Currently I'm running the following SPL to confirm the UF downloaded a new config: index=_internal sourcetype=splunkd (component IN (DeployedApplication, PackageDownloadRestHandler) OR (component=loader "Splunkd starting") OR "Restarting Splunkd") | transaction host This results in something like the following for each host. It's almost what I want but the Deployment Server events are grouped into their own transaction. I would like the group all of the above together into one transaction to show the download started/completed event from DS in the same group for that UF. I tried including the startswith/endswith with various combinations of the following including with and without a field in the transaction command index=_internal sourcetype=splunkd (component IN (DeployedApplication, PackageDownloadRestHandler) OR (component=loader "Splunkd starting") OR "Restarting Splunkd") | transaction startswith="checksum mismatch" endswith="splunkd starting" but this keeps grouping events from different UFs together. Any suggestions would be appreciated. ... View more

I have UFs in the DMZ and internal networks with a load balancer managing traffic between both zones. There is a single deployment server located in the internal network. Up to this point we had the network team open port 8089 for all DMZ servers to connect directly to the deployment server in the internal network. We're changing this and instead will route traffic through the load balancer to the deployment server.  However, if possible, I want to keep both routes so that if one IP fails, the UF will try the second IP. Both IPs will point to the same deployment server so this is not technically a "DS cluster" it's just 2 different routes to the same server. My drawing below shows what I would want to do.   Would it be possible to input multiple target-brokers or targetUris in deploymentclient.conf? If this is not allowed in the config, would it be possible to use an FQDN instead with a DNS record pointing to multiple IPs?  Any advice would help, even if it's "this isn't a good idea".  P.S. I know a load balancer is not recommended, removing it is a no-go. ... View more

I'm trying to replace the default SSL certs on the deployment server with third-party certs but I'm confused about what it entails. I don't know much about TLS certs, mostly just the basics. I'm following these documents for the deployment server-to-client: https://docs.splunk.com/Documentation/Splunk/latest/Security/StepstoSecuringSplunkwithTLS https://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigTLScertsS2S.  If I make the changes on the deployment server to point to the third-party cert, do I also need to change the cert on the UFs to keep communicating on port 8089?   ... View more

I have Splunk Enterprise 9.4.0 (build 6b4ebe426ca6) installed.  My security team flagged a possible vuln on /opt/splunk/opt/mongo/lib/libcurl.so.4.8.0 related to CVE-2024-7264, which apparently affects libcurl versions between 7.32.0 and prior to 8.9.1. I ran both the following commands   splunk cmd curl --version splunk cmd mongodb --version   and confirmed the libcurl version is affected. The relevant results were: Curl:   curl 7.61.1 ... libcurl/7.61.1 ...   Mongod:   mongod: /opt/splunk/lib/libcrypto.so.10: no version information available (required by mongod) mongod: /opt/splunk/lib/libcrypto.so.10: no version information available (required by mongod) mongod: /opt/splunk/lib/libcrypto.so.10: no version information available (required by mongod) mongod: /opt/splunk/lib/libssl.so.10: no version information available (required by mongod) db version v7.0.14 Build Info: { "version": "7.0.14", ... }      How do I go about disabling Mongod (if possible)? Alternatively, is there any info on whether this will be addressed in a future update or if this is relevant at all for Splunk Enterprise? ... View more

I'm trying to create an alert that looks through a given list of indexes and triggers an alert for each index showing zero results within a set timeframe. I'm trying with the following search:    | tstats count where index IN (index1, index2, index3, index4, index5) BY index | where count=0     But this doesn't work because running the first line on its own only shows the indexes that are not empty and nothing, not even count=0 for the empty index. I also tried    | tstats count where index IN (index1, index2, index3, index4, index5) BY index | fillnull count value=0 | where count=0   But that doesn't work either. The problem is that if "index5", for example, is showing no results, "| tstats count..." doesn't return anything, not even a null result. So something like "| fillnull" is not working at the end because there is no "index5" row to "fillnull".  I have seen other solutions use    | rest /services/data/indexes ...   and join or append the searches to each other but since I'm on Splunk Cloud, it doesn't work due to the error "Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability".    The only working solution I have so far is to create an alert for each index I want to monitor with the following search   | tstats count where index=<MY_INDEX> | where count=0   but I would rather have a single alert running each time with a list that I can change if I need to than multiple searches competing for a timeslot and all that. I have considered other solutions like providing a lookup table with a list of indexes I want to search and using lookup to compare against the results but that seems too cumbersome.    Is there a way to trigger an alert for empty indexes from a single given list on Splunk Cloud?     ... View more

This is a followup question to the solution on this thread: https://community.splunk.com/t5/Getting-Data-In/create-multiple-sourcetypes-from-single-syslog-source/m-p/701337/highlight/false#M116063 I'm trying to do exactly what the original question asked but I need to apply different DELIM/FIELDS values to the different sourcetypes I create this way. The solution says that once the new sourcetype is created "...just use additional transforms entries with regular expressions that fit the specific subset of data..." does this mean that if I want to further extract fields from the new sourcetype I can only do that using TRANSFORMS from that point forward or would I be able to put a new stanza further down in the props.conf for [my_new_st] and use additional REPORTs or EXTRACTs that only apply to that new sourcetype? For example, can I do something like the following?: Description: first split the individual events based on the value regex-matched on the 5th field then do different field extracts for each of the new sourcetypes.      props.conf: [syslog] TRANSFORMS-create_sourcetype1 = create_sourcetype1 TRANSFORMS-create_sourcetype2 = create_sourcetype2 [sourcetype1] REPORT-extract = custom_delim_sourcetype1 [sourcetype2] REPORT-extract = custom_delim_sourcetype2           transforms.conf: [create_sourcetype1] REGEX = ^(?:[^ \n]* ){5}(my_log_name_1:)\s DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::sourcetype1 [create_sourcetype2] REGEX = ^(?:[^ \n]* ){5}(my_log_name_2:)\s DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::sourcetype2 [custom_delim_sourcetype1] DELIMS = " " FIELDS = d_month,d_date,d_time,d_source,d_logname,d_info,cs_url,cs_bytes,cs_port [custom_delim_sourcetype2] DELIMS = " " FIELDS = d_month,d_date,d_time,d_source,d_logname,d_info,cs_username,sc_http_status       ... View more