Hello @richgalloway,  Thanks for the information, I will try to do that ! Regards, GaetanVP ... View more

Hello @aditsss, If you are receiving those two lines in the same event you could try to use something like this : index="abc"sourcetype ="600000304_gg_abs_ipc2" source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "Reading Control-File /absin/CARS.HIERCTR." | rex "(?<starttime>.*?)\s\[.*\s\].*[\r\n]+(?<endtime>.*?)\s\[.*\s\].*" This gave me the following results : Hope it helps ! GaetanVP   ... View more

Hello @DataOrg, I do not know if it can cause the issue but truncate needs to be in capital letter : TRUNCATE = 0 The AUTO_KV_JSON = <empty> is also weird, try to remove it. Also what query are you using to search this json log after you had indexed it ? I used the following props.conf and the json was not truncated : [QualificationTests] DATETIME_CONFIG = CURRENT INDEXED_EXTRACTIONS = json KV_MODE = none LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true category = Database disabled = false pulldown_type = 1 TRUNCATE = 0 Hope it helps, GaetanVP ... View more

Hello @gcusello thanks for your answer, Okok I will deployed the base Nix app and a custom one for each group. Thanks ! GaetanVP  ... View more

In case of Windows DC node with DNS enable you would go for classic UF installation and monitoring ? Thanks  ... View more

Hello @Jasmine, Could you please share the JSON you have in inputs please ? Would be helpful to do some tests and give you an answer ! Thanks GaetanVP ... View more

Hello @splunkreal, Yes, first you need (as far as I know) to enable the HTTP Event Collector on your receiver (let's suppose it's a standalone Splunk Server). You need to navigate (from the GUI) to settings/data inputs/HTTP Event Collector and click on Global Settings. From there you can enable all Tokens, eventually disable SSL and save. Finally create a New Token from the same page. Then from another machine (or here in my test in localhost) you can run this curl command : curl -k -X POST -H "Authorization: Splunk <hec_token_created>" -d '{"event": "Hello World!", "index": "<your_index>"}' http://<splunk_receiver>:8088/services/collector/event Then you should be able to search this event you just sent. Hope it helps ! GaetanVP ... View more

Yes when you create/modified an inputs.conf file, and do not specify anything in front of the "index" key, Splunk will by default forward the logs to the main index. I suppose you missed to configure the targeted index in one of your inputs.conf file, to find it you can once again use the btool command to locate the conf file that you will need to modify ! /opt/splunkforwarder/bin/splunk btool inputs list --debug | grep -i fortigate /opt/splunkforwarder/bin/splunk btool sourcetypes list --debug | grep -i fortigate This should return the path where you specified the sourcetype for incoming fortigate data. Let me know how it went ! GaetanVP  ... View more

Hello @dnikam, You could try the following : | <you_base_search> | rex field=<field_where_you_have_your_numerical_info> "^\D*(?<Field1>\d*)\/(?<Field2>\d*)" | eval ratio=Field2/Field1 | fields ratio, Field1, Field2 | where ratio > 0.8 If you run this search, it will display an event only if the ratio is actually above 0.8  You can simply click on the "save as" button, choose alert and complete the other info, be sure to trigger the alert when the number of results is greater than zero, and select the correct schedule time, for instance :  Hope it helps ! GaetanVP ... View more

Hello @ornaldo , Here are some thoughts regarding your porst : - There are a lot of output.conf and input.conf directories. Which is the correct one ? Indeed, you can have multiple inputs.conf and outputs.conf Splunk files configured on a machine. Splunk will basically merged all of those file with a specific precedence. More info here : https://docs.splunk.com/Documentation/Splunk/9.1.0/Admin/Wheretofindtheconfigurationfiles In your case, I think this is precedence that will be "follow" It is not really the best practice to put inputs.conf and outputs.conf directly in /opt/splunkforwarder/etc/system/local of a Universal Forwarder because some configuration could be overridden by same *.conf file located in /opt/splunkforwarder/etc/apps/<my_apps>/... Another way to list the final merged that Splunk did for a specific configuration is the following commands : /opt/splunkforwarder/bin/splunk btool inputs list --debug /opt/splunkforwarder/bin/splunk btool outputs list --debug This will display what configuration are applied and where it is located, can be useful to debug.   - In SPLUNK i can see that logs are coming using index=_internal  but there are not the logs of fortigate Yes by default after the UF installation, Splunk will try to forward all the Splunk internal related logs to the tcpout defined. The logs forwarded are for instance located in /opt/splunkforwarder/var/log/splunk Using the first point, if you want to learn more about what is monitored and how it's forward to your indexer, you can use :  /opt/splunkforwarder/bin/splunk btool inputs list --debug | grep -i _internal You will be able to locate all the apps containing conf files responsible of sending logs to the "_internal" index.   Hope it helps ! GaetanVP   ... View more

Hello @isoutamo, thanks for you answer Okay so you would suggest me to implement those two possibilities : Palo Alto --> Syslog Server with UF installed --> HF --> Indexers (1) Palo Alto --> HF with SC4S --> Indexers (2) I do not really understand how those architectures can prevent data loss in case of a crash of the Syslog Server (1) or my HF (2). None of the servers will ask Palo to "resend" some data missed, or am I wrong ?  Thanks, GaetanVP ... View more

Hello @SplunkExplorer, Indeed you're right, you can add some lines in the inputs.conf file to tell your Splunk UF to "Monitor more stuff". More precisely, during the UF installation, Splunk should have created an application with an inputs.conf file that you can open and modified at this path : C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local If you want to keep all your monitored files/channels in the same place, you can add the new configuration at the bottom of this file (otherwise you could have created a new app and create a new input.conf file)... Nevermind, in order to monitor the powershell logs, you can simply add a new stanza with the following : It will be very similar to the stanza that Splunk created during installation time, since all those type of logs can be retrieved from windows event channels (powershell is just another one, like system, application or security...) [WinEventLog://Windows PowerShell] checkpointInterval = 5 current_only = 1 disabled = 0 renderXml = 1 evt_resolve_ad_obj = 1 If you want detail of what is the purpose of each key, feel free to check the official inputs.conf doc : https://docs.splunk.com/Documentation/Splunk/9.0.5/Admin/Inputsconf Do not forget to restart your Splunk UF (restart the service or use the "splunk restart" command) !   For DNS logs, I do not know if the logs are registered in a Win Event Channel... Or do you save the logs in a specific location ? This location could be monitored with the same inputs.conf file.   Hope it helps ! GaetanVP ... View more

Hello ! @gcusello very smart to think about the transpose method ! I just had a problem when it come to to sum the Hardware Level 1 + Printer, it did a concatenation of string and int...  There is probably a clean and quick way to counter this issue... But I ended up with this :  | makeresults format=csv data="techGroupLevel, tech_Group_Requests Hardware Level 1, 10000 Applications Level 1, 800 Printer, 758 MIS, 7 NULL, 8" | replace "Hardware Level 1" WITH hardware_level_1 | transpose 0 header_field="techGroupLevel" column_name=tech_Group_Requests | eval "Device Management"=hardware_level_1+Printer | eval Other=MIS+NULL | fields tech_Group_Requests,"Device Management","Applications Level 1","Other" | transpose 0 header_field="tech_Group_Requests" column_name=techGroupLevel @PaulaCom I hope it helps ! Regards, GaetanVP ... View more

Hello @venky1544, I do not understand 100% of your problem, How exactly do you receive / ingest the data ? Once a day you will have a new line inside your dataset ? Would you be able to share a screenshot of a Splunk Search where you display those data ?  Also I am surprise that your USED_SPACE does not grows from 07 to 10, it goes 10 to 13 to 10MB again ? Regards, GaetanVP ... View more

Hello @Tao_Zeng, You could try something like this    | makeresults | eval TEST="\n User-Agent: iOS/16.4.1 iPhone\n P-Access-Network-Info: 3GPP-NR-TDD;utran-cell-id-3gpp=4600101200e020432103\n Security-Verify: ipsec-3gpp;alg=hmac-md5-96;ealg=null;mod=trans;port-c=9950;port-s=9900;prot=esp;spi-c=2155781586;spi-s=4286488018\n" | rex field=TEST "P-Access-Network-Info: (?<KeyValue>.+?)\\\n" | table KeyValue   Thanks @yeahnah for the triple backslash, I didn't know it. I thought one "/" to exclude the "/" afterwards would be enough, and n is a literal character so I do not really understand... But it's working ! Regards, GaetanVP ... View more