Hi All, I'm having issues with ingesting my CSV files properly into Splunk and did not come across any current Q&A that could help my specific issue. An example of a couple rows of data in my CSV are as follows with their respective header field at the top of the file, Plugin ID CVE CVSS v2.0 Base Score Risk Host Protocol Port Name Synopsis Description Solution See Also Plugin Output STIG Severity CVSS v3.0 Base Score CVSS v2.0 Temporal Score CVSS v3.0 Temporal Score Risk Factor BID XREF MSKB Plugin Publication Date Plugin Modification Date Metasploit Core Impact CANVAS               135860     None host2.web.com tcp 445 WMI Not Available WMI queries could not be made against the remote host. WMI (Windows Management Instrumentation) is not available on the remote host over DCOM. WMI queries are used to gather information about the remote host, such as its current state, network interface configuration, etc. Without this information Nessus may not be able to identify installed software or security vunerabilities that exist on the remote host. n/a https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page Can't connect to the 'root\CIMV2' WMI namespace.   None       4/21/20 12/21/22                     166602     None host2.web.com tcp 0 Asset Attribute: Fully Qualified Domain Name (FQDN) Report Fully Qualified Domain Name (FQDN) for the remote host. Report Fully Qualified Domain Name (FQDN) for the remote host. n/a   The FQDN for the remote host has been determined to be:   FQDN       : host2.web.com   Confidence : 100   Resolves   : True   Method     : rDNS Lookup: IP Address Another possible FQDN was also detected:         None       10/27/22 10/27/22                       For the second event's Plugin Output field, it keeps reading each new line as a new row. A lot of the rows contain similar data which is causing there to be far more logged events than there are rows in the CSV file.  How can I ensure these fields get parsed properly to keep each row within one event and each cell as it's own field? I have tried a handful of configurations and am currently working with the following, props.conf     [csv] INDEXED_EXTRACTIONS = csv DATETIME_CONFIG = CURRENT SHOULD_LINEMERGE = true NO_BINARY_CHECK = true CHARSET = AUTO KV_MODE = none pulldown_type = true [scan_reports] REPORT-scan_reports = csv_fields     transforms.conf     [csv_fields] DELIMS = "," FIELDS = "Plugin ID", "CVE", CVSS v2.0 Base Score", "Risk", "Host", "Protocol", "Port", "Name", "Synposis", "Description", "Solution", "See Also", "Plugin Output", "STIG Severity", "CVSS v3.0 Base Score", "CVSS v2.0 Temporal Score", "CVSS v3.0 Temporal Score", "Risk Factor", "BID", "XREF", "MSKB", "Plugin Publication Date", "Plugin Modification Date", "Metasploit", "Core Impact", "CANVAS"       Any help will be greatly appreciated!  ... View more

Hello Fellow Splunkers! The goal is to create ServiceNow Incidents/Events exclusively from Splunk Enterprise alerts using the Custom Alert action (we do not have Splunk ES or Splunk ITSI*).  I have a distributed Splunk Enterprise deployment that contains an Indexer Cluster, Heavy Forwarder, and two Standalone Search heads (in addition to the Cluster Master and Deployment Server). I have yet to see this implementation work in a deployment with only Splunk Enterprise. Please let me know if this configuration is possible with an on-prem Splunk Enterprise deployment.  For context, I currently have the following configured, Splunk_TA_snow deployed to the Search Heads, Heavy Forwarder and Indexer Cluster (the add-on in the Indexer Cluster does not contain the inputs.conf file) Logs are being ingested via the Heavy Forwarder and the ServiceNow account is making successful connections to the Heavy Forwarder and Search Heads configured account. I have tried configuring the below on alerts with no luck I have also tried passing | snowincident within the alert's SPL to create a new incident in SNOW. Any help or tips will be greatly appreciated! ... View more

Hello Fellow Splunkers! I have an environment that's using Twistlock and is deployed in EKS. We are able to collect the majority of logs via Kubernetes logging, however our team really wanted to utilize the application created for Twistlock (https://splunkbase.splunk.com/app/4555/). Has anyone else run into issues using the app for this architecture type? If not, has anyone successfully configured this application to use the predefined sourcetypes shown in the app? Any guidance will be greatly appreciated!   ... View more

Hello Fellow Splunkers! Can someone please explain the need for deploying Splunk with the minimum hardware requirements? If the specs are reduced is their data loss or just lagging? I constantly get this question and have not been able to find anything on it in the Splunk documentation.   Thanks in advance for the help! ... View more

Hello! Has anyone ever successfully ingested Red Hat Satellite logs using Splunk? If not, are there any plans on making a TA for this use-case in the near future?  ... View more

Hello Fellow Splunkers, I have been looking for a solution to ingest Dell EMC Unity 500 storage logs and my research has basically told me it's not possible...I just find that hard to believe with the power of Splunk so wanted to ask you all if you've seen this ingested before and if so, how? I saw a similar post with this same question here: https://community.splunk.com/t5/Deployment-Architecture/How-to-add-the-logs-of-EMC-unity-storage-to-splunk/m-p/394811 However, it's from 2018 and doesn't appear to have a solid solution linked to it. Please reach out if you have any suggestions, solutions, or questions! ... View more

Hello Everyone, I have an environment consisting of three VPC's (say x, y, and z). Each VPC holds Linux, Windows and AWS logs. I have successfully set-up the AWS log ingest using separate indexes (aws_vpcx, aws_vpcy, aws_vpcz). However, I'm struggling to get the Linux/Windows data to index the same way. The unique identifier I'm using is hostnames. The following holds true for all hostnames per VPC, VPC X has hostnames == vpcX*** VPC Y has hostnames == vpcY*** VPC Z has hostnames == vpcZ*** For Linux logs I tried to add the following : Inputs.conf currently has (index=os_vpcX) so the default is for all Linux hosts in VPC X which is why it's not in the props and transforms files below. Currently all VPCs are sending to the os_vpcX index instead of all three and I need to figure out why the below config isn't working. I'm doing this from the cluster master and pushing it to the indexer cluster. props.conf [host::vpcY*] TRANSFORMS-osVpcY = osVpcYTrans [host::vpcZ*] TRANSFORMS-osVpcZ = osVpcZTrans transforms.conf [osVpcYTrans] REGEX = vpcX.+ DEST_KEY = _MetaData:Index FORMAT = os_vpcy [osVpcZTrans] REGEX = vpcY.+ DEST_KEY = _MetaData:Index FORMAT = os_vpcz  My second question is the same but for the Windows add-on..this seems more difficult with the single inputs.conf file having multiple indexes in it. Is there a way for me to specify more than one 'unique' thing about the stanza? For example, this is the default windows inputs.conf containing multiple indexes...I will need the windows index to go to either windows, windows_vpcY, or windows_vpcZ depending on the host that's sending the logs..but then I will also need that same separation for the wineventlog data (wineventlog, wineventlog_vpcY, wineventlog_vpcZ). ###### WinEventLog Inputs for DNS ###### [WinEventLog://DNS Server] disabled = 0 renderXml=true index = wineventlog ###### DHCP ###### [monitor://$WINDIR\System32\DHCP] disabled = 0 whitelist = DhcpSrvLog* crcSalt = <SOURCE> sourcetype = DhcpSrvLog index = windows  Thanks in advance to anyone that can help!  ... View more