Hello, I've have an alert that returns by email suspicious login attempts in the form of a table with client_ip, number of different logins used, list of logins used, continent and country. Basically, the table is created by this search (time window 60 minutes):     index=webauth sourcetype=cas login!="audit:unknown" | eval login=lower(login) | stats dc(login) AS number, values(login) AS "logins list" by client_ip| iplocation allfields=true client_ip | fields - City,MetroCode,Region,lat,lon,Timezone | search number>1     Sample result: client_ip number logins list Continent Country 192.168.0.6 3 foo bar baz Somewhere Here   We have many false positive alert because some users make typos when they try to log in. I would like to clean up this table from any login that is not very different from the first one. If a result line lists those logins: myself, myselv, then the Levenshtein distance would be 1, then I would like to ditch the line (ie. number would fall from 2 to 1, and result would be excluded). If a result line lists: myself, myselv, yourself, then the second login would be excluded, but the result should be kept in the final table because yourself is very different from myself. I hope it makes sense. I've studied the solution https://community.splunk.com/t5/Splunk-Search/Is-there-any-way-to-compare-multivalue-fields-to-single-value/td-p/317189 for hours, but my result is so ugly that I can't believe it's the only solution:     index=webauth sourcetype=cas login!="audit:unknown" | eval login=lower(login) | fields client_ip,login | dedup client_ip,login | mvcombine login | eval n=mvcount(login), llogs=mvdedup(login) | search n>1 | iplocation allfields=true client_ip | fields - City,MetroCode,Region,lat,lon,Timezone,_raw,_time | mvexpand login | table * | map maxsearches=100 search=" | makeresults | eval login=\"$login$\", llogs=\"$llogs$\", number=\"$n$\" , Continent=\"$Continent$\" , Country=\"$Country$\" , client_ip=\"$client_ip$\" |makemv delim=\" \" llogs | mvexpand llogs |table *" | `ut_levenshtein(login,llogs)` | search ut_levenshtein>3 | fields - _time, llogs | mvcombine login | eval logins=mvdedup(login) | eval number=mvcount(logins) | fields - login | dedup client_ip,logins | table client_ip,number,logins,Continent,Country,ut_levenshtein       Any idea to design something better? Thanks ... View more

Hello, We use Splunk 6.2.0 and the server.pem certificate will be expired in 10 days: openssl x509 -in /opt/splunk/etc/auth/server.pem -text -noout | grep "Not After" Not After : Dec 16 12:11:46 2017 GMT How can we renew this certificate with a third-party signed certificate ? Thanks in advance ! Best regards, Marc ... View more

I'm trying to create on my network a "syslog" server that would act as a hub to concentrate logs from various sources, then filter them (like force a hostname, change sourcetype, drop some events...) and eventually forward them to my 2 dedicated indexers into different indexes. problem #1: many sources ("remote_servers") are not able to select a port to send their logs to. Hence I'm having multiple sources dropping their logs on UDP:514 and I must differentiate those sources (different indexes, different sourcetype/host settings). problem #2: some pieces of hardware wont send proper syslog data (no hostname for example), so I have to rely only on the IP of incoming connection to dispatch their logs. problem #3: I can't use a modern rsyslogd. I've tried version 5.x as included in RHEL 6, but it's not supporting sophisticated actions (I think) I need to use rsyslogd as dispatcher. What would be the best way to achieve this? I've tried with rsyslogd 5.x and Universal Forwarder, and failed. I'm trying right now with Heavy Forwarder. I've created inputs like this: [udp://192.168.120.18:514] source=aruba host=192.168.120.18 index=rezo [udp://192.168.181.253:514] source=lb-bv-prod host=192.168.181.253 index=rezo_1m But I'm not even sure it can really work (still have to test with real steam of data). Is it a proper way to achieve my goal? ... View more