Hi, splunkd sourcetype works fine:
earliest=-30d index=_internal sourcetype=splunkd user="*" action=login OR action=logoff | table user status action reason message
sourcetype=splunk_web_service --- not available nowadays. I think it's removed or merged with splunkd.
For a log file that was separating lines using the hex 0A character, I was able to use LINE_BREAKER = (\x0A). I viewed the log file in a hex editor to find the line separator.
On 7.1 or newer, you'll need to use user-seed.conf. Hurricane Labs has a good rundown on how to do it.
https://www.hurricanelabs.com/splunk-tutorials/splunk-7-1-performing-a-splunk-password-reset
You can frame the search with wild cards. Example: src_ip=10.1.2.* for a /24 CIDR range or src_ip=10.7.*.* for a /16 CIDR range, etc.
(I was having trouble getting the * to show when using more than 1 in the IP addresses.)
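The wildcard form above only works for ranges that fall on an octet boundary (/8, /16, /24). For any other prefix length, Splunk's built-in `cidrmatch` eval function does the real subnet test. The following SPL is an added example, not part of the answer above; the index, sourcetype and field names (`index=firewall`, `sourcetype=fw`, `src_ip`, `action`) are assumed placeholders.

```spl
/* Octet-aligned range: the wildcard form is fine and runs as a fast indexed search */
index=firewall sourcetype=fw src_ip=10.1.2.*
| stats count BY src_ip action

/* Non-octet-aligned range (/22 spans 10.7.4.0 to 10.7.7.255):
   a wildcard such as 10.7.*.* would over-match, so test the CIDR with cidrmatch instead.
   Narrow the event set first (10.7.*) so the where clause is not run over the whole index. */
index=firewall sourcetype=fw src_ip=10.7.*
| where cidrmatch("10.7.4.0/22", src_ip)
| stats count BY src_ip action

/* Several ranges at once: tag each event with the matching subnet for reporting */
index=firewall sourcetype=fw src_ip=10.*
| eval subnet=case(cidrmatch("10.1.2.0/24", src_ip), "10.1.2.0/24",
                   cidrmatch("10.7.4.0/22", src_ip), "10.7.4.0/22",
                   true(), "other")
| stats count BY subnet action
```

The wildcard term is evaluated at search time against the index, while `where cidrmatch(...)` is a post-filter, so keep a wildcard that is at least as broad as the CIDR in the base search to avoid scanning more events than necessary.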