Here's an audio sample. First, update $SPLUNK_HOME/etc/system/local/web.conf to enable the <embed> tag. Splunk strips src attributes from <embed>, <audio>, etc. tags, but we can use <embed> with the following setting: [settings] dashboard_html_allow_embeddable_content = true Download this PCAP file: https://github.com/groktrev/junk/blob/74af4d0a1a35041b63df67019f2abc50aa3f085e/audio_sample.pcap.gz It contains a single session with a plaintext HTTP GET request and an MP3 file response. You can verify the file with, e.g., Wireshark. Index the file: $ gzip -d audio_sample.pcap.gz $ $SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd -r audio_sample.pcap Create a Simple XML dashboard: <form version="1.1" theme="light"> <label>audio_player</label> <search id="all_audio_search"> <query> <![CDATA[ index=main sourcetype=stream:http mime_type=audio/* | stats latest(dest_content_hexadecimal) as dest_content_hexadecimal by site uri_path mime_type ]]> </query> <earliest>$time_tok.earliest$</earliest> <latest>$time_tok.latest$</latest> </search> <search base="all_audio_search" id="audio_search"> <query> <![CDATA[ | search uri_path=$uri_path_tok|s$ | fields mime_type dest_content_hexadecimal | lookup hexbase64lookup hexstring as dest_content_hexadecimal | eval audio_src="data:".mime_type.";base64,".base64string | fields audio_src mime_type ]]> </query> <done> <set token="audio_src_tok">$result.audio_src$</set> <set token="mime_type_tok">$result.mime_type$</set> </done> </search> <fieldset submitButton="false"> <input type="dropdown" token="uri_path_tok"> <label>URI Path</label> <fieldForLabel>uri_path</fieldForLabel> <fieldForValue>uri_path</fieldForValue> <search base="all_audio_search"></search> </input> <input type="time" token="time_tok" searchWhenChanged="true"> <label>Time Range</label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel depends="$uri_path_tok$"> <title>$uri_path_tok$</title> <html depends="$audio_src_tok$"><!-- <audio controls="controls"> <source src="$audio_src_tok$" type="$mime_type_tok$"/> </audio>--> <embed src="$audio_src_tok$" type="$mime_type_tok$" width="300" height="53"/> </html> </panel> </row> </form>  Make history! ... View more

While not as robust and functional as Cloudmeter's original products, which were focused on web site recording and replay, Splunk Stream scales well on bespoke hardware, e.g., AMD/Intel boxes with Napatech interfaces, and combined with Enterprise Security, provides functionality approximating but admittedly trailing Suricata and Zeek-based IDS and NDR solutions. Stream never found its footing outside the on-premises enterprise, and with the acquisition of SignalFx (also old news) and the merging of AppDynamics, I doubt it ever will. There's also this nugget in the 8.1.5 release notes: "As of version 8.1.5, Splunk Stream no longer ingests PCAP files." The functionality is still present, however. I built the toy example on 8.1.6. I wouldn't expect more than simple bug fixes at this point, and lack of support for HTTP/2 combined with widely adopted TLS forward secrecy make Stream moot for many distributed applications. ... View more

Hi @Hemant0808, Splunk Stream can ingest PCAP files. Splunk Stream's ability to index or hash payload content, including media files, varies by protocol. Splunk Stream is composed of three separate apps/add-ons: Splunk App for Stream https://splunkbase.splunk.com/app/1809 Splunk Add-on for Stream Wire Data https://splunkbase.splunk.com/app/5234 Splunk Add-on for Stream Forwarders https://splunkbase.splunk.com/app/5238 To install Splunk Stream in your environment, see: Splunk Cloud Platform https://help.splunk.com/en/splunk-cloud-platform/collect-stream-data/install-and-configure-splunk-stream/8.1/splunk-stream-architecture/splunk-stream-on-premise-deployment-architecture Splunk Enterprise https://help.splunk.com/en/splunk-enterprise/collect-stream-data/install-and-configure-splunk-stream/8.1/splunk-stream-architecture/splunk-stream-on-premise-deployment-architecture We'll use Splunk Enterprise as our baseline. HTTP is fully supported. Decryption of HTTPS (TLS) streams requires a captured RSA key exchange and the session's private key. Splunk Stream cannot decrypt TLS sessions with a Diffie–Hellman (DH) key exchange. Fields provided for HTTP file transfer streams are documented here: https://help.splunk.com/en/splunk-enterprise/collect-stream-data/install-and-configure-splunk-stream/8.1/protocols/file-transfer Enable the http stream. To configure streams to extract content, see: https://help.splunk.com/en/splunk-enterprise/collect-stream-data/use-splunk-stream/8.1/configure-streams/configure-streams-to-use-content-extraction Under the http stream, enable the following fields: dest_content dest_content_sha512_hash file_extracted_req file_extracted_resp file_size http_filename mime_type part_filename src_content src_content_sha512_hash Under the http stream, extract two new fields: Source Term: dest_content Name: dest_content_hexadecimal Description: dest_content_hexadecimal Extraction Type: Hexadecimal Source Term: src_content Name: src_content_hexadecimal Description: src_content_hexadecimal Extraction Type: Hexadecimal Save the changes. To index large payloads, we'll increase the [streamfwd] maxFieldSize from 10 KiB to 1 MiB. As a better practice, use a value large enough for your use cases but no larger. $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/streamfwd.conf [streamfwd] maxFieldSize = 1048576 We'll use a sample PCAP file from https://wiki.wireshark.org/SampleCaptures and the following reference: https://help.splunk.com/en/splunk-enterprise/collect-stream-data/install-and-configure-splunk-stream/8.0/configure-your-splunk-stream-installation/ingest-pcap-files Using the command line on Linux: [splunk@splunk ~]$ wget https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/http_with_jpegs.cap.gz [splunk@splunk ~]$ gzip -d ~/http_with_jpegs.cap.gz [splunk@splunk ~]$ SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd -r ~/http_with_jpegs.cap Ignore any Netflow or file mount point errors. In Splunk, search for the indexed content (note the 2004 dates from the PCAP file): index=main sourcetype=stream:http starttime=11/19/2004:00:00:00 endtime=11/20/2004:00:00:00 Notice that the dest_content and src_content fields contain the raw content bytes as JSON-escaped strings. These fields are useful for plaintext content like HTML, but they're a problem for binary content like images. Also notice that automatic JSON field extraction failed for the larger events. Under the http stream, disable the dest_content and src_content fields, save the configuration, and then re-index http_with_jpegs.cap as shown above. Search for the events again, but this time, add a mime_type search predicate: index=main sourcetype=stream:http starttime=11/19/2004:00:00:00 endtime=11/20/2004:00:00:00 mime_type=image/jpeg dest_content_hexadecimal contains the content bytes as a hexdecimal string. dest_content_sha512_hash contains the SHA-512 hash. uri_path contains the file name. Let's look at /Websidan/2004-07-SeaWorld/fullsize/DSC07858.JPG: index=main sourcetype=stream:http starttime=11/19/2004:00:00:00 endtime=11/20/2004:00:00:00 mime_type=image/jpeg uri_path=/Websidan/2004-07-SeaWorld/fullsize/DSC07858.JPG | fields mime_type dest_content_hexadecimal | head 1 Can we do anything interesting with the content? Yes, we can! While we can manipulate hex strings in Splunk, we will eventually have problems mapping bytes to UTF-8, and we'll need to implement Base64 encoding in either SPL or an external script. To work around these problems, we'll create a simple external lookup script to encode hex strings as Base64. As a better practice, create an app directory under $SPLUNK_HOME/etc/apps: $ mkdir -p $SPLUNK_HOME/etc/apps/hexbase64lookup/bin $SPLUNK_HOME/etc/apps/hexbase64lookup/default $SPLUNK_HOME/etc/apps/hexbase64lookup/metadata Then create the following files: $SPLUNK_HOME/etc/apps/hexbase64lookup/bin/hexbase64lookup.py #!/usr/bin/env python import base64 import csv import sys def main(): if len(sys.argv) != 3: print('Usage: python base64lookup.py hexstring base64string') sys.exit(1) hexstringfield = sys.argv[1] base64stringfield = sys.argv[2] sys.stdin.reconfigure(errors='surrogateescape') sys.stdout.reconfigure(errors='surrogateescape') csv.field_size_limit(sys.maxsize) infile = sys.stdin outfile = sys.stdout r = csv.DictReader(infile) header = r.fieldnames w = csv.DictWriter(outfile, fieldnames=r.fieldnames) w.writeheader() for result in r: if result[hexstringfield] and result[base64stringfield]: w.writerow(result) elif result[hexstringfield]: hexstring = result[hexstringfield] hexstringbytes = bytes.fromhex(hexstring) base64bytes = base64.standard_b64encode(hexstringbytes) base64string = base64bytes.decode('utf-8', errors='surrogateescape') result[base64stringfield] = base64string w.writerow(result) elif result[base64stringfield]: base64string = result[base64stringfield] base64bytes = base64string.encode('utf-8', errors='surrogateescape') hexstringbytes = base64.standard_b64decode(base64bytes) hexstring = hexstringbytes.hex() result[hexstringfield] = hexstring w.writerow(result) main()  $SPLUNK_HOME/etc/apps/hexbase64lookup/default/transforms.conf [hexbase64lookup] external_cmd = hexbase64lookup.py hexstring base64string fields_list = hexstring,base64string $SPLUNK_HOME/etc/apps/hexbase64lookup/metadata/default.meta [searchscripts/hexbase64lookup.py] access = read : [ * ], write : [ admin ] export = system [transforms/hexbase64lookup] access = read : [ * ], write : [ admin ] export = system Restart Splunk! Now we can get the Base64 representation of the image data, in this case as <img> src attribute data: index=main sourcetype=stream:http starttime=11/19/2004:00:00:00 endtime=11/20/2004:00:00:00 mime_type=image/jpeg uri_path=/Websidan/2004-07-SeaWorld/fullsize/DSC07858.JPG | head 1 | fields mime_type dest_content_hexadecimal | lookup hexbase64lookup hexstring as dest_content_hexadecimal | eval img_src="data:".mime_type.";base64,".base64string Now what? Let's create a Simple XML dashboard to view the image! Here's the source: <dashboard version="1.1" theme="light"> <label>image_viewer</label> <search id="image_search"> <query><![CDATA[ index=main sourcetype=stream:http starttime=11/19/2004:00:00:00 endtime=11/20/2004:00:00:00 mime_type=image/jpeg uri_path=/Websidan/2004-07-SeaWorld/fullsize/DSC07858.JPG | head 1 | fields mime_type dest_content_hexadecimal | lookup hexbase64lookup hexstring as dest_content_hexadecimal | eval img_src="data:".mime_type.";base64,".base64string ]]></query> <done> <set token="img_src_tok">$result.img_src$</set> </done> </search> <row> <panel> <html> <img src="$img_src_tok$"/> </html> </panel> </row> </dashboard> And here's a screenshot (at 50%): Dolphins! To display image content in a Dashboard Studio dashboard, we can store the data in a KV store collection used by Dashboard Studio (not shown). Will this work for other protocols and content types? It might! You've labeled the question "HTTP Event Collector," which is a specific Splunk feature unrelated to indexing PCAP data. Let me know which protocol you're trying to extract media and audio files from, and we can find a sample PCAP file and adapt the solution. Disclaimer: Do not use the methods described above for security research in production. Use an appropriate sandbox. ... View more

Hi @DAMAIT, The cisco:ise:syslog source type and its associated knowledge objects have been incorporated into Cisco Catalyst Add-on for Splunk at https://splunkbase.splunk.com/app/7538. ... View more

Hi @LovingSplunk, Building on @inventsekar's answer in a typical native Splunk environment, you can see forwarder connections to receivers with the following search: index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=* This is the same base search the monitoring console uses to discover forwarder assets. In a Cribl environment, the flow changes: splunk forwarder -> cribl worker [ source - route - pipeline - destination ] -> splunk receiver You can verify your forwarder output configuration from the host itself. On a typical Linux host: sudo su - splunkfwd -c '/opt/splunkforwarder/bin/splunk btool outputs list' If you have no outputs defined, neither Splunk nor Cribl is receiving data. Tracking sources by connection IP in Cribl may require a custom pipeline and metric rollup by the __srcIpPort field; however, the value of the __srcIpPort field varies by proxy configuration and Cribl source type. In the case of a forwarder sending data to a local Cribl instance, the connection IP may be 127.0.0.1. ... View more

Hi @pruthviraj_k_m, I commented on tracking status changes circa ES 7.0. The searches may still be applicable today. See https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-a-Dashboard-that-will-show-SLA-for-alerts-received/m-p/594780/highlight/true#M10776. ... View more

Hi @splunknoob4, If you have Splunk support, you could ask about enhancement request ENH-6550. I opened it in 2018. Maybe there's been some progress? 😉 ... View more

Hi @duesser, The links in the other responses may cover the detail, but in short, 372998479107735.188677 is outside the precision of a double-precision floating point value when converted to binary: 372998479107735.188677 to binary => 0100001011110101001100111101011110011101100101010110100101110011 back to decimal => 372998479107735.1875 The easiest way to maintain precision is probably to store the value as a string and then at search time, perform calculations using custom search commands that reference, e.g., Python decimal or gmpy modules. ... View more

Hi @mh124, Maps+ uses clustering by default, and each cluster must normally have at least two results. To allow single results to display stylized markers, set the leaflet_maps_app.maps-plus.singleMarkerMode option to 1: <viz type="leaflet_maps_app.maps-plus"> <search> <query>| makeresults format=csv data=" latitude,longitude,bgp_state 37.166111,-119.449444,Down 42.9525,-76.016667,Up 42.9525,-76.016667,Up 42.9525,-76.016667,Up " | eval clusterGroup=coalesce(lower(bgp_state), "up") | table latitude longitude clusterGroup</query> <earliest>0</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="leaflet_maps_app.maps-plus.cluster">1</option> <option name="leaflet_maps_app.maps-plus.clusterGroupColors">down:red, up:green</option> <option name="leaflet_maps_app.maps-plus.singleMarkerMode">1</option> </viz> The singleMarkerMode option is loosely documented in app help: Single Marker Mode Re-style single marker icon to marker cluster style (round) - Requires browser Refresh In the Format visualization interface, navigate to Clustering > Single Marker Mode, and then click Enabled. ... View more

Hi @beataficek, After logging into your search head or search head cluster, browse to https://splunk/en_US/_bump, where "splunk" is your hostname and "en_US" is your locale, and then click the Bump version button. If this doesn't work and you're using a search head cluster with round-robin DNS or a load balancer, replication may be broken, and you may be seeing an older version of your dashboard intermittently. ... View more

There's some grammar weirdness in there. Oops. At least you know a human wrote it. 😉 I do get a kick out of LLMs showing me my own community answers as references, though, even if the LLM hallucinates a goofball interpretaton. ... View more

Hi @BradOH, We'll use a solution similar to the referenced post but adapted to Dashboard Studio's quirks. As a starting point, we'll construct our search programmatically in SPL: | makeresults | eval index="foo" | eval field1="x" | eval field2="y" | eval field3="z" | format This returns a single field named seach with the following value: ( ( field1="x" AND field2="y" AND field3="z" AND index="foo" ) ) Next, we'll define a pseudo-nullable input token with the default value set to a single space. Recall that Dashboard Studio trims whitespace from token values. While then token will indeed have a default value of a single space, it will display as an empty string. Editing the rendered input will remove the space, but clearing the rendered input will leave the (unrendered) space. In this way, the token is always defined and always satisfies implicit token dependencies: "input_nullable": { "options": { "defaultValue": " ", "token": "text_field2_nullable" }, "title": "Nullable Token", "type": "input.text" } Next, we'll translate our base search into a data source that dynamically sets field2 and interprets a single space as null value. Note that we're removing field2 from the search when it's "null." This allows the search to return results whether field2 exists in the event or not. If you want to limit search results to events where field2 exists, using "*" in place null(), e.g., field2 is optional: | makeresults | eval index="foo" | eval field1="x" | eval field2=if($text_field2_nullable|s$==" ", null(), $text_field2_nullable|s$) | eval field3="z" | format or if field2 must exist: | makeresults | eval index="foo" | eval field1="x" | eval field2=if($text_field2_nullable|s$==" ", "*", $text_field2_nullable|s$) | eval field3="z" | format If the format command doesn't produce the SPL you need, you can use the makeresults command and any SPL to define a field named search and construct any value you'd like using whatever SPL you'd like. You don't need to limit yourself to the eval command. You have the full suite of (safe) default and custom SPL commands and any data in your environment available to you: | makeresults | eval search="index=foo field1=x field2=".if($text_field2_nullable|s$==" ", "*", $text_field2_nullable|s$)." field3=z" | fields - _time (Note that the eval search ... example isn't entirely string-safe. Be mindful of token values that contain embedded whitespace. I'll leave that as an exercise for you.) The data source must have the "Access search results or metadata" option enabled ("enableSmartSources": true). We'll reference the result of the format command, the "search" result field, in our visualization elements: "dataSources": { "ds_WKrsc3Ay": { "name": "search_nullable_token", "options": { "enableSmartSources": true, "query": "| makeresults \r\n| eval index=\"foo\" \r\n| eval field1=\"x\" \r\n| eval field2=if($text_field2_nullable|s$==\" \", null(), $text_field2_nullable|s$)\r\n| eval field3=\"z\"\r\n| format", "queryParameters": { "earliest": "0", "latest": "" } }, "type": "ds.search" } } Finally, we'll use the $search_nullable_token:result.search$ token anywhere we need to reference the generated SPL: "visualizations": { "viz_breCVkj9": { "options": { "markdown": "### SPL\n`$search_nullable_token:result.search$`" }, "type": "splunk.markdown" } } Tying it all together: { "title": "Nullable Token (Legacy)", "description": "", "inputs": { "input_global_trp": { "options": { "defaultValue": "-24h@h,now", "token": "global_time" }, "title": "Global Time Range", "type": "input.timerange" }, "input_nullable": { "options": { "defaultValue": " ", "token": "text_field2_nullable" }, "title": "Nullable Token", "type": "input.text" } }, "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } }, "ds.spl2": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } } }, "visualizations": { "global": { "showProgressBar": true } } }, "visualizations": { "viz_breCVkj9": { "options": { "markdown": "### SPL\n`$search_nullable_token:result.search$`" }, "type": "splunk.markdown" } }, "dataSources": { "ds_WKrsc3Ay": { "name": "search_nullable_token", "options": { "enableSmartSources": true, "query": "| makeresults \r\n| eval index=\"foo\" \r\n| eval field1=\"x\" \r\n| eval field2=if($text_field2_nullable|s$==\" \", null(), $text_field2_nullable|s$)\r\n| eval field3=\"z\"\r\n| format", "queryParameters": { "earliest": "0", "latest": "" } }, "type": "ds.search" } }, "layout": { "globalInputs": [ "input_nullable", "input_global_trp" ], "layoutDefinitions": { "layout_1": { "options": { "height": 960, "width": 1440 }, "structure": [ { "item": "viz_breCVkj9", "position": { "h": 400, "w": 1440, "x": 0, "y": 0 }, "type": "block" } ], "type": "grid" } }, "options": {}, "tabs": { "items": [ { "label": "New tab", "layoutId": "layout_1" } ] } } }   ... View more

Hi @ra_52194724, Try one of the following EXTRACT settings in props.conf: [your_sourcetype_or_other_spec] EXTRACT-core_key_1 = JOB (?|(?=.+"hostname": "aa01")|..(?=.+"hostname": "bb01"))(?<core_key>...) EXTRACT-core_key_2 = "description": "(?:aa01 .+ JOB |bb01 .+ JOB ..)(?<core_key>...) The core_key_1 extract uses alternating positive lookaheads to discard leading characters in the job identifier based on a trailing hostname value. If the hostname always appears at the start of the description value, you can use the core_key_2 extract. You can also use both regular expression in SPL: | rex "JOB (?|(?=.+\"hostname\": \"aa01\")|..(?=.+\"hostname\": \"bb01\"))(?<core_key>...)" | rex "\"description\": \"(?:aa01 .+ JOB |bb01 .+ JOB ..)(?<core_key>...)" If you have an arbitrarily long list of hostnames to match, I might take a different approach. Let us know. ... View more

Hi @ra_52194724, N.B.: I posted this answer a moment ago, and the forum lost it. Apologies if it appears twice. You can achieve this using alternating positive lookaheads to discard leading characters in the job identifier based on a trailing hostname value: | makeresults format=csv data=" _raw \"{\"\"group_id\"\": \"\"aa2211-3b22-4263-8fe7-e7ef6c7859ed\"\", \"\"Status\"\": \"\"OPEN\"\", \"\"description\"\": \"\"aa01 : GOT EQQE056I JOB T375P201(JOB91552), OPERATION(0010), OPERATION TEXT( ), ENDED IN ERROR JCL . PRTY=1, APPL = T375P2 , WORK STATION = CPU4, IE= 2603161420, NO E2E RC\"\", \"\"hostname\"\": \"\"aa01\"\", \"\"CI_company\"\": \"\"zzz Group\"\", \"\"CEC_ID\"\": \"\"job-585796313\"\", \"\"ORIGIN_By_Product\"\": \"\"Microsoft\"\"}\" \"{\"\"group_id\"\": \"\"bb2211-3b22-4263-8fe7-e7ef6c7859ed\"\", \"\"Status\"\": \"\"OPEN\"\", \"\"description\"\": \"\"bb01 : GOT EQQE006I JOB T375Q201(JOB91632), OPERATION(0010), OPERATION TEXT( ), ENDED IN ERROR JCL . RTY=1, APPL = T375Q2 , WORK STATION = CPU5, IE= 2606661420, NO E2E RC\"\", \"\"hostname\"\": \"\"bb01\"\", \"\"CI_company\"\": \"\"xxx Group\"\", \"\"CEC_ID\"\": \"\"job-565796313\"\", \"\"ORIGIN_By_Product\"\": \"\"Microsoft\"\"}\" " | rex "JOB (?|(?=.+\"hostname\": \"aa01\")|..(?=.+\"hostname\": \"bb01\"))(?<core_key>...)" | table core_key core_key T37 75Q Using a search-time extraction in props.conf: [your_sourcetype_or_other_spec] EXTRACT-core_key = JOB (?|(?=.+"hostname": "aa01")|..(?=.+"hostname": "bb01"))(?<core_key>...) EDIT: Since the hostname also appears at the beginning of the description, you can simplify the regular expression: "description": "(?:aa01 .+ JOB |bb01 .+ JOB ..)(?<core_key>...) If you have an arbitrarily long list of hostnames to match, I might take a different approach. Let us know. ... View more

Hi @BradOH, In Splunk Enterprise 10.2 and Splunk Cloud Platform 10.1.2507 or later, you can use JSONata expressions to construct predicates. Dashboard Studio's interface with JSONata is not well-documented and may require trial and error. See the expressions object in the source below. Note that Dashboard Studio trims (removes leading and trailing whitespace) tokens, and empty tokens are undefined. When setting an empty value, use a single space as I've done below; otherwise, Dashboard Studio will interpret the $eval:field2$ token as a string literal instead of dereferencing it. If a space conflicts with your solution, devise a compatible placeholder. You can adapt previously discussed methods in earlier versions of Splunk, e.g., this simple solution by @ITWhisperer: https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-studio-How-to-create-search-for-value-that-may-be-null/m-p/657776 JSONata example: { "title": "Nullable Token", "description": "", "inputs": { "input_global_trp": { "options": { "defaultValue": "-24h@h,now", "token": "global_time" }, "title": "Global Time Range", "type": "input.timerange" }, "input_nullable": { "options": { "defaultValue": "", "token": "text_field2_nullable" }, "title": "Nullable Token", "type": "input.text" } }, "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } }, "ds.spl2": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } } }, "visualizations": { "global": { "showProgressBar": true } } }, "visualizations": { "viz_qwzyWlJP": { "options": { "markdown": "### SPL\n`index=foo field1=x $eval:field2$ field3=z`" }, "type": "splunk.markdown" } }, "dataSources": {}, "layout": { "globalInputs": [ "input_nullable", "input_global_trp" ], "layoutDefinitions": { "layout_1": { "options": { "height": 960, "width": 1440 }, "structure": [ { "item": "viz_qwzyWlJP", "position": { "h": 400, "w": 1440, "x": 0, "y": 0 }, "type": "block" } ], "type": "grid" } }, "options": {}, "tabs": { "items": [ { "label": "New tab", "layoutId": "layout_1" } ] } }, "expressions": { "eval": { "eval_1": { "name": "field2", "value": "$exists($text_field2_nullable$) ? 'field2=\"' & $replace($replace($text_field2_nullable$, '\\\\', '\\\\\\\\'), '\"', '\\\\\"') & '\"' : ' '" } } } }   ... View more

Hi @michael3, Try double-encoding the linefeed and other characters as needed: %0A => %250A ... View more

Hi @_joe , As a baseline, verify the limits.conf [thruput] stanza maxKBps setting. The value should be 0 on a heavy forwarder: $ /opt/splunk/bin/splunk btool limits list thruput [thruput] maxKBps = 0 syslog outputs have a fixed maximum queue size of 97 KiB (99,328 bytes). The maximum theoretical thruput per syslog output is bound by the queue size and the round-trip time (RTT) to the destination. For example, if the one-way latency between the Splunk Enterprise sender and the Owl data diode is 1 ms, the RTT is 2 ms, and the the maximum thruput is 99,328 * 8 bits / 0.002 seconds = 397,312,000 bps / 8 bits = 49,664,000 Bps or ~47.363 MBps. You can verify whether your syslog output and the internal indexing queue are blocked by looking at metrics.log. The internal indexing queue sits in front of both outputs and indexes. In the case of a heavy forwarder, the indexing queue may be blocked if one or more outputs are blocked: index=_internal source=*metrics.log* group=queue name IN (indexqueue diode-syslog-tcp diode-syslog-udp) blocked=true or optimized using the TERM operator: index=_internal source=*metrics.log* TERM(group=queue) (TERM(name=indexqueue) OR TERM(name=diode-syslog-tcp) OR TERM(name=diode-syslog-udp)) TERM(blocked=true) You can return statistics quickly using the tstats command: | tstats prestats=t max(PREFIX(max_size_kb=)) max(PREFIX(largest_size=)) where index=_internal source=*metrics.log* TERM(group=queue) (TERM(name=indexqueue) OR TERM(name=diode-syslog-tcp) OR TERM(name=diode-syslog-udp)) TERM(blocked=true) by PREFIX(name=) or over time: | tstats prestats=t max(PREFIX(max_size_kb=)) avg(PREFIX(largest_size=)) where index=_internal source=*metrics.log* TERM(group=queue) (TERM(name=indexqueue) OR TERM(name=diode-syslog-tcp) OR TERM(name=diode-syslog-udp)) by _time PREFIX(name=) | timechart max(max_size_kb=) avg(largest_size=) by "name=" If metrics.log isn't available in _internal log, you can search the log file locally in $SPLUNK_HOME/var/log/splunk/, e.g.: $ grep blocked=true /opt/splunk/var/log/splunk/metrics.log* If a queue is blocked, largest_size will exceed max_size_kb and provide hints for optimization. If your Owl data diode has 1 Gbps available bandwidth, you need a queue size of 1,000,000,000 bps * 0.002 seconds / 8 bits = 250,000 bytes. Queue sizes, like TCP RWIN values, should be an even multiple of the end-to-end TCP MSS. I can't find a documented value from Owl, so we'll assume 1,460 bytes for standard ethernet. 250,000 / 1,460 = ~171, so we'll round up to 172 and use a starting queue size of 172 * 1,460 = 251,120 bytes. MSS values are larger if jumbo frames are used and may be smaller if another medium or encapsulation is used. Actual thruput is less than available bandwidth. Standard 1 GbE, for example, has an actual theoretical maximum thruput of ~126,646,610 Bps or ~120.780 MBps. If your source generates data more quickly than your interface can transmit it, your source must queue. If your average thruput exceeds 120.780 MBps, then your source will queue to infinity. If your average thruput is less than 120.780 MBps, you will introduce queueing delay, but the data will arrive eventually. Since syslog outputs have a fixed queue size, we can't modify the queue size directly as we can for other queues. Instead, we can scale the local pipeline horizontally by increasing the value of the server.conf [general] stanza parallelIngestionPipelines setting. To saturate a 1 Gbps link with a RTT of 2 ms, we need a queue size of 251,120 bytes as shown above. 251,120 / 99,328 ~= 2.528, so we'll need at least ceiling(2.528) = 3 parallel ingestion pipelines. In server.conf: [general] parallelIngestionPipelines = 3 The default maxQueueSize value for the indexing queue is 500 KB per parallel ingestion pipeline. We shouldn't need to modify it for this example. This is a good starting point for syslog output over 1 GbE with a RTT of 2 ms. If you know your actual bandwidth and RTT values, we can adjust the settings as needed. As a side note, the maximum datagram size for UDPv4 is 65,507 bytes. If you're using UDP and the Owl data diode itself doesn't have a smaller limit, you can set maxEventSize directly in $SPLUNK_HOME/etc/apps/owl_diode_sender/local/outputs.conf and forget about it: [syslog:diode-syslog-udp] maxEventSize = 65507 If the size of your source events exceed this limit or there are other limits between the sender and the Owl data diode, use TCP and an appropriately configured line breaker on the receiver. Without access to an Owl data diode, I'm making assumptions about MTUs, packet ordering, etc. that may be invalidated by an actual device. ... View more

Hi @spl_aficionado, Best (or better) practices depend on your organization's standards. Start with established benchmarks, e.g., CIS, for Microsoft Windows Server, Microsoft SQL Server, or whatever technologies your implementation uses. These benchmarks will cover authentication, authorization, TLS configuration, etc. Prefer a custom configuration using the latest Microsoft JDBC Driver for SQL Server--currently 13.2.1-- over Splunk DBX Add-on for Microsoft SQL Server JDBC. The latter is out of date and uses a version of the JDBC driver with known vulnerabilities. DB Connect should correctly configure the JDBC driver for TLS based on the options you select. If you need to edit the JDBC URL directly, connection properties for authentication, TLS/SSL, etc. are documented at https://learn.microsoft.com/en-us/sql/connect/jdbc/setting-the-connection-properties?view=sql-server-ver17. If you're trying a specific configuration, and it isn't working, post a redacted copy of your connection string here alongside a summary of your SQL Server configuration, and we can debug it as needed. ... View more

Hi @wp-uk-36, The commands are similar when searching accelerated data models. For example, the following seaches have nearly identical execution paths: | datamodel Authentication Authentication search summariesonly=t | stats count | tstats prestats=t summariesonly=t count from datamodel=Authentication.Authentication | stats count tstats edges out datamodel when used without the prestats argument: | tstats summariesonly=t count from datamodel=Authentication.Authentication Your use cases imply summariesonly=false: | datamodel Authentication Authentication search summariesonly=f | stats count | tstats prestats=t summariesonly=f count from datamodel=Authentication.Authentication | stats count Once again, with prestats=true, the execution paths are the same. You can verify this with the job inspector. Find and compare the optimized litsearch and fallback lispy. For example, in my test environment using the Authentication data model and the _audit index: datamodel litsearch (index=_audit ((index=_audit sourcetype=audittrailv2* category=authn) OR (index=_audit "action=login attempt" NOT "action=search")) (NOT action=success OR NOT user=*$) (index=* OR index=_*)) DIRECTIVES(REQUIRED_TAGS(intersect="t" tags="cleartext,cloud,default,insecure,multifactor,pci,privileged")) | addinfo type=count label=prereport_events track_fieldmeta_events=true | prestats count [ AND [ OR [ AND sourcetype::audittrailv2* [ OR authn category::authn ] ] [ AND action attempt login ] ] ] tstats litsearch (index=_audit ((index=_audit sourcetype=audittrailv2* category=authn) OR (index=_audit "action=login attempt" NOT "action=search")) (NOT action=success OR NOT user=*$) (index=* OR index=_*)) DIRECTIVES(REQUIRED_TAGS(intersect="t" tags="cleartext,cloud,default,insecure,multifactor,pci,privileged")) | addinfo type=count label=prereport_events track_fieldmeta_events=true | prestats count [ AND [ OR [ AND sourcetype::audittrailv2* [ OR authn category::authn ] ] [ AND action attempt login ] ] ] As expected, they are the same. The actual searches will vary by configuration, hot bucket state, etc. I'm testing with Splunk Enterprise 10.2, and results in earlier versions of Splunk may differ. When in doubt, run semantically identical datamodel and tstats searches and compare the execution plans and search logs in the job inspector. For a deeper dive, explore archived .conf content. In Google: site:conf.splunk.com tstats datamodel ... View more

Hi @wp-uk-36, This solution also disables pagination, but you can pre-sort your data source search, set the visualization count option to the desired number of rows, and then set the visualization paginateDataSourceKey option to an empty string: { ..., "visualizations": { "viz_xxx": { "dataSources": { "primary": "ds_xxx" }, "options": { "count": 100, "paginateDataSourceKey": "" }, "type": "splunk.table" } }, ... } The sort indicators are still visible, but clicking a header cell will have no effect. ... View more

Hi @STCK, Building on @livehybrid's example, specify the minimum allowable width (30px) for all columns except message, and Dashboard Studio will fit all columns to content until the table width requires wrapping: { ..., "visualizations": { "viz_xxx": { "dataSources": { "primary": "ds_xxx" }, "options": { "columnFormat": { "date": { "width": 30 }, "status": { "width": 30 }, "データソース": { "width": 30 } } }, "type": "splunk.table" } }, ... } Tested in Splunk Enterprise 10.2.0. ... View more

Hi @nabeel652, Here's an alternative using a single eval, which you can implement as a macro: wildcard_domains.csv domain *.example.com transforms.conf [wildcard_domains] batch_index_query = 0 case_sensitive_match = 0 filename = wildcard_domains.csv match_type = WILDCARD(domain) max_matches = 1 min_matches = 0 SPL | makeresults format=csv data=" domain foo.example.com bar.example.com bar.baz.example.com " | eval wildcard_domain_match=if(match(domain, replace(replace(spath(lookup("wildcard_domains", json_object("domain", domain), json_array("domain")), "domain"), "\\.", "\\."), "^\\*", "^[^.]+")), 1, 0) Result domain wildcard_domain_match foo.example.com 1 bar.example.com 1 bar.baz.example.com 0 As @PickleRick noted, the order of the entries in wildcard_domains.csv is important. The first match "wins." If I were doing this for myself, I would write an external lookup and use a standard or reference library for wildcard label matching rules relative to the use case: DNS, TLS, X.509, etc. Those examples follow the same general rules for leftmost label matching, but you may have other requirements. (Edited to remove mvmap. I started writing a response with max_matches >= 1. I can provide an example if you need one.) ... View more

Hi @Nraj87, I'm not AI. Did you read the referenced documentation and experiment with health checks and thresholds? In general: 1. Model your system's behavior in a controlled environment. What are its principal components (metrics)? What are the shapes/distributions of the metrics? 2. Measure your system's activity. What are the current values of the metrics? 3. Monitor (compare) your measurements to your model. Is the current metric value outside the range of acceptable values based on your model? ... View more

Hi @loganallen, See the following threads for past discussions: https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-a-Dashboard-that-will-show-SLA-for-alerts-received/m-p/594780 https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-calculate-MTTD-in-ES/m-p/698232 You'll note that most correlation searches do not store the original event _time in the notable. If MTTD is a key statistic for your organization, you may need to redesign your correlation searches to store the relevant source event fields in your notables. ... View more