@las Your response is not correct. Or - to be more precise - it's partially correct but you draw wrong conclusions from it. Yes, UF by default sends cooked data but it is only cooked, not cooked and parsed (unless you're using indexed extractions but that's a story for another day). Cooked data _is_ getting through all normal phases of processing - line breaking, timestamp recognition and so on. So your ingest evals will only work if you're indeed getting unparsed data from UFs. It will _not_ work if you're getting parsed data from other HFs (or SHs, or a copy from indexers) or parsed data from UFs which has undergone indexed extractions. BTW, ingest actions are RULESETs just with added fancy UI. ... View more

You're touching an interesting topic here. Have you actually tried moving the processing as far back as parsingQueue? Intuition hints that since the parsed data is already in UTF, the input stream has already been split into single events, parsingQueue shouldn't actually do much at this point. Maybe some metrics manipulation. I also wonder how would re-merging events in aggQueue affect already created indexed fields...   ... View more

As I already wrote (albeit in a shorter form) - if you're receiving data which has already gone through a full Splunk Enterprise instance (indexer, HF...) or comes from a UF but has been ingested with indexed extractions configured, it is already parsed and will _not_ go through your transforms. You need to use RULESET instead of TRANSFORMS to process them.   EDIT: Alternatively you could probably use the "route" option in your input and send all data again to typingQueue but this is not a very well docummented option and it might not be easy to debug should anything go wrong. Anyway, each of those methods has its pros and cons. If you use RULESET, your data will only hit that ruleset (and maybe other ones you have defined). If you send the data to typingQueue your data will get affected by index-time operations defined by your add-ons which might or might not be what you want. ... View more

Well, sorry to be saying that but that's what you get when you skip the required upgrade steps. The installation manual says that you have to upgrade from 9.3 to either 9.4 or 10.0 first. Then you can jump to 10.2. At this moment, since there's no official way of downgrading your environment, all you can do is raise a support case - maybe they'll be able to help you with converting your KVstore database. ... View more

10.4 still has 2.17.2 in splunk_archiver app. But the question is - does your VM team have any idea on what this vulnerability is about? And is there any chance it is "live" in your Splunk installation? As far as I can see in my 10.4, the only log4j instance is in the splunk_archiver app which doesn't seem to do any XMLlogging. So maybe it's just that the team is blindly sending out notifications just because their scanner "found" something. ... View more

It is a quite old thread but there are some things which can be said. In general, I believe  that yes, you should be able to reference a field you're setting on input. But you might need to just use SOURCE_KEY=userindex instead of referencing whole _meta. The main problem here is that if your data comes in as parsed, it won't be touched by TRANSFORMS. You need to use RULESET. And you need to define a ruleset for [default] stanza (ok, you might do a wildcarded host stanza as well but somehow I find it less easy to read but YMMV)  because you have no control of what the source is sending. That's just one of the assumptions with s2s - you implicitly trust the sender and trust that the metadata is correct. ... View more

Either there is something more going on with your data than you're showing or you're sloppy in copy-pasting. Earlier you showed us supposed contents of your event having a "message" field with a value of "Complete". Now you're searching for a string "Completed" there. If both your event and your search were literal copies from your environment, they have no thance of matching one another.   ... View more

About the SentinelOne app - it is built by a third party so I wouldn't expect too much of it in terms of  quality. Not to diss anyone, it's just that people who don't work with Splunk normally can - for example - just happily assume that there are no more complicated environments than all-in-one splunk installations. This particular app seem to contain everything (from inputs to dashboards) in a single app which is not a good practice.  This makes you have to ship different versions of the same app to different tiers with varying configurations instead of just pushing a TA here, an app there... Not very pretty. Anyway, SentinelOne is - as far as I remember - a solution with cloud console so the inputs work in pull mode - they just execute an API dump of the data from your cloud tenant. So depending on your architecture, you have to install the app on your SH tier to have properly defined field extractions and other search-time knowledge objects. You also need to install the app on your HF and define input(s) pulling the data.  There doesn't seem to be much documentation available about this app apart from what is in the "details" section on splunkbase so configuring this app with .conf files might be tricky - another thing showing that creators don't work with Splunk much - they expect you to configure everything using webui. For the Ubiquiti - it's a brand and there are many different solutions provided by them - APs, switches, routers. I suppose they produce different kinds of logs.  ... View more

If this is your idea of skipping the intermediate upgrade step, that's not a very good idea. The intermediate step isn't there just for fun, you know? ... View more

Adding a bit more info to @tscroggins 's excelent answer. 1. Splunk as such generally ingests and processes text data. 2. Pcaps can be "processed" but not by Splunk directly but by additional component - Splunk App for Stream app which can extract info from the network stream (either captured directly or provided as pcap). 3. While it is possible to store text-encoded binary data (as @tscroggins has already shown us), usually it doesn't make much sense. It's like hammering nails with binoculars - can be done, sometimes if you don't have anything at hand you might want to resort to using it but it's in now way an optimal solution. ... View more

That is interesting though because I don't think MacOS version would differ here much from the Linux one and I have a running 10.4 instance which launches mongod with cmd parameters (which also seem to be included in your log output) explicitly pointing to PEM keyfile and cert. Also I don't see any keystores within my Splunk installation.  But. I see other threads saying that on Windows mongod relies on the cert being imported to the machine local cert store. Which suggests that on MacOS Splunk might be doing something similar. Also reading further down those threads I'd suspect there is something... not exactly "wrong" as such, but rather unsupported by mongod - either some unexpected characters in certificate attributes or maybe some strange characters in private key password... ... View more

This is not really a Splunk question. It's a question about feasilibity of OS upgrade. Windows in-place upgrade is always tricky and as far as I remember, most windows admins I knew advised fresh installation rather than in-place upgrades. You can try it but you must have a plan B in case it fails. ... View more

PFX? I wasn't aware Splunk components could use PKCS12-formatted crypto material. I was only aware of PEM support. Since you seem to be using self-signed certs, have you tried just recreating the certs using splunk createssl command? https://splunk.my.site.com/customer/s/article/How-to-renew-certificates-in-Splunk ... View more

Yup. This pretty much covers it. Just be aware that if/when the inputs already processed some data which they might be able to re-get or re-read, it might be very difficult to get just those missing events without reingesting a whole lot of other data. Resetting checkpoint will usually do just that - restart from scratch.  ... View more

Adding to @richgalloway 's answer - Splunk works on a per-bucket basis. So the actual retention depends on the age and overall composition of events within each bucket. Splunk rolls whole bucket when the most recent event within the bucket gets older than the pre-set retention time. ... View more

Sorry to say that but I have no idea what LLM you pulled this one from. Splunk has no way of "assigining logs to a specific pipeline". There are no specific settings per pipeline if you have more than one and there is no maxKbps setting at inputs level. There is just one global throughput maxKbps setting set in limits.conf.   ... View more

I'm not sure it works like that. If inputs were tied to the particular queues, scaling processing pipelines would have no effect on single input. And as far as I remember, I had multi-pipeline UFs with lagging inputs and it wouldn't help much. ... View more

I haven't touched it in ages but I was pretty sure the inputs were independent on the processing queues. ... View more

While you can to some extent "stretch" your DS capacity by making the clients phone home less frequently which reduces stress on the DS instance, you still need memory for holding the info about all known DCs so you can't scale it indefinitely. And I wholeheartedly agree that configuring DS with GUI doesn't scale well especially since some settings are unavailable in GUI. ... View more

Yes, currently the DS clustering is the official way but I'm not a big fan, to be honest. Most importantly - it requires shared storage which typically makes it tricky to do over multiple sites. ... View more

Can you please copy-paste your whole event into a preformatted paragraph or code block? It's not obvious what your event looks like. ... View more

Before introduction of DS cluster there used to be advanced DS setups recommended for big installations (and taught on advanced Splunk trainings). But they are not meant for beginner/intermediate admins because they introduce quite a lot of possible issues if not done properly. (and require some different ways of troubleshooting as we can see). I must say I haven't worked with such setups myself. ... View more

The overall idea is sound but you have to remember that OS level name resolver can cache entries. Dealing with it might require different things on different OS-es. ... View more

Assuming the users logged out and back in (just to be sure; I'm not 100% it's required), editing roles should be quite immediate. Question is how how did you edit those permissions? Maybe you did edit the authorize.conf file and did _not_ reload the effective config? ... View more

Generally speaking - no. There is no way to prioritize inputs. And yes, it can have an impact on UFs sometimes. I've had a strange setup with a UF checking huge number of  files from network shares. Every time the UF was restarted it would need about an hour to catch up with the states of all the monitored files. As far as I remember it even lagged ingestion of forwarder's internal events. That was very wrong and luckily has been fixed since. But it shows that you can't prioritize inputs versus each other.   ... View more