Is the app (Cisco Secure eStreamer Client Add-On[https://splunkbase.splunk.com/app/3662]) even usable on splunkcloud? I can install it from the "browse more apps" page in the cloud app management area, but it seems i will not be able to set it up or use it, as 1) it requires you to edit a config file on disk; 2) it writes the data it retreives from Cisco to a local disk; 3) it is not possible to create a disk monitor in splunkcloud.  Only real option seems to be to use a heavy forwarder. Any suggestions? ... View more

So when searching tag=usb, I get an message telling me : "The term 'usb*:' contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation", but i did not add the wildard there myself. So anyone has any idea where this comes from. One of the things I could think of this comes from an add-on, somewhere..  While investigating this a little bit more I also see funky errors when searching tag=* for instance.  ... View more

Hi, I am looking at the Palo Alto add-on from https://splunkbase.splunk.com/app/2757/ and specifically to logs with sourcetype pan:userid All the logs get the username unknown, when digging into this  I see this in the prop.conf [pan:userid] SHOULD_LINEMERGE = false TIME_PREFIX = ^(?:[^,]*,){6} MAX_TIMESTAMP_LOOKAHEAD = 32 REPORT-search = extract_userid FIELDALIAS-virtual_system = vsys as virtual_system FIELDALIAS-src_for_pan_correlation = src_ip as src FIELDALIAS-dest_ip_for_pan_correlation = src_ip as dest_ip FIELDALIAS-client_ip = src_ip as client_ip FIELDALIAS-dest_for_pan_correlation = src_ip as dest FIELDALIAS-dvc_for_pan_correlation = host as dvc EVAL-user = coalesce(src_user,"unknown")   and in the transforms i find : [pan_userid] DEST_KEY = MetaData:Sourcetype REGEX = ^[^,]+,[^,]+,[^,]+,USERID, FORMAT = sourcetype::pan:userid   [extract_userid] DELIMS = "," FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","vsys","src_ip","source_name","event_id","repeat_count","timeout_threshold","src_port","dest_port","source","source_type","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id","factor_type","factor_completion_time","factor_number"   One thing I notice is that there is no src_user in the fields list in the [extract_userid] so I probably miss something here but my conclusion is that the field will never be filled.  So does anyone have an idea how to get user field filled with username?   Just for reference a log, that should fit here, and it does partially.    <14>1 2020-12-07T15:14:29+01:00 Servername-XX - - - - 1,2020/12/07 15:14:29,000101011111,USERID,logout,223,2020/12/07 15:14:29,vsys,10.10.10.11,client\usr.name,client-loc-id,0,1,0,0,0,agent,,1111111111111111114,0x0,0,0,0,0,,Servername-XX,0,,2020/12/07 15:14:29,1,0x0,client\user.name   ... View more

Is it possible to see into conf files, like a props.conf, without having cli/machine access. So from inside Splunk interface? Is it also possible to see the current aggregated confs within Splunk? ... View more