I know this is an old one, but I wanted to make sure this info is out there. The Splunk Add-on for Microsoft Windows now handles this. Just add host=WinEventLogForwardHost to the [WinEventLog://ForwardedEvents] monitoring stanza. ... View more

Hola, que sourcetype utilizó?? ... View more

This Worked for me as well.  No need to give admin_all_objects permission! Splunk V. 8.2.5 ... View more

This seems to be a known issue and solution is available in the documentation link below. Creating the local\commands.conf worked for us.  https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.4/User/Workaroundfordefaultconfigstanzaerrorsindistributedenvironments ... View more

We had the same issue and resolved it. The broken clients were all trying to download two versions of an app. I have Splunk_TA_Squid_SiteA and Splunk_TA_Squid_SiteB with competing configurations for the same Squid logs. I didn't realize Server Class SiteA Include was including my SiteB clients. My SiteB clients were downloading both SiteA Squid and SiteB Squid. Once I updated Server Class Site A to only apply to Site A clients and not Site B clients, my Site B clients stopped generating the CheckSum errors. ... View more

Just to update this thread and share that this stills working My context: I deployed recently a cluster env. and did not noticed that i my filesystem was getting close to the limit I realized when all my indexers status=AutomaticDetention As i was aware that the data was useless i followed your approach and worked ... View more

any other method to collect logs other than wec. ... View more

I've followed this format for many versions now, but it seems to be broken with 8.2.2. Using https://download.splunk.com/products/splunk/releases/8.2.2/linux/splunk-8.2.2-87344edfcdb4-linux-2.6-x86_64.rpm gives me a 404. ... View more

I saw this solution today after almost 4 years and it works for me too . However I do get a trailing dot OR a number before each . Original 7/26/2021 4:14:02 PM 1498 PACKET 0000020027AD4070 UDP Rcv 10.38.2.63 e92f Q [0001 D NOERROR] A (5)ctldl(13)windowsupdate(3)com(0) 7/26/2021 4:14:02 PM 1498 PACKET 000002002D51DCC0 UDP Rcv 10.34.23.50 7494 Q [0001 D NOERROR] A (5)ctldl(13)windowsupdate(3)com(0) 7/26/2021 4:14:02 PM 1498 PACKET 0000020024F70D10 UDP Rcv 10.38.5.167 30e6 Q [0001 D NOERROR] A (4)pypi(3)org(0) After applying Sedcmd ,notice the dot 7/26/2021 4:14:02 PM 1498 PACKET 0000020027AD4070 UDP Rcv 10.38.2.63 e92f Q [0001 D NOERROR] A .ctldl(13)windowsupdate.com. 7/26/2021 4:14:02 PM 1498 PACKET 000002002D51DCC0 UDP Rcv 10.34.23.50 7494 Q [0001 D NOERROR] A .ctldl(13)windowsupdate.com. 7/26/2021 4:14:02 PM 1498 PACKET 0000020024F70D10 UDP Rcv 10.38.5.167 30e6 Q [0001 D NOERROR] A .pypi.org.   ... View more

Great Thanks ... View more

If you want to build regex using plain simple English for your sample data & test matches also then you can use https://itsallbinary.com/simply-regex/regex-builder-tool You can simply use plain English phrases from auto suggestions & tool will generate regex for it. You can also test generated regex right there with your sample data as asked in question. One example of capturing log statement from this tool - _Match_anywhere_in_text_ _any_digit_ _then_ _exact_string_ ( /) _then_ _any_digit_ _then_ _exact_string_ ( /) _then_ _one_or_more_of_ ( _any_digit_) _then_ _any_whitespace_ _then_ _exact_string_ ( -) _then_ _any_whitespace_ _then_ _capture_this_ ( _one_or_more_of_ ( _as_less_as_possible_of_ _any_character_)) _then_ _any_whitespace_ _then_ _exact_string_ ( -) _then_ _capture_this_ ( _one_or_more_of_ ( _any_character_ )) _then_ _exact_string_ ( -) _then_ _capture_this_ ( _one_or_more_of_ ( _any_character_)) This generates complex regex: \d\/\d\/(?:\d)+\s\-\s((?:.)+?)\s\-((?:.)+)\-((?:.)+) You can also test with your sample data: 6/7/2020 - MyClass - Today is Sunday and yesterday was Saturday - Success It will match regex with your sample data & show groups: Full Match = '6/7/2020 - MyClass - Today is Sunday and yesterday was Saturday - Success' Group 1 = 'MyClass' Group 2 = ' Today is Sunday and yesterday was Saturday ' Group 3 = ' Success'   ... View more

This doesnt work in more recent versions and results in the following error: ERROR AggregatorMiningProcessor - Uncaught exception in Aggregator, skipping an event: Can't open DateParser XML configuration file "./local/datetime.xml": No such file or directory - data_source So currently you have to use a static path and separate apps per deployment. ... View more

Hello voldemarlegrand, I have the same issue and liked your trick. But somehow it works in splunk btool inputs list stanza, but not in reality. Splunk stopped logging the data specified with /data/./data1. When I used a less well defined method like /data/data1 and /data/data if I have only a /data/data1 directory then it works. I guess the better solution is to assign indexes by transforms.conf as described at https://docs.splunk.com/Documentation/Splunk/8.0.4/Indexer/Setupmultipleindexes ... View more

Yes.. There was some configuration issue when upload on web. Unzipped and copied to apps directory manually and it worked like a charm. I have kept source type as cisco:ios. ... View more

This is actually mentioned in the (Default) server.conf since around ver. 6.6.x, in that Mongo DB aka. kvstore (not Splunk) does not support Forward-Secrecy ciphers i.e. Mongo needs to have RSA ones to work. # The following non-forward-secrecy ciphers were added to support the kv store: # AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256. ... View more

Damode, Page 117 of the Kiwi Syslog Server Admin Guide (v9.6) goes into configuring up a custom log format for your syslog server to use. I simply configured the custom log format up following these instructions and the following settings: Log File Fields: Date, Time, Hostname, Message text Date Format: YYYY-MM-DD Time Format: HH:MM:SS Delimiter: Tab Qualifier: None Adjust time to UTS: disabled The big thing for me was adjusting the Kiwi Syslog configuration so that it didn't prepend it's own facility and severity codes to each syslog message coming in. In my case, Splunk was inspecting the syslogs coming in and using the . as the host name. Once Kiwi had been told NOT to add this information in, Splunk was able to correctly pull the hostname out of each syslog message. I have all of the syslogs from my switches going into the one syslog file, with Kiwi pre-pending the hostname of the device originating the syslog to the start of each syslog message as it writes it to disk. Splunk then Monitors this file and onfowards to Splunk ... and the Indexers are now able to correctly pull the originating hostname out of the received data. In terms of the inputs.conf .... I simply used the CLI to add the file monitor to the Universal Forwarder running on my syslog server. splunk add monitor c:\syslogs\switches\switch_logs.txt -index networkstuff -sourcetype syslog this appears to add it to the following location: $SPLUNK_HOME/etc/apps/search/local/inputs.conf ... View more

@tfechner, I think Docs needs correction to description. However, as per Unix documentation %d picks up both date prefixed with 0 and not prefixed with 0. http://pubs.opengroup.org/onlinepubs/7908799/xsh/strptime.html Following is a run anywhere search to demo _time being set from time field with both kind of dates. | makeresults | eval data="time=\"Jul 4 16:43:42.804\",time=\"Jul 04 16:44:46.583\"" | makemv data delim="," | mvexpand data | rename data as _raw | KV | eval _time=strptime(time,"%b %d %H:%M:%S.%3N") To answer your other question, you should ideally create two different sourcetypes for data coming in two different formats from two systems. You can correlate them afterwards as per your requirement. ... View more

This should be fixed in the latest version which is 2.5.6 without having to do any customizations. Please let me know if this is not the case. ... View more

If you download my companion add-on it will take care of this for you and collect the fields into a separate summary index every hour. See https://github.com/inspired/TA-cisco-esa-extras You will still need the Splunk Add-on for Cisco ESA ... View more

Thanks. What sideview showed actually removed the need to pass it to a custom command as Splunk can already output the next scheduled times! 🙂 ... View more

Splunk recommend using a syslog server rather than using splunk to listen on UDP ... View more

I believe map is going to give you results in the same order as any other splunk search , latest to first, but you're unlikely to get a second hit with the same src , dest and sourcetype in that kind of time window, unless it's the same guy a third time, so you're getting the right result either way. The funny thing is, about a week after I read and commented on your use case, I was requested to identify similar cleartext password entries in our system, and mask them. Nontrivial, I must say. ... View more

I guess you could edit $SPLUNK_HOME/etc/system/local/savedsearches.conf and add: schedule_window = auto Just make sure your existing searches that need a specific setting of 0, 1 etc have that set already. All searches you add after this change should now have auto set by default. You will need to teach your users that auto is a bad setting in certain situations. ... View more