Hello Fellow Splunkers! The goal is to create ServiceNow Incidents/Events exclusively from Splunk Enterprise alerts using the Custom Alert action (we do not have Splunk ES or Splunk ITSI*).  I have a distributed Splunk Enterprise deployment that contains an Indexer Cluster, Heavy Forwarder, and two Standalone Search heads (in addition to the Cluster Master and Deployment Server). I have yet to see this implementation work in a deployment with only Splunk Enterprise. Please let me know if this configuration is possible with an on-prem Splunk Enterprise deployment.  For context, I currently have the following configured, Splunk_TA_snow deployed to the Search Heads, Heavy Forwarder and Indexer Cluster (the add-on in the Indexer Cluster does not contain the inputs.conf file) Logs are being ingested via the Heavy Forwarder and the ServiceNow account is making successful connections to the Heavy Forwarder and Search Heads configured account. I have tried configuring the below on alerts with no luck I have also tried passing | snowincident within the alert's SPL to create a new incident in SNOW. Any help or tips will be greatly appreciated! ... View more

Hello Fellow Splunkers! I have an environment that's using Twistlock and is deployed in EKS. We are able to collect the majority of logs via Kubernetes logging, however our team really wanted to utilize the application created for Twistlock (https://splunkbase.splunk.com/app/4555/). Has anyone else run into issues using the app for this architecture type? If not, has anyone successfully configured this application to use the predefined sourcetypes shown in the app? Any guidance will be greatly appreciated!   ... View more

Hello Fellow Splunkers! Can someone please explain the need for deploying Splunk with the minimum hardware requirements? If the specs are reduced is their data loss or just lagging? I constantly get this question and have not been able to find anything on it in the Splunk documentation.   Thanks in advance for the help! ... View more

Hello! Has anyone ever successfully ingested Red Hat Satellite logs using Splunk? If not, are there any plans on making a TA for this use-case in the near future?  ... View more

Hello Fellow Splunkers, I have been looking for a solution to ingest Dell EMC Unity 500 storage logs and my research has basically told me it's not possible...I just find that hard to believe with the power of Splunk so wanted to ask you all if you've seen this ingested before and if so, how? I saw a similar post with this same question here: https://community.splunk.com/t5/Deployment-Architecture/How-to-add-the-logs-of-EMC-unity-storage-to-splunk/m-p/394811 However, it's from 2018 and doesn't appear to have a solid solution linked to it. Please reach out if you have any suggestions, solutions, or questions! ... View more

Hello Everyone, I have an environment consisting of three VPC's (say x, y, and z). Each VPC holds Linux, Windows and AWS logs. I have successfully set-up the AWS log ingest using separate indexes (aws_vpcx, aws_vpcy, aws_vpcz). However, I'm struggling to get the Linux/Windows data to index the same way. The unique identifier I'm using is hostnames. The following holds true for all hostnames per VPC, VPC X has hostnames == vpcX*** VPC Y has hostnames == vpcY*** VPC Z has hostnames == vpcZ*** For Linux logs I tried to add the following : Inputs.conf currently has (index=os_vpcX) so the default is for all Linux hosts in VPC X which is why it's not in the props and transforms files below. Currently all VPCs are sending to the os_vpcX index instead of all three and I need to figure out why the below config isn't working. I'm doing this from the cluster master and pushing it to the indexer cluster. props.conf [host::vpcY*] TRANSFORMS-osVpcY = osVpcYTrans [host::vpcZ*] TRANSFORMS-osVpcZ = osVpcZTrans transforms.conf [osVpcYTrans] REGEX = vpcX.+ DEST_KEY = _MetaData:Index FORMAT = os_vpcy [osVpcZTrans] REGEX = vpcY.+ DEST_KEY = _MetaData:Index FORMAT = os_vpcz  My second question is the same but for the Windows add-on..this seems more difficult with the single inputs.conf file having multiple indexes in it. Is there a way for me to specify more than one 'unique' thing about the stanza? For example, this is the default windows inputs.conf containing multiple indexes...I will need the windows index to go to either windows, windows_vpcY, or windows_vpcZ depending on the host that's sending the logs..but then I will also need that same separation for the wineventlog data (wineventlog, wineventlog_vpcY, wineventlog_vpcZ). ###### WinEventLog Inputs for DNS ###### [WinEventLog://DNS Server] disabled = 0 renderXml=true index = wineventlog ###### DHCP ###### [monitor://$WINDIR\System32\DHCP] disabled = 0 whitelist = DhcpSrvLog* crcSalt = <SOURCE> sourcetype = DhcpSrvLog index = windows  Thanks in advance to anyone that can help!  ... View more