Loved your link https://www.splunk.com/en_us/products/features-comparison-chart.html But it's not available any more. Vanished 😞 ... View more

The most hillarious answer I have seen recently 😄 ... View more

Same issue here. ... View more

I am working on brand new Symantec Messaging Gateway (Brightmail) TA right now.  Once its done I will share it! This one si more comprehensive than the one currenlty available on Splunkbase.  ... View more

Yes, it's correct. See below.   splunk@test:/opt/splunk/var/lib/splunk$ splunk btool indexes list _audit | grep audit [_audit] coldPath = $SPLUNK_DB/audit/colddb homePath = $SPLUNK_DB/audit/db thawedPath = $SPLUNK_DB/audit/thaweddb tstatsHomePath = volume:_splunk_summaries/audit/datamodel_summary   I agree it's not logical and Splunk should change directory name from "audit" to "_audit" on a filesystem. ... View more

A list of all CIM fields (with mapping to corresponding  data model they are used in) are available in CIM documentation since 4.15.0 version: CIM App documentation -> Data Model -> CIM fields per associated data model https://docs.splunk.com/Documentation/CIM/4.18.0/User/CIMfields   ... View more

This is probably the best approach. I am exploring it now. However, as other folks noticed _introspection index does not provide data reflecting reality. Example: data.datamodel_summary_size says 2x8GB=16GB (roughly) for given index for two indexers but real disk size of datamodel_summary subdirectory for the same index shows 2x12GB=24GB total for two indexeres.  I checked and summary replication is not set to true.  Would you know why?   ... View more

There is a very severe issue with forwarding to a 3rd party syslog from any full Splunk instance  (SH, HF, Indexer, etc.). Let' say you want to send data to a 3rd party syslog via TCP and it happens that syslog is unreachable (not receiving data for whatever reason (service down, network down, etc.). After some time all queues start to fill up from output (e.g. output queue for syslog target group is just 97B and you cannot change it) over parsing (parsing, merging, typing, ...) to input queues. Once input queue is full Splunk instance will stop receving data - on indexer you effectively STOP indexing. This is by design. There are some solutions for this - none is great.  1. Send to a 3rd party syslog via UDP - not reliable and for many customer unacceptable. 2. Send requrested content via some other "tool". If you want to send out locally monitored files you can use SyslogNG or Cribl if the target destination is syslog-capable consumer.  BTW Cribl is the only non-Splunk solution out on the market that supports native input/output for Splunk proprietary S2S protocol. So you can collect data by UF and send to Cribl for processing and forward further to Splunk, Syslog  and many other targets. You cannot solve this puzzle with Splunk only ideally. ... View more

Yes. Once data is in accelerated DM (DMA), in other words data was added into summary index of a given data model (storing in to DM summary index is called saving into so called High Performace Analytics Store (HPA) from marketing perspective) you do NOT need any TA extraction/parsing capabilities as you already filled the fields with values in some form before indexing/writing into summary index. ' Just a comment. Storing events into a summary index means that data will get new sourcetype - "stash". This data is not count against Splunk license (its seen as internal data). However, when you save data into a summary index under some custom sourcetype (eg. sourcetyp="mysourcetype") using `collect` command then this data might in theory be parsed by TA that has parsing rules for this custom sourcetype.  ... View more

Yes, it did help. ... View more

Try MIME Decoder TA add-on: https://splunkbase.splunk.com/app/5116/ ... View more

Correct link https://dev.splunk.com/view/event-collector/SP-CAAAE6M which redirects to https://dev.splunk.com/enterprise/docs/devtools/httpeventcollector/ ... View more

Gregg, you made my day! Thx. I didn't know %r, %n, %s. Couldn't find anything about these in https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Commontimeformatvariables. Again, great knowledge! ... View more

Check my add-on up the thread. I can push the code to some public git so that more people can work on it and make it better. https://splunkbase.splunk.com/app/5116/ ... View more

Hi Brian, I made your script into TA add-on as Splunk custom command compatible with v2 protocol. You are mentioned as an author too. MIME Decoder Add-on https://splunkbase.splunk.com/app/5116/ Tomas   ... View more

I am using Python SDK. Watch "self.fieldname" routine. My command will have one argument - existing field from previous search (message_subject). With the code below I was successfull passing value from any field I add as an argument to SPL commmand: e.g. "| mimedecode message_subject" I got inspiration from: https://docs.splunk.com/DocumentationStatic/PythonSDK/1.6.0/searchcommands.html     class decodemimeCommand(StreamingCommand): def stream(self, records): # get the argument - fieldname with mime-encoded string message_subject = self.fieldnames[0] for record in records: record['message_subject_decoded'] = main(record[message_subject]) yield record if __name__ == "__main__": dispatch(decodemimeCommand, sys.argv, sys.stdin, sys.stdout, __name__)     ... View more

It would be nice to post updated and working links.  ... View more

Yeah. Had the same issue. In distributed environment alerts are written/indexed on SH, so index MUST exist there. But with index forwarding to an indexer, data will end up there at the end. Beware, index on SH and index on IDX must have the SAME name! ... View more

HF is not A SH. It does index-time parsing except for indexing (should not). So it’s basically an indexer. Hence, give it IDX role in DMC/MC. ... View more

I liked that one with ltrim !!! Saved me 🙂 ... View more