Hello Experts ,  I am trying to send windows security logs to logstash(http) receiver . Below is what I have based on my understanding from below splunk document  https://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Configureforwardingwithoutputs.conf?_gl=1*1oibtlm*_gcl_aw*R0NMLjE3NDY4NDE5NzEuRUFJYUlRb2JDaE1Jc2Z2dnRPV1hqUU1WaDBwX0FCMlJYQnRjRUFBWUFTQUFFZ0wtNXZEX0J3RQ..*_gcl_au*NzE5NjQzNDU5LjE3NDQ5MDE2Mjc.*FPAU*NzE5NjQzNDU5LjE3NDQ5MDE2Mjc.*_ga*NjI5NDg5MjY4LjE3NDQ5MDE2Mjg.*_ga_5EPM2P39FV*czE3NDcxNTY4OTMkbzckZzEkdDE3NDcxNTcxNDIkajAkbDAkaDM4ODI5OTg4OQ..*_fplc*R1FCTFo5ZiUyQnVNQ3gxRlQ2NXVoQW45b0tXS2Z4SiUyRkxpSUYyME04d2hZRGR4b25qaGFMaEhSRG1SYUpoaDhCTG8zc3daRkhXZEhtTjFad0VtcFhoTHBZc0k3eGgzUDVNZzJOaXhkJTJCNGklMkIxbUJpYVRBanhIWUpKdFFtMlpIRVElM0QlM0Q. On UF I have inputs.conf [WinEventLog://Security] disabled = 0 outputs.conf [httpout] httpEventCollectorToken = <token> uri = http://127.0.0.1:8002 compressed = false sendCookedData = false compression = none my logstash.conf ( I want to write the data into a file) input { http { port => 8002 codec => plain } } output { file { path => "C:\logstash_output\uf_debug_raw.txt" } } The file is being created but it holds encoded data like encrypted data , symbols . Can someone suggest if this is even possible  data in the file  {"url":{"domain":"127.0.0.1","port":8002,"path":"/services/collector/s2s"},"@version":"1","event":{"original":"�x��V�n\u001CE\u0010�`@���@\u001C�����% ... View more

Hello Splunk ES experts ,  I want to make a query which will produce MTTD (something like by analyzing the time difference between when a raw log event is ingested ( and meets the condition of a correlation search ) and when a notable event is generated based on the correlation search , I have tried something below but it does not give me results I am expecting because it is not calculating time difference for those notables which are in New status , below is working fine for any other status . Can someone please help me on this , may be it is too simple to achieve and I am making this complex  index=notable | eval orig_epoch=if( NOT isnum(orig_time), strptime(orig_time, "%m/%d/%Y %H:%M:%S"), 'orig_time' ) | eval event_epoch_standardized= orig_epoch, diff_seconds='_time'-'event_epoch_standardized' | fields + _time, search_name, diff_seconds | stats count as notable_count, min(diff_seconds) as min_diff_seconds, max(diff_seconds) as max_diff_seconds, avg(diff_seconds) as avg_diff_seconds by search_name | eval avg_diff=tostring(avg_diff_seconds, "duration") | addcoltotals labelfield=search_name   ... View more

Hi Experts ,  Someone has installed ESCU app directly on the Search head members . Now I am upgrading this app to a newer release .  Question :- Since this app was not installed from the deployer but I want to upgrade it via deployer what is the best practice and method to achieve this  Here is my plan , please correct me if I am thinking wrong  Step 1) First I will copy the installed folder from one of the SHC member to deployer under /etc/app so that it install itself on the deployer and then I can manually upgrade it using deployer GUI Step2) Once upgraded , I will copy upgraded app from /etc/apps folder to /etc/shcluster/apps folder  Step3) run apply shcluster-bundle on the deployer to push the upgraded app to SHC members . Do you think above is the right approach ? if not what else I can do    ... View more

Hello Experts, We have migrated to new hardware after old data is backed up , new environment has last 2 months of data . Now we want to restore old data onto a standalone server to perform some searches .  Highlights  --> old backup has primary and replication buckets as it was cluster backup. --> we are planning to setup a test machine(indexer/search head) for the above and ask storage team to mount (~450TB (primary and secondary ) buckets). Do you think it is a right approach ? is there anything that we need to consider before we ask a test machine (8GB RAM , 4 CPU) and storage team to mount 450TB(backup) to this test machine .  ... View more

Hello Splunk ES experts , My Splunkd is crashing frequently with below error in crash logs C++ exception: exception_addr=0x7ff2c2c3c620 typeinfo=0x556c38241c48, name=St9bad_alloc Exception indicates memory allocation failure This started after ES app installation . I have checked with free command I have plenty of  memory on the system 32GB and 16 CPU                total                 used            free                   shared           buff/cache           available Mem: 32750180     1764936    19979208     17744               11006036         31040488 Swap: 4169724          0                   4169724   Below are my ulimit settings  splunk soft nofile 65535 splunk hard nofile 65535 splunk soft nproc 65535 splunk hard nproc 65535 Any suggestions please  ... View more