Hi PickleRick, Agreed.  Than do i remove the sourcetype= statement from stanza in inputs.conf  ? ( becuase it is over written any way ) please share your thoughts. also  do i create seperate index for metrics mentioned in my inputs.conf of keep with eventtype index ? here is snipped of inputs.conf ------------------------------- inputs.conf ----------       # ###### OS Logs ###### # [WinEventLog://Application] disabled = false start_from = oldest current_only = 0 checkpointInterval = 5 renderXml=true index = winos ----- ------ ----- # ###### Host monitoring ###### # [WinHostMon://Computer] interval = 600 disabled = false type = Computer index = winos [WinHostMon://Process] interval = 600 disabled = false type = Process index = winos ----- ----- # ###### Win Registry Monitoring # [WinRegMon://default] disabled = false hive = .* proc = .* type = rename|set|delete|create index = winos ------- ------ # # perfmonance Monitoring # ###### Splunk 5.0+ Performance Counters ###### ## CPU [perfmon://CPU] counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec instances = * interval = 30 mode = single object = Processor _meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host useEnglishOnly = true sourcetype = PerfmonMetrics:CPU disabled = 0 index = ????? Please share your expertise thanks     ... View more

Hi PickleRick, Thank you for good research and shared the knowledge.  How can i fix this issue if you can please share more tips ? thanks     ... View more

Hi agreed but why source and sourcetype os mixed up ? it does not goes what i have mentioned in inputs.conf. how do i fix it ?   DC01.xxx.xxx</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>CORP\ADmaint</Data><Data Name='SubjectUserName'>ADmaint</Data><Data Name='SubjectDomainName'>CORP</Data><Data Name='SubjectLogonId'>0x1b73fc</Data><Data Name='PrivilegeList'>SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege host = DC01 source = WinEventLog:Security sourcetype = WinEventLog this source and sourcetype are mixed and not according to inputs.conf   ... View more

i had similar issue.   i created new index for my windows servers and define the sourcetype in inputs.conf and deploy the _TA_Windows apps search works fine but source type and source are interchanged. any thoughts ?   ... View more

Hello Friends, here is my snipped of inputs.conf tog et you an idea or may be mistaked on my end ?? again thank you for your help ------------------ This is my snip of inputs.conf # cat inputs.conf [perfmon://CPU] counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time;% Reserved Time;% Interrupt Time instances = * interval = 30 mode = single object = Processor _meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host useEnglishOnly = true sourcetype = PerfmonMetrics:CPU disabled = 0 index=uat [perfmon://Memory] counters = Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes interval = 30 mode = single object = Memory _meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host useEnglishOnly = true sourcetype = PerfmonMetrics:Memory disabled = 0 index=uat [WinEventLog://Application] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 10 renderXml=true sourcetype = WinEventLog:Application index=uat [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 10 renderXml=true blacklist1 = EventCode="(4662|566)" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist2 = EventCode="(4656|4670|4663|4703|4658|4688)" Message="Account Name:(\W+\w+$)" blacklist3 = EventCode="4624" Message="An account was successfully logged on" blacklist4 = EventCode="(4688|4689)" Message="%SplunkUniversalForwarder%" blacklist5 = EventCode="6278" Message="Network Policy Server granted full access to a user because the host met the defined health policy." #whitelist = 1101, 1104, 4616, 4657, 4697 sourcetype = WinEventLog:Security index=uat [WinEventLog://System] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 10 renderXml=true sourcetype = WinEventLog:System index=uat [WinEventLog://Setup] checkpointInterval = 10 current_only = 0 disabled = 0 start_from = oldest renderXml=true sourcetype = WinEventLog:Setup index=uat [monitor://$SPLUNK_HOME\var\log\splunk\*.log*] sourcetype = uf dissabled = 0 index = _internal ... View more

I only get sourcetype wineventlog but when i add to security or application or system than does not search  any. i have disabled=0 in all inputs.conf stanza   thank you for your help ... View more

yes i see some sourcetypes when i do only search using index= and in event i see some sourcetypes. ... View more

Hi Gcusello Let me give you little more detail. a. we use custom index  b. we deployed splunk_ta_windows using deloyment server c. we have modify inputs.conf on deployment server d. inputs.conf has index=<our index name> in each stanza e. we used default inputs.conf and changed the index to our    now we see windows log data if we use in search and specify index name but if we ud thru sourcetype than data does not search, also we see only few sourcetypes. your help is appreciated   ... View more

Hi  we have AWS cloud and also we have Splunk cloud for data analysis and reporting. We like to implement SIEM for our SAAS company. any tips or recommendations be greatly appreicated. Note: in your link, there is SOAR product not the SIEM.   please explain   thanks Yogesh Switchfly ... View more

Hello, unfortunately, i could not see "advanced search" or "macro link" in our splunk cloud. we have splunk cloud and deploy server to deploy apps and we request splunk support to install both apps (splun apps for aws and splunk apps for aws security dashboard). we created the custom index. now we search our index on search window and it display the cloudtrail data as well as cloudwatch data. but security dashboard apps dow not pickup the data. i understand we need to change the index from default index name to our custom index name. questions: 1. what is installed patch location of apps ? 2. which conf file to update for index? 3. can you please share some screen shots generic please thank you   ... View more

Hi gcusello,   We have Splunk Add -on for AWS installed and configured and we also installed and configured the splunk apps for AWS security dashboard. and we created custom index.  But some how we do not see any data on security dashbnboard apps eventhough we see data when we do search outside the apps. i read up and it says macro search has their own index and we need to change it. but i dont know where to change that index name in search macro. any help is greatly appreciated. we have splunk cloud  thank  yogesh switchfly ... View more

Hi  We have installed splunk Add-on for AWS and configure the inputs and we see the cloudtrail and cloudwatch data thru s3 bucket inputs. then we installed Splunk apps for aws security dashboards but some how we dont see any of our data. just fyi we have custom index ( it is not default 'main' index) so where do we change the index so that we can see data in dashboard??   ... View more

Hello,, thank you for your quick reply. Yes we already have enabled aws inspector v2 in our aws cloud and we see vulnerability notification they inspector for all instances, ECRs and services. we also have installed splunk add-on for AWS. please share the link to configure and ingest inspector data/log in to splunk. Thank you   ... View more

Hi  Please find my response. at first you should check if AWS inspector logs is inside your AWS subscription. ===> How do i confirm that ? and document link ? or tips please ?  Then you can use Data Manager or the Splunk Add-On for AWS (https://splunkbase.splunk.com/app/1876). ===> We have splunk add-on for aws installed. is that enough to move on ? Here you can find a detailed instruction to use this last Add-On https://docs.splunk.com/Documentation/AddOns/released/AWS/Inspector ==> once above is reveal we can follow the instructions.  again thank you so much Yogesh Switchfly ... View more

Hi we have AWS and splunk cloud (victoria) and we also like to ingest the cloudtrail data to splunk cloud if some once can share the tips or process  thanks   ... View more