The following link provides the common format for CEF log format, assuming that's your format. https://splunk.github.io/splunk-connect-for-syslog/main/sources/base/cef/#splunk-metadata-with-cef-e... ... View more

The following link provides the common format for CEF log format, assuming that's your format. https://splunk.github.io/splunk-connect-for-syslog/main/sources/base/cef/#splunk-metadata-with-cef-events ... View more

@martialartjesse Glad to know it helped someone else. Send over some karma if you don't mind. Thanks. ... View more

My issue was with the 3 new internal indexes that Splunk Enterprise introduces. In short, my fix was to add the line  selectiveIndexing = true in the %SplunkHome%/etc/system/local/outputs.conf file. Here is a link in the docs referring to this fix. Otherwise, I'm including the synopsis of the symptom/fix from the link I provided initially. Hope that helps. Resolution What causes symptom 1? Splunk Enterprise 9.2.0 introduces a scalable Deployment Server (DS) feature, which makes the DS tier more resilient and highly available. Under the hood, several new internal indexes are introduced to accommodate this feature: _dsphonehome _dsclient _dsappevent These indexes are defined in Splunk Enterprise 9.2.x by default. If your DS forwards its data to remote indexers and the indexers are running an older Splunk version, the latter will not have the above-mentioned indexes defined. This will result in the DS being unable to forward and search its DS/DC-related events. The DS's Forwarder Management UI is then unable to list the Deployment Clients (DCs), despite the clients phoning home without any issue.   Fix for symptom 1: The idea behind it is simple: As long as your DS can index its DS/DC events to the 3 indexes above and search them back, your clients should appear in the UI.   Steps: 1. Allow your DS to selectively index the phone home, client and app events to itself. This is especially applicable to on-prem DS that forwards data to Splunkcloud indexers, but it can be applied to a completely on-prem/cloud BYO environment as well.    Add the following parameters and values to the DS's outputs.conf file, followed by restarting the splunkd service. [indexAndForward] index = true selectiveIndexing = true   2. This step is applicable if your DS is forwarding its data to on-prem indexing tier and the indexers' version is older than 9.2.0:   Configure the 3 indexes mentioned earlier on your indexing tier. If your indexers are non-clustered, add the index definitions on each of them manually or using your preferred automation. If your indexers are clustered, push the index definitions from the Cluster Manager and enable replication (repFactor = auto) to benefit from cluster redundancy.   Sample indexes.conf configuration: [_dsphonehome] homePath = $SPLUNK_DB/_dsphonehome/db coldPath = $SPLUNK_DB/_dsphonehome/colddb thawedPath = $SPLUNK_DB/_dsphonehome/thaweddb # clustered indexers only # repFactor = auto [_dsappevent] homePath = $SPLUNK_DB/_dsappevent/db coldPath = $SPLUNK_DB/_dsappevent/colddb thawedPath = $SPLUNK_DB/_dsappevent/thaweddb # clustered indexers only # repFactor = auto [_dsclient] homePath = $SPLUNK_DB/_dsclient/db coldPath = $SPLUNK_DB/_dsclient/colddb thawedPath = $SPLUNK_DB/_dsclient/thaweddb # clustered indexers only # repFactor = auto   There is one additional step only if your DC sends its data to the indexers via an intermediate forwarder AND your intermediate forwarder's version is older than 9.2.x:   Add the following parameter and value to the intermediate forwarder's outputs.conf file, followed by a splunkd service restart. [tcpout] forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent)   At this point, the deployment clients should appear in the Forwarder Management UI > Clients tab.   Tips: If you still can't see the clients, run the following query on the DS and check whether it returns some events:  index=_ds*   If the query returns nothing and your DS is also a Distributed Monitoring Console instance, go to Settings >  Monitoring Console > Settings > General Setup. Locate your DMC (This instance) and click Edit > Edit Server Roles. Tick the Indexer role and click Save. Run the query again to confirm it is working. ... View more

My issue was with the 3 new internal indexes that Splunk Enterprise introduces. In short, my fix was to add the line  selectiveIndexing = true in the %SplunkHome%/etc/system/local/outputs.conf file. Here is a link in the docs referring to this fix. Otherwise, I'm including the synopsis of the symptom/fix from the link I provided initially. Hope that helps. Resolution What causes symptom 1? Splunk Enterprise 9.2.0 introduces a scalable Deployment Server (DS) feature, which makes the DS tier more resilient and highly available. Under the hood, several new internal indexes are introduced to accommodate this feature: _dsphonehome _dsclient _dsappevent These indexes are defined in Splunk Enterprise 9.2.x by default. If your DS forwards its data to remote indexers and the indexers are running an older Splunk version, the latter will not have the above-mentioned indexes defined. This will result in the DS being unable to forward and search its DS/DC-related events. The DS's Forwarder Management UI is then unable to list the Deployment Clients (DCs), despite the clients phoning home without any issue.   Fix for symptom 1: The idea behind it is simple: As long as your DS can index its DS/DC events to the 3 indexes above and search them back, your clients should appear in the UI.   Steps: 1. Allow your DS to selectively index the phone home, client and app events to itself. This is especially applicable to on-prem DS that forwards data to Splunkcloud indexers, but it can be applied to a completely on-prem/cloud BYO environment as well.    Add the following parameters and values to the DS's outputs.conf file, followed by restarting the splunkd service. [indexAndForward] index = true selectiveIndexing = true   2. This step is applicable if your DS is forwarding its data to on-prem indexing tier and the indexers' version is older than 9.2.0:   Configure the 3 indexes mentioned earlier on your indexing tier. If your indexers are non-clustered, add the index definitions on each of them manually or using your preferred automation. If your indexers are clustered, push the index definitions from the Cluster Manager and enable replication (repFactor = auto) to benefit from cluster redundancy.   Sample indexes.conf configuration: [_dsphonehome] homePath = $SPLUNK_DB/_dsphonehome/db coldPath = $SPLUNK_DB/_dsphonehome/colddb thawedPath = $SPLUNK_DB/_dsphonehome/thaweddb # clustered indexers only # repFactor = auto [_dsappevent] homePath = $SPLUNK_DB/_dsappevent/db coldPath = $SPLUNK_DB/_dsappevent/colddb thawedPath = $SPLUNK_DB/_dsappevent/thaweddb # clustered indexers only # repFactor = auto [_dsclient] homePath = $SPLUNK_DB/_dsclient/db coldPath = $SPLUNK_DB/_dsclient/colddb thawedPath = $SPLUNK_DB/_dsclient/thaweddb # clustered indexers only # repFactor = auto   There is one additional step only if your DC sends its data to the indexers via an intermediate forwarder AND your intermediate forwarder's version is older than 9.2.x:   Add the following parameter and value to the intermediate forwarder's outputs.conf file, followed by a splunkd service restart. [tcpout] forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent)   At this point, the deployment clients should appear in the Forwarder Management UI > Clients tab.   Tips: If you still can't see the clients, run the following query on the DS and check whether it returns some events:  index=_ds*   If the query returns nothing and your DS is also a Distributed Monitoring Console instance, go to Settings >  Monitoring Console > Settings > General Setup. Locate your DMC (This instance) and click Edit > Edit Server Roles. Tick the Indexer role and click Save. Run the query again to confirm it is working. ... View more

Any suggestions how to do this in Studio using json? Thank you. ... View more

So, if I had more than one user, could I use WILDCARD(user*)? ... View more

Thank you. I figured out my problem. On the query I was trying to use username=mike and trying to reference the name mike in my emaillookup.csv lookup table. However, the name in the lookup table was in the form of mike@my-site.com . I had to regex the "@my-site.com" from the name mike in order to reference mike.  Once I was referencing mike on both the query and the lookup table, I was able to pull the fields I needed.  Thanks for both of your recommendations ... View more

13 years later and this solution worked like a charm for me. Although, I wasn't able to use the props.conf file. Not sure if that's changed since this topic came up. ... View more

@Tom_Lundie Thank you. This resolved my issue. I'm seeing most events using the wineventlog sourcetype. Although, I see some gaps in the data from 2018-2022 and with the XmlWinEventLog sourcetype, I was able to go back to 2017. Any ideas? Thank you again. ... View more

@gcusello I am using a separate app to pull the printer logs but I am also collecting windows logs using the same forwarder. I am pulling the logs manually through an app and inputs.conf file. I'll try to delete the fishbucket sub-directory and report back. ... View more

@scelikok Unfortunately running the search again does not increase the values. I opened a ticket a few months ago on this issue and they recommended the changes below with no success. Their final recommendation, was to reboot the Windows servers once a week or upgrade from 2012 R2 to 2019 or newer. I will re-open the case and request more help.   1. Change evt_resolve_ad_obj = 1 (change to 0) 2. Increase the number of pipelines to handle incoming data. Number of cpus on host minus 1. In my case I have 9 pipelines. 3. Modify outputs.conf [tcpout] stanza to: [tcpout] autoLBFrequency = 180 forceTimebasedAutoLB = false autoLBVolume = 5000000 maxQueueSize =25MB ... View more

@scelikok I'm still seeing the same issue on most hosts as you can see below. You mentioned that the events are delayed and not dropped. Is that a good assumption? Also, I'm sharing my query in case this would be helpful. I should mention that in addition to making these changes, we spun up 3 additional HFs thinking it was a congestion issue. But, we are seeing the same behavior across those HFs as well. Your help is appreciated. index=windows_ad source="WinEventLog:Security" host IN (host1 host2 host3) | timechart count by host span=1h limit=50     ... View more

@scelikok Should I bounce the UF on the host servers for these changes to take effect? ... View more