I imported a csv into Splunk and now I need to compare two of the fields to find identical values. Compare the values of "Customer_Full_Name" and "User_Full_Name" to find who, if anyone, is both a customer and a user. I feel like eval should be able to help here but can't think of how to do it. Once I have that figured out I need to see if there are users looking at the records of customers that happen to also be users but I'll leave that for another question later. ... View more

Splunk isn't completely parsing the xml into fields in search results, only sections. For example, in the sample event below, the system and userdata sections are fields but the xml headers inside them are not parsed into fields (i.e. Username and IpAddress .) Based on some of what I've read here in the forums, I've already edited my props.conf for sourcetype=XmlWinEventLog but haven't seen any change. [source::XmlWinEventLog] KV_MODE=xml TRUNCATE = 0 I don't know what I'm missing and could use some help. (Hell, what I put in there, Splunk was probably already doing) Here's a sample event (I added line breaks to make it easier to read. Raw data in search results it's a single line): <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" xml:lang="en-US"> <System> <Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /> <EventID>200</EventID> <Version>0</Version> <Level>4</Level> <Task>2</Task> <Opcode>30</Opcode> <Keywords>0x4020000001000000</Keywords> <TimeCreated SystemTime="2020-02-21T18:54:19.913701800Z" /> <EventRecordID>1219</EventRecordID> <Correlation ActivityID="{BEA11342-474B-47DE-907D-F2FBEBD40000}" /> <Execution ProcessID="5480" ThreadID="8416" /> <Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel> <Computer>gatewayserver.domain.com</Computer> <Security UserID="S-1-5-20" /> </System> <UserData> <EventInfo xmlns="aag"> <Username>domain\username</Username> <IpAddress>173.x.x.x</IpAddress> <AuthType>NTLM</AuthType> <Resource /> <ConnectionProtocol>HTTP</ConnectionProtocol> <ErrorCode>0</ErrorCode> </EventInfo> </UserData> <RenderingInfo Culture="en-US"> <Message>The user "domain\username", on client computer "173.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".</Message> <Level>Information</Level> <Task /> <Opcode /> <Channel /> <Provider /> <Keywords> <Keyword>Audit Success</Keyword> </Keywords> </RenderingInfo> </Event> ... View more

I have a bunch of light forwarders sending data to a central heavy forwarder which then sends the data to the main indexer. On the central heavy forwarder and the main indexer I've created an index called windows . When I run a search on the main indexer, it doesn't look like all of the data is going into the windows index and I don't know why. In particular one Windows 7 Professional system (a light forwarder) and a Windows XP Pro system (the central heavy forwarder). The other systems are getting forwarded just fine (They consist of Win 2000, XP, Server 2003 and Server 2008 R2). Help? On each light forwarder Ive placed inputs.conf in: %SPLUNK_HOME\etc\apps\SplunkLightForwarder\local\inputs.conf [default] index = windows On the central heavy forwarder I've placed the inputs.conf in: %SPLUNK_HOME\etc\apps\SplunkForwarder\local\inputs.conf [default] index = windows ... View more

I have a bunch of light forwarders sending data to a central heavy forwarder which sends the data to the main indexer. This is my props.conf and transforms.conf located on the central heavy forwarder. The light forwarders and main indexer do not have a props.conf or transforms.conf . Is this correct and/or what am I doing wrong and is there a more efficient way to do this? Thanks. props.conf (located %SPLUNK_HOME\etc\system\local\props.conf ) [wmi] TRANSFORMS-wmi=wminull transforms.conf (located %SPLUNK_HOME\etc\system\local\transforms.conf ) [wminull] REGEX=(?m)^Process_Name="C:\\Winpds\\Prismexe\\netman.exe" DEST_KEY=queue FORMAT=nullQueue [wminull] REGEX=(?m)^Process_Name="C:\\Program*\\Symantec\\Symantec*Endpoint*Protection\\Rtvscan.exe" DEST_KEY=queue FORMAT=nullQueue ... View more