After attending a pair of confs I wanted to start a thread of thoughts about What should I do at my first Splunk .conf? I have a single question at the bottom. Feel free to add on and make suggestions. Visit official Splunk booths Outside of your scheduled sessions this should be your top priority when you get there. This is when you get to speak with the development teams behind current, new and upcoming Splunk modules and features. There are some neat non-NDA internal projects also worth seeing especially if you have a homelab and want to do some cool weekend projects. My Experience: Last year my most memorable conversation was with the MLTK team when i asked them why UBA didn't leverage MLTK if MLTK was as awesome as the streets tell me. This year I spoke with the someone from the UI team and we spoke about the color palette challenges they were faced with the dark mode. Visit Vendor booths Many of them are MSPs or Splunk app makers. Because MSPs are trying to sell you a service they are more willing to share real world processes and challenges that you can take back to your shop. You can also speak with app & appliance vendors about their TA. Your shop use syslog-ng? They are there. Your shop use Checkpoint? They are there. ect. Visit 'Ask The Experts' (get answers, you can) This is your opportunity to sit with a Splunk expert and have them answer your questions. I've seen people break out laptops, but I always have my questions ready to go by the time I get there. Splunk Answers is where I ask 'How' questions. 'Ask the Experts' is the perfect opportunity to ask 'Why' questions in a face to face Apple store Genius Barish setting. Visit the 'Innovation Lab' (the only place you can't take photos) Here is where you really get to see some AMAZING things Splunk is doing internally. They make you sign an NDA before you can enter and because of that I can't get any much more specific. What I can say is that I was beyond impressed by what I saw in there. Sign up for BOTS or BOTN (gather three co-workers and find a cool team name) These competitions take place just before .conf and will do two very important things for you: 1 Expose you to Splunk use cases with accompanying data sets. This data is VERY robust. The use cases go from really really easy, all the way up to REALLY hard. 2 Give you a FREE hands-on with Splunk's entire Enterprise offering (as of the time of this writing it is UBA,MLTK,ES & Phantom) all configured and all ready to get busy on the data set they provide for you. 3 There is a Splunk session dedicated to analyzing the data generated from the competition. The description made it sound really interesting and I didn't realize this until it was too late, my 3rd biggest miss of .conf. The innovation lab had some things in there that I want my company to have a hand in testing. But because I didn't read the details of the NDA, and I am uncertain if I can even ask my sales person about the project I have in mind. How can I get in contact with a specific team from the innovation lab? ... View more

Rexex101 works GREAT. However, Splunk gives me an error. I keep getting the following error with the regex below: I am trying to extract everything before \ or \ Error in 'rex' command: Encountered the following error while compiling the regex '(?[^].)': Regex: missing terminating ] for character class* | rex field=src_user "\\(?<user>[^\\].*)" Here are the examples of what I'm trying to extract: DTTSOL-EAST\SQLAdmin DTTSOL-EAST\SQLAdmin task@delly\mason DANNY@rand\D calicoe\iron What am I doing wrong and should I use something else besides regxex101? ... View more

Hello, I hope someone can help. I am attempting to do a subsearch that I am having difficulty with and hope someone here can assist. I would like any fields in SourceB or SourceC that match SourceA, to be returned I'd previously had the following syntax: SourceA | table field1 | search [ | search SourceB table field1 ] | search [ |search SourceC field1 | table src] but now, I need it to be interpreded more like this: SourceA field1 (SourceB field1 or SourceC field1) ... View more