Thanks @PickleRick I have very less visibility and access issues on the source side, while I understand it is the easiest way to do this on the client side, I am trying to understand what are the possibilities at I have or can do on my HF on which I have full control. ... View more

Hi @isoutamo    I am currently using Splunk ingest actions feature to route the logs to S3 bucket and it doesn't have the capability to include <host>:<original sourcetype> for the events.  Thank you for taking time to reply to my query. ... View more

Hi @Richy_s , as I said (and I say this aligned with my second role in my Company: privacy and ISO27001 Lead Auditor!), the only way to mask PII is to analyze your new data stored in a temporary index, finding a list of controls. Then you can implement these rules in props and transforms, as described in the below link. Then you can prepare an alert, to run e.g. once a day, with the same controls on all the data archived in the day. If the alert will find something, it means that you have to extend your checks to other data. It isn't possible to run these controls before indexing because Splunk searches run on indexed data, the only other solution could be: index all data in temporary indexes, not accessibel to users, execute checks, mask eventual found data, copy all the data in the final indexes accessible to users. The only issue is that, in this way, you duplicate the license consuption! Ciao. Giuseppe ... View more

Exactly what I was looking for, thank you so much !! @ITWhisperer  ... View more

1. Usually (yes, I know there are rare cases where it makes sense) you configure external authentication only on SHs. Indexers should generally not run webui (DS and HFs often too) 2. Did you check _internal? ... View more

No. It doesn't work like that. A bucket doesn't "roll to smartstore". A bucket rolls to warm and cache manager uploads it to smartstore when it can. So if you: 1) Didn't give Splunk a chance to upload the bucket to smartstore and 2) Didn't have more copies of a bucket (or just destroyed all instances at once) yes, you might have experienced data loss.   ... View more

when we combined these lookups as shown in the query you shared, the results only reflected matches from the second lookup, meaning only the IP addresses were being compared. Additionally,  My mistake again.  When using the same output name, the second lookup overrides the first.  Use outputnew in the second. index=A sourcetype="Any" | fields "IP address" Hostname OS | dedup "IP address" Hostname OS | eval Hostname = lower(Hostname) | lookup inventory.csv Reporting_Host as Hostname output Reporting_Host as match | lookup inventory.csv Reporting_Host as "IP address" OUTPUTNEW Reporting_Host as match | eval match = if(isnull(match), "missing", "ok") | table Hostname "IP address" OS match   ... View more

The problem is actually deeper because appendcols works only if the lookup and index search has the same number of rows (and sort order).  In this use case, that's opposite to the premise.  I will have to look deeper - but there should be something - it could be even more cumbersome. ... View more

Please share more details ... View more

There are a number of ways to do this - to find which sourcetypes have zero events, create an event for each sourcetype with a zero count and add it to the count for the sourcetype, and where the count is still zero, there were no events for that sourcetype. | stats count by sourcetype | append [| makeresults format=csv data="sourcetype,count A,0 B,0 C,0 D,0 E,0 F,0" | table sourcetype count] | stats sum(count) as count by sourcetype | where count=0 | eval count="No events found" ... View more