Hello.  Our organization has one of our Data Model (DM) searches for ES regularly running over 200 seconds to complete.  Soon another source will be added to the DM, so I have been looking for ways to reduce the runtime.   I came across a site that suggested the macros that build the CIM DM's could be faster by adding the sourcetype alongside the index in the search.  My thought was, "Why stop there?"  You could add the source too, as long as it doesn't iterate with a date or some random number scheme.  And even then, with reasonable wildcarding at the end I believe there would be a performance improvement. I was told that this effort is unnecessary, even though in my unofficial tests over the same period, I found my modified searches to nearly twice as fast.  So aside from the additional effort to build those searches and maintain them, why is this unnecessary?   Thanks AJ ... View more

I have events coming from an API that all have the same 10 fields.  Viewing the RAW event one of the fields (detail) is quote escaped JSON (\").  The contents of the field varies and I cannot get consistent parsing via configuration files.   The props.conf does already include KV_MODE = json   If I add | spath input=detail to the SPL it parses perfectly, but I need to do the parsing from the config files so I can build Datamodels.   Since KV's vary across events parsing the whole detail field verses regex's on specifc KV's seems to be more efficient.   I've had limited success using a regex in transforms.conf.  And I think trying to use the | eval details = spath(X,Y) won't work because there are multiple keys and values.  Some sample events are below. {"edgeName": "DVC_NAME", "enterpriseUsername": null, "event": "EDGE_NEW_DEVICE", "category": "EDGE", "id": 12345678, "segmentName": null, "severity": "NOTICE", "eventTime": "2021-08-03T13:21:31.000Z", "message": "New or updated client device 01:23:45:67:ab:ef, ip 192.168.0.100, segId 0, hostname NT_HOSTNAME, os", "detail": "{\"last_request_time\":0,\"client_mac\":\"01:23:45:67:ab:ef\",\"client_ipv4addr\":\"192.168.0.100\",\"hostname\":\"NT_HOSTNAME\",\"os_type\":0,\"os_class\":0,\"os_class_name\":\"UNKNOWN\",\"os_version\":\"\",\"device_type\":\"\",\"os_description\":\"\",\"dhcp_param_list\":\"1,3,6,15,31,33,43,44,46,47,119,121,249,252\",\"segment_id\":0}"} {"id": 73646231, "severity": "INFO", "eventTime": "2021-08-03T06:36:31.000Z", "segmentName": null, "message": "Edge [DVC_NAME] has re-established communication with the Orchestrator", "category": "EDGE", "event": "EDGE_UP", "enterpriseUsername": null, "detail": "{\"enterpriseAlertConfigurationId\":null,\"enterpriseId\":316,\"edgeId\":8748,\"edgeName\":\"DVC_NAME\",\"state\":\"PENDING\",\"stateSetTime\":\"2021-08-03T06:36:30.867Z\",\"triggerTime\":\"2021-08-03T06:36:30.867Z\",\"remainingNotifications\":1,\"nextNotificationTime\":\"2021-08-03T06:36:30.867Z\",\"lastContact\":\"2021-08-03T06:36:29.000Z\",\"name\":\"EDGE_UP\",\"type\":\"EDGE_UP\",\"firstNotificationSeconds\":0,\"maxNotifications\":1,\"notificationIntervalSeconds\":120,\"resetIntervalSeconds\":3600,\"timezone\":\"America/Phoenix\",\"locale\":null}", "edgeName": "DVC_NAME"} {"edgeName": "DVC_NAME", "id": 73579676, "eventTime": "2021-08-02T23:24:58.000Z", "event": "MGD_CONF_APPLIED", "severity": "INFO", "segmentName": null, "enterpriseUsername": null, "detail": "{\"heartBeatSeconds\": 30, \"managementPlaneProxy\": {\"drHeartbeatSecs\": 60, \"primary\": \"host-1.domain.net\", \"secondary\": \"host-2.domain.net\"}, \"timeSliceSeconds\": 300, \"statsUploadSeconds\": 300}", "message": "Applied new configuration for managementPlane version 1627946184323", "category": "EDGE"} ... View more

I saw in another question that the pantag command supports an IP as a parameter for dynamic address group and I have no trouble adding IP addresses. What I have not been able to do is push a subnet in CIDR notation. It does say submitted successfully but everything after and including the slash gets truncated leaving only the network address in the dynamic group. I tried URL encoding it and that did not even submit successfully. Am I doing something wrong or does pantag only support IP addresses and not subnets? Thanks. ... View more

First of all, thank you for the app. The setup, import, and event classification is great. The issue I am having is that authentication events with a reason of "Allow unenrolled user" are not included in the import. I couldn't see anything in the python or within the app to restrict/filter events. Any ideas? ... View more

Currently when splunk eats the serviceperf and hostperf data the events come in as multi-line events. When in the nagios web view selecting splunk for a host may return a multi-line event that contains other hosts that came in at the same time. Is this as it should be? Would I be creating more problems by splitting the events so there is one single nagios event per event in splunk? Thanks in advance. ... View more