Hi @Fenilleh    Is the issue resolved or still you are facing an issue? If issue still persists,please paste the error whatsoever you are getting in splunkd and mongod.  Also, I am attaching one KB article, have a look if that is relevant.  https://splunk.my.site.com/customer/s/article/KV-Store-Backup-Fails ... View more

Hi @mana_pk123  Can you please share the link of the application that you installed and trying to integrate ? Is it a Splunkbase application or custom? ... View more

Hi @Paramy  If you are using deployment server to manage your forwarders, then you can access the forwarder management interface through Splunk Web on the deployment server and view your forwarders which are connected as clients. You can also check it from the CLI with below command  splunk list deploy-clients ... View more

Hi @jto13  Can you please share few sample raw data from which you are trying to extract the fields. If there is any sensitive information,do mask it and then share it .  Also wanted to confirm the dataflow , is it from HF->indexer ??    ... View more

Hi @mackey  If you have ES, it has a framework called "THREAT INTELLIGENCE" for managing threat feeds, detecting threats, and sending alerts. You should explore this functionality, as it can be quite beneficial. Additionally, there are several other high-quality sources of threat data available in that  which just need to be activated if required OR if you have your own custom feeds, you can also integrate them as custom lookups in threat intelligence. As mentioned by @gcusello you have two options , explore it as per your requirement.  For more info on this , please refer the below docs:  https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_intelligence/Using_threat_intelligence_in_Splunk_Enterprise_Security https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/threatintelligenceframework/ https://www.splunk.com/en_us/pdfs/feature-brief/splunk-threat-intelligence-management.pdf   If this helps, accept the answer by upvoting !! Happy Splunking !!   ... View more

Hi @mackey  Is your Org using Enterprise Security of Splunk? ... View more

Hi @splunkerarijit  I could see that  this is a known issue with latest version of ES and already reported in Splunk and they have provided the workaround as well. Please refer below doc for more info https://docs.splunk.com/Documentation/ES/7.3.2/RN/KnownIssues  If this helps, please upvote or accept solution if it solved ... View more

Hi @Yim  Are you trying to extract it from the field or raw data ?  Please send me the sample data and elaborate it what you are trying to achieve as an output.  ... View more

Hi @Strangertinz  Let me know the version of DB Connect you have installed and the version of Splunk you’re using.Additionally, Could you please provide more details about the error you’re encountering when sending the data? ... View more

Hello @akulg  If I understand your requirement correctly, you're looking to correlate Carbon Black data which will be indexed in Splunk with the  watchlist (threat feeds). If there’s a match, an incident should be created. And looking for a way  to  implementing this functionality within Enterprise Security.  Yes, there is a framework in the ES known as THREAT INTELlIGENCE which will help you to  enhance your security monitoring by integrating threat intelligence into your deployment, allowing you to correlate indicators of suspicious activity and known or potential threats with your events. This addition provides valuable context for your analysts' investigations. Splunk Enterprise Security supports various types of threat intelligence, enabling you to incorporate your own as well. Please refer the below doc for more information.  https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_intelligence/Using_threat_intelligence_in_Splunk_Enterprise_Security Let me know if you have any further questions!! ... View more

Hello @JagsP  Please update the [stanza] regex as follows: REGEX = successful\, returned exit code \'0\' Note: Make sure to place the configurations correctly otherwise it will not work . For eg: If your data flow is UF->HF->Indexer, parsing occurs at the full enterprise instance, with the HF being the first layer where this takes place.  Additionally, here is the documentation for routing and filtering data, which will help you understand the core concepts. https://docs.splunk.com/Documentation/Splunk/9.3.1/Forwarding/Routeandfilterdatad For learning and writing regex for your data, you can use the platform  https://regex101.com/ If this resolves your issue, please accept and upvote the answers. Happy Splunking! ... View more

Hello @JagsP  1. What is the dataflow ? For Eg: UF->HF->Indexer and where have you placed your configurations.  2. Also, share the sample event , so accordingly I can help you with regex part.  ... View more