×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
yc
Engager
Member since: Thursday
Thursday
Community Statistics
Posts 4
Solutions 0
Karma Given 5
Karma Received 1
Member Since ‎05-28-2026
Activity Feed
View All

Re: [Puzzles] Solve, Learn, Repeat: Matching cron ...

by in Community Blog
Thursday
1 Karma
Thursday
1 Karma
good catch on the dom/dow OR logic edge case. the kind of thing that bites you in production when you least expect.  the broader pattern here of generating regex on the fly to match against unknown structure is something we've been thinking about a lot in a different context: doing the same thing at the field normalization layer for log sources with no defined schema. The problems aren't identical but the underlying mechanic is surprisingly similar.  ... View more

Re: Why Splunk Customers Should Attend Cisco Live ...

by in Community Blog
Thursday
Thursday
are there any user group breakouts or networking events next week? ... View more

Re: Data Management Digest – May 2026

by in Product News & Announcements
Thursday
Thursday
Solid update — the Stats M1.5 semi-stateful aggregation in particular is a meaningful improvement for anyone doing ingest-time compaction on high-cardinality sources. One gap this doesn't close, and where we've been focused: what happens when the incoming source has no defined schema at all. Custom vendor formats, internal app logs, anything without an existing TA. Auto Schematization handles known structure — but the truly unknown formats still require someone to define the mapping manually before any of the pipeline tooling can act on them.That's what we built Fleak OCSF Mapper for — paste raw sample events, get an OCSF mapping back, run it at search time via | fleakmapping. Complementary to the pipeline layer rather than overlapping it. If anyone's hitting that wall with long-tail sources, it's on Splunkbase: #https://splunkbase.splunk.com/app/8693 ... View more

AI OCSF Mapper — normalize custom log sources at s...

by in All Apps and Add-ons
Thursday
Thursday
Built this because we kept hitting the same wall: a log source with no TA, no CIM mapping, and a backlog of transforms.conf work.  Detection rules/queries should be able to be written once and applied on any logs. Splunk App: AI Mapper for OCSF based queries  Here's how it works: Open Mapping Studio in Splunk Paste raw sample events from your log source The app generates a parser and OCSF mapping — you see the normalized output before anything is saved Save the rule Use | fleakmapping in any search to stream events through and get OCSF fields back   What it's good for right now: Firewall, endpoint, identity, and app logs that don't have a TA and never will Situations where you need OCSF output feeding a correlation rule or dashboard and don't want to block on a normalization project Onboarding a new vendor format fast enough that the stakeholder doesn't lose faith in you Honest caveats: v0.1.0 — works, but rough edges exist, average generation time per event type end to end is 3-5min. AI-generated mappings are good, not perfect — you'll want to review before pushing to production Works on Splunk Enterprise and Cloud, platform 10.2+ If you try it on a log source and the mapping quality is off, post the event structure here. That's the most useful feedback we can get right now. ... View more
Contact Me
Online Status
Offline
Date Last Visited
Thursday
Karma from
View All
Karma given to