tcp start and end are not suppose to be mapped to Network Sessions Datamodel (CIM) according to Splunk: https://docs.splunk.com/Documentation/CIM/5.3.1/User/NetworkSessions: "The fields in the Network Sessions data model describe Dynamic Host Configuration Protocol (DHCP) and Virtual Private Network (VPN) traffic, whether server:server or client:server, and network infrastructure inventory and topology." Globalprotect logs should be the ones mapped to Network Sessions - VPN ... View more

Correction: After building a second HF. You do need to configure receiving. Receiving will allow the HF to receive data from forwarding clients. ... View more

@MousumiChowdhur Thanks it work, but some lines are huge specially exception one, how can trim only first line of error? e.g. current output 2022-04-25 15:35:10,514 ERROR [APP] User User1 invalid: javax.security.auth.login.LoginException: User T75171 invalid at ws.loginmodule.Spi.login(LoginModuleSpi.java:356) [loginModule2-1.0.0-SNAPSHOT.jar:] at ws.loginmodule.ModuleSpi.login(LoginModuleSpi.java:172) [loginModule2-1.0.0-SNAPSHOT.jar:] at sun.reflect.GeneratedMethodAccessor1495.invoke(Unknown Source) [:1.8.0_275] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_275] at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_275] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) [rt.jar:1.8.0_275] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) [rt.jar:1.8.0_275] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) [rt.jar:1.8.0_275] ...   expected output: _raw                                                                                                                                                                                                                                          count  2022-04-25 15:35:10,514 ERROR [APP] User User1 invalid: javax.security.auth.login.LoginException        550     any idea? Thanks ... View more

FYI - I ran into the same issue on one of my two heavy forwarders.   the issue why the  port 8000 was not accepting turned out to be an app that i had installed on the heavy forwarder. when i removed the app ( custom app )  the web port was accessible.    upon investigating the app i noticed it had index.conf and i suspect that could have caused the issue,  since that app was ment for indexer server, i deleted it from the Heavy forwarder and restarted splunk instance. the web GUI access then started working  ... View more

Splunk recommended for service restart on Slave after changing License Manager server in the document https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Swapthelicensemaster  But we have come across different options to perform the same: Update of the new LM details done from GUI --> Here restart of the service wasn’t needed, it was showing up in License Manager Update of the new LM details done from CLI Service was not restarted à Here most of the indexers were showing in License Manager Service was restarted à Some of the indexers were required restart as it wasn’t showing in License Manager ... View more

Okay. What would be the log format like - syslog or something else ? I want to understand what sourcetype we would define to these logs. ... View more

Correlation searches are just searches at the end of the day, running on a schedule. You could do a search like.. index=_internal sourcetype=scheduler savedsearch_name=part_match Look for a successful run and there should be an evcount (event count) field with a value of 0 or more if it returned any result (depends on your search if no events returned is normal or not). Also important is the 'status' field which says if it ran, was delegated, deferred, or skipped by Splunks scheduler. Please forgive any minor inaccuracies of fields, I'm not in front of a PC at the moment 🙂 Cheers. ... View more

@asiddique_splunk could you please help ... View more

The monitoring console is advising you of best practice from Plan a deployment Because of high CPU and memory usage during app downloads, it is recommended that the deployment server instance reside on a dedicated machine. While you do not have to do this, it is recommended as when the deployment server becomes overloaded it doesn't respond to other requests for a short period of time. If your using "MC" as cluster master, I'd suggest you do not share the roles on the same server... ... View more

Yes, @jkat54 , they could certainly put them in the same place if they chose. Personally, I'd tend to put it elsewhere, with enough space to allow the system to move stuff in and out as per normal operations, but that's a nit. The point is, don't blaze unnecessary trails unless you have a good reason. Out there be snakes and dragons and chiggers. ... View more

If you have the data coming in as syslog then half the work is done. Now you just need to teach Splunk how to parse it. One way to do that is to save 1,000 or so events in a text file and use the Add Data wizard to load that file. This offers an interactive method to try various settings to see which ones work with your data. Once you find the settings that work, copy them to the props.conf file in the app you created for your HP objects. ... View more

Have a look at the REST API: https://help.servicedeskplus.com/api/rest-api.html ... View more

First we understand LTM and GTM: - LTM is a server load balancer which can load balance from L4 (IP addresses and ports decisions) to L7 (URL-based decisions) servers and links - GTM is a multi datacenter / multi links load balancer which load balance users to the best datacenter and Link acting as DNS server for a DNS zone or single DNS records Link Controller is a product using limited features of both LTM and GTM: - Load balancing L4 only (Links and servers) from LTM - Multi Links load balancing from GTM (No multi Datacenter) So as long as OS version on device is falling between 10.1 - 12.X this should be good.But may be someone who knows this in and out can confirm this better. ... View more

@skoelpin - Thank you for your advise. ... View more

Yes that is correct 🙂 regex101.com also has explanation of this! ... View more

Yes, it does. Thank you! ... View more

Hi @amarish_vlabs, does this answers your question or you have some query? Please feel free to ask. If no query, please accept the answer so as to close this open question. 🙂 Thank you - Saurabh ... View more

For anyone reading there are two posts that summarise this information, this one and https://answers.splunk.com/answers/59662/is-there-a-systemd-unit-file-for-splunk.html A full explanation post is here https://answers.splunk.com/answers/738877/splunk-systemd-unit-file-in-versions-722-and-newer.html regarding systemd + Redhat 7 and getting it working ... View more

Splunk's best practice is to write the networking device's logs to a intermediary syslog server (this is to ensure continuous availability of network devices logs irrespective of availability of splunk servers) , you may use syslog-ng or rsyslog - so have a syslog server configure the cyberoam device to start sending the logs to syslog server's IP address check if the logs are being written to syslog or not if the logs are coming, then install the splunk universal forwarder on that syslog server which shall monitor these logs/directory and send them to your indexer IP on port 9997 with sourcetype: cyberoam & Index : *custom* Monitor files and directories with inputs.conf (https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Monitorfilesanddirectorieswithinputs.conf) Install Cyberoam addon on your splunk instances for automatic field extractions search for index=* sourcetype=cyberoam ===== Another direct approach can be - a. configure the device to send logs directly to your indexer IP address on UDP 514 b. have the addon installed on your instances of splunk c. open the port UDP:514 on splunk and on your splunk server's OS firewall Input Type : UDP Port Port Number : 514 Source name override : N/A Restrict to Host : give IP of your device (1.2.3.4) Source Type: cyberoam App Context : search Host : (IP address of the remote server) Index : create new > cyberoam d. ensure that there is no other device which might be blocking this data movement e. search for index=* sourcetype=cyberoam ... View more

Hi @rjthibod, Have you looked at this documentation http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf ? Specially this one REGEX and the FORMAT attribute: * Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases (see the description of FORMAT, below). * If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>. * For example, the following are equivalent: * Using FORMAT: * REGEX = ([a-z]+)=([a-z]+) * FORMAT = $1::$2 * Without using FORMAT * REGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+) * When using either of the above formats, in a search-time extraction, the regex will continue to match against the source text, extracting as many fields as can be identified in the source text. So are you giving field name in your REGEX ? ... View more

@fabiocaldas Great to hear that. IF this pointed you in right direction to fix the issue, please accept my answer. ... View more

@ankithreddy777 DEST_KEY = _raw is generally used for masking the sensitive data (card numbers, PINs or IP addresses) which comes in _raw This is supplemented with REGEX = (your regex e.g. to extract PIN) - for values which you want to mask in your raw data and FORMAT = $1PIN=####$2 masking the 4 digit PIN with 4 hashes. ... View more