Hi, So I have a HF instance, which receive multiple types of syslog on many different ports. Ideally, you would have a different port for each sourcetype, however, due to misconfigurations on some servers, we ended up having multiple types of syslog received on the same udp://514 port. Since changing port require reconfig and we have to make new network change request, we figured that we could change the sourcetype base on regex to minimize work. I look into some of the app that actually do this kind of changing sourcetype thing, and I found cisco app actually have this config so I mimic it. So here are my configurations on HF: $SPLUNK_HOME/etc/system/local/inputs.conf: [udp://514] acceptFrom = <many_hosts> index = my_syslog sourcetype = syslog $SPLUNK_HOME/etc/system/local/transforms.conf: [force_sourcetype_for_peplink] DEST_KEY = MetaData:Sourcetype REGEX = ^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+(?:0?[1-9]|[12]\d|3[01])\s+(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d\s+(?:pepline_host1|pepline_host2|pepline_host3)\s+(?=.*[A-Z][A-Za-z]+:\s).* FORMAT = sourcetype::peplink $SPLUNK_HOME/etc/system/local/props.conf: [syslog] TRANSFORMS-force_sourcetype_for_peplink = force_sourcetype_for_peplink After HF, we have our data route into an Indexer cluster. However, upon restart the HF, I saw nothing changed. The logs from the peplink_host* were still having its sourcetype as syslog. So what could be the reason here?       ... View more

Hi, as the question suggest, I am trying to send 2 streams of logs. From the document Forward data to third-party systems - Splunk Documentation I know there are 2 limitations: - I can only send raw data - I cannot filter only the data I want So sending all data is OK for me. Currently, my UF have this app called INDEXER_OUTPUT. Which in its default/outputs.conf have these configs:   [tcpout] defaultGroup=my_indexer_cluster autoLBFrequency=300 [tcpout:my_indexer_cluster] server=<indexer_01_ip>:9997,<indexer_02_ip>:9997,<indexer_03_ip>:9997,<indexer_04_ip>:9997 [tcpout-server://<indexer_01_ip>:9997] [tcpout-server://<indexer_02_ip>:9997] [tcpout-server://<indexer_03_ip>:9997] [tcpout-server://<indexer_04_ip>:9997]   So what I did was created another server class, with a single app within called ELK_OUTPUT. It also has a single default/outputs.conf file with this config:   [tcpout] [tcpout:elk_server] server=<elk_server_ip>:3514 sendCookedData=false   Upon adding the client to the server class, what I noticed is a weird behavior: I only get the metrics.log sent to the ELK server What I am suspecting is that maybe because my [WinEventLog://Security] input stanza contains "renderXML = true" and "evt_resolve_ad_obj = 1", so that it no longer considered as "raw data"? ... View more

The Splunk app for Linux already provided a stanza for collecting all the .log files in the /var/log folder ([monitor::///var/log]). But what if I want to write specific regex/transformations for specific .log file, given its path. For example, I want to apply transformation by writing specific stanzas in props.conf and transforms.conf for file /var/log/abc/def.log and /var/log/abc/ghi.log.  How to make these have the same sourcetype as "alphabet_log" and then write its regex functions? I also have a question regarding the docs from Splunk In the props.conf docs, it stated that: For settings that are specified in multiple categories of matching [<spec>] stanzas, [host::<host>] settings override [<sourcetype>] settings. Additionally, [source::<source>] settings override both [host::<host>] and [<sourcetype>] settings.  What does "override" here mean? Does it override everything, or it combines and only override the duplicate configs? ... View more

Splunk Add-on for Windows is well-known and I am using it to parse my XmlWinEventLog. However, upon using, I am getting EventCode as a duplicated codes in multiline, like this: 4688 4688 I think I could find the reason, as in the transforms.conf, there are 2 function for detecting EventCode: [EventID_as_EventCode] SOURCE_KEY = EventID REGEX = (.+) FORMAT = EventCode::$1 [EventID2_as_EventCode] REGEX = <EventID.*?>(.+?)<\/EventID>.* FORMAT = EventCode::$1 And in the props.conf, both function is called: REPORT-EventCode_from_xml = EventID_as_EventCode, EventID2_as_EventCode However, I have never seen someone mentioned this issue, so is this because of my log? My log is the XML WinEventLog like this: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'> <System> <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{68ad733a-0b7e-4010-a246-bad643c2e4c1}' /> <EventID>4688</EventID> <Version>2</Version> <Level>0</Level> <Task>13312</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime='2025-05-30T10:55:19.179279400Z' /> <EventRecordID>25849216</EventRecordID> <Correlation /> <Execution ProcessID='4' ThreadID='7780' /> <Channel>Security</Channel> <Computer>ABCD-DE01.company.domain</Computer> <Security /> </System> <EventData> <Data Name='SubjectUserSid'>S-1-5-18</Data> <Data Name='SubjectUserName'>ABCD-DE01$</Data> <Data Name='SubjectDomainName'>COMPANY.DOMAIN</Data> <Data Name='SubjectLogonId'>0x3e7</Data> <Data Name='NewProcessId'>0x1c48</Data> <Data Name='NewProcessName'>C:\Windows\System32\net1.exe</Data> <Data Name='TokenElevationType'>%%1936</Data> <Data Name='ProcessId'>0x2a2c</Data> <Data Name='CommandLine'>C:\Windows\system32\net1 accounts</Data> <Data Name='TargetUserSid'>S-1-0-0</Data> <Data Name='TargetUserName'>-</Data> <Data Name='TargetDomainName'>-</Data> <Data Name='TargetLogonId'>0x0</Data> <Data Name='ParentProcessName'>C:\Windows\System32\net.exe</Data> <Data Name='MandatoryLabel'>S-1-16-16384</Data> </EventData> </Event>  The result of this is that the functions called below, using EventCode, cannot match the EventCode, like this one: EVAL-process_name = if(EventCode=4688, New_Process_Name, Process_Name) ... View more