I currently have a Splunk Cloud instance running 8.0. This add-on is not compatible with Splunk Cloud or 8.0. If I were to install an HF on premise running 7.3 and send the logs to Splunk Cloud I'm pretty sure that would work as far as getting data in. Without the add-in in Splunk Cloud would we be missing field extractions and possibly other things? ... View more

The download page says "Cisco eStreamer eNcore Add-on for Splunk is an eStreamer client with a Splunk plugin that provides comprehensive event forwarding from all 6.x versions of Firepower Management Center to Splunk Enterprise and Splunk Enterprise Security. The following event types are supported with complete schema coverage through the eStreamer API specification for FMC version 6.2." Is the 6.x correct, or is there something about 6.3 that breaks it? ... View more

I have a lookup table that is giving me strange search results that I can't figure out — I have a table which is a list of names, and the team they are on: person1,team1 person2,team1 person3,team2 However, there are people in the data that may not be defined in a team. I was looking to define them as "Other", so I could create searches for them without using nots. So, in my lookup definition I have Minimum Matches set to 1 and Default Matches set to Other. Also, automatic lookups are turned on. When I search like: index=myindex and drill into interesting fields, it shows a count of 239,824 in team Other If I click on Team other, or search like: index=myindex team=Other Then it shows a count of 86,495. Why would it be showing 239824 on a more general search, and 86495 when searched for specifically with everything else (including time picker) being the same? After a bit more testing, to rephrase the question: If I do the automatic lookup, with a minimum match of 1 and the default match=Other set, I get a different count than running: index=index| fillnull value=Other Team| search Team=Other Shouldn't they be the same? ... View more

This add-on stops Splunk from starting as it's written. Changing line 12 in props.conf to the following fixes the issue: TRANSFORMS-cb-host-override = cb-host-override Not much of a question - but this was the only contact method given. ... View more

I've been running through the Splunk App for Windows Infrastructure basically as a lab because it seems to cover many pieces of a Splunk deployment. I'm on the step at https://docs.splunk.com/Documentation/MSApp/1.4.3/MSInfra/DownloadandconfiguretheSplunkAdd-onforWindows and it says: "The [admon] input should only be enabled on one domain controller in a single domain. The [admon] input directly queries the Active Directory domain controllers. Enabling this input on multiple Splunk instances can disrupt your Active Directory servers and eventually make them unresponsive, preventing users from accessing needed services. " I read in a different answers thread that the impact is really negligible and to run it on all DCs. Is this the case? Also, what is the impact if the [admon://default] disabled = 0 is deployed on to a non-DC? Should I separate this into two apps, one for DCs, one for member servers? Or a separate application only pushed out to one DC from the deployment server to respect the "only enabled on one" rule mentioned above? ... View more