2023-09-30T06:35:02,"Scanned disks....... "
2023-09-30T06:35:02,User: ......
2023-09-30T06:35:02,...........
2023-09-30T06:35:02,............
2023-09-30T06:35:02,Time of completion: .......... but when the log get into Splunk it only shows the first row: Resources,line,data,process and the rest of the log reaches splunk 6 hours later. I've added the following rule in props.conf but it still failling. path: /Applications/SplunkForwarder/etc/system/local/props.conf [name_of_my_sourcetype]
CHARSET=UTF-8
TIME_FORMAT=%Y-%m-%dT%H:%M:%S,
TIME_PREFIX=^
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TZ=America/Mexico_City
disabled=false Every change I made I always restart the splunk forwarder using ./splunk restart I have no access to the Splunk server (SSH) but if needed I could try to make some configurations but I do not where.
... View more
Labels
- Labels:
-
Mac
-
props.conf
-
universal forwarder
08-25-2023
01:14 PM
Actually I have an on-prem instance of Splunk Enterprise installed locally, but for incident response we need to forward specific indexes logs to Splunk Cloud, I've been reviewing the "Distributed Search" option but if I'm not mistaken it takes all the SE data. Is there any way to perform this activity?
... View more
Labels
- Labels:
-
distributed search
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-01-2023
10:59 AM
|
