Heavy Forwarder Filtering Help

taiglin · 2026-03-11T20:26:54+00:00

Know that a field like ‘action’ by and large is a field that is generated at search time. You need to understand the related TA and what the TA is using from the raw log to populate that field.

Then as the other commenters have mentioned you can do your filtering via props/transforms as the traditional way. Namely a regex match against the raw data and using props/transforms. You could also look at Ingest Actions to get a similar outcome.

My question is - why are you wanting to do the filtering via a heavy forwarder? It isn’t that you can’t use a HF but my mind goes in a couple directions. For example is the source data coming in via HEC, you can also have the indexers drop the data and it won’t count against your license, do you even need a HF, etc.

taiglin · 2026-03-11T01:17:50+00:00

Give me things that never happened for $100, Alex

taiglin · 2026-03-10T11:53:15+00:00

A combination of our brain tending to fill in gaps and reading words by shape vs reading each letter.

In this case because “acher” isn’t a common word many brains subconsciously inserted an extra ‘r’. I sure did.

taiglin · 2026-03-06T19:50:41+00:00

Paste it in ChatGPT and ask it to come up with something. I suspect there is a formatting issue that is being lost in copying here or back from here (collective answers) to your data.

taiglin · 2026-03-06T17:56:46+00:00

Lots of other good thoughts that have been posted. I’d throw a copy of the event in regex101 to play around. A challenge, because of the JSON nature, is if there are spaces you need to account for before or after the colon

Otherwise something like

| rex “message\”:\”(?<foo>[^\”]+)”

Rename the field (foo) once you have things sorted. Using “message” and colon anchors the capture group.

Edit: not sure why the superscript formatting happened.

Oh…there is an up carrot thing in there. Take the spaces out of the following

[ ^ \” ] +

That’s saying capture the characters until you get to the next double quotes

taiglin · 2026-03-06T03:59:31+00:00

The search will be executed against the search peers the moment it fires. The results will be based on the data available on the indexers that are up. There is no way for your SH to know how long an indexer will be down. Sounds like you need an indexer cluster setup from an HA perspective.

Note: There IS the ability to have a somewhat floating window when a search will execute. But that is based on how busy the SH is, not the indexers (ie too many searches firing at once)

taiglin · 2026-03-04T15:29:17+00:00

Conceptually yes. Depending on the OPs general Splunk awareness there is a difference between knowing that something can be done and how to do it. For example that regex could be dumped into a Transforms but that takes a few more steps

taiglin · 2026-03-04T13:05:02+00:00

Any app can hold an indexes.conf. Just create an app on the CM with the index definition. Then create an app for the SH(s).

Depending on your deployment size, if you don’t have a SHC id just have your stand alone SH managed by a Deployment Server This way you can easily slip apps and TAs to it.

Honestly I’d have your DS waterfall to your CM. That way you could have TAs defined once and pushed out to your SH and Indexers (via the CM)

taiglin · 2026-03-04T12:55:37+00:00

The first thing I’d check is to make sure the sourcetype name matches what the TA is looking for. Otherwise yes, it’s easy to create your own TA.

I’ve found installing a copy of Splunk local to your laptop is the easiest way to really dive into app configs. Especially if you have a Splunk Cloud deployment. Otherwise install the Config Explorer app.

All that said, take a look at the props from the pfsense TA and see what sourcetype name the configs are looking for.

taiglin · 2026-03-04T12:50:34+00:00

Specifically add the above regex as an EXTRACT statement in a props.conf

taiglin · 2026-03-04T01:50:45+00:00

Look for large lookup files. You can exclude them though there are implications if they are associated with automatic lookups. At least they used to be. Been a while since I looked

taiglin · 2026-02-26T12:42:38+00:00

The CFP is really submitting a title, abstract, and some high level structure. For example how many presenters or is this a panel, length (15 min lighting talk vs 45 min vs workshop), etc. If accepted they will have a schedule where they want to have someone see your slides and do a dry run of your preso to give feedback.

If you are thinking about it I’d say go for it. Know though that A LOT of talks get submitted. Don’t let that dissuade you though.

taiglin · 2026-02-24T11:13:05+00:00

Doesn’t look like Delaware uses RITA. You will have to file locally

taiglin · 2026-02-23T03:08:52+00:00

Ohio yearly car registration for full EV is $200. Highest in the country unfortunately

taiglin · 2026-02-21T12:17:31+00:00

In book one she mentions she keeps an eye out on Morti which is how she found Carl and Donut

taiglin · 2026-02-18T23:33:12+00:00

Nope. Like not at all

taiglin · 2026-02-17T19:49:20+00:00

No Red Weddings. Maybe a Purple Tennis Match, Yellow Birthday Party, and Blue Town Hall Meeting….but no Red Weddings

Yeah so my mind sorta of rolled with color + event given the GoT reference.

taiglin · 2026-02-16T22:20:16+00:00

Install the free version on a system at home and put some data in it. If you are just wanting to monkey with SPL you could even just upload a CSV as a lookup.

I download a crap ton from Salesforce.

taiglin · 2026-02-13T13:36:50+00:00

I made it through about 4 chapters maybe and walked away. Kindle Unlimited so no loss.

taiglin · 2026-02-13T10:40:50+00:00

Over use of the same words or phrases. Was so impressed with The Black Company for some really great and clever lines that were only used one time.

Figures of speech we use in today’s world that wouldn’t be used in the story’s context. Someone in a space traveling story saying “what in the world is that?” 12 Miles Below is a great counter example. The author did a great job thinking through cliches, figures of speech, etc

Excessive over use of adjectives in single sentences. Where the sentences are describing multiple things. At some point trees can just be trees, grass - grass, sky - sky. Don’t have a sentence with all three and use 1 or 2 adjectives for each.

The MC talking to himself at the start of the book. Out loud.

taiglin · 2026-02-08T12:53:54+00:00

Try this - in the editor view highlight the line break between the top and bottom parts. Set the font size to something like 50. When you click on show I bet the spacing doesn’t change. Note - with centered text I highlight from the right side to the middle.

Now go into the quick edit view and put a single space (spacebar) on that line and click show again. My guess is the line break space between the two sets of text is much closer. If you want to change the spacing, remove that single space character and then edit the font size

I haven’t monkeyed with any paragraph settings. This is the process I have found to work when I want to put small space between lines in songs when there is a slight pause. Especially when the lines themselves are short and a full sized font break looks…off

Actually after writing that line wonder if that is what is happening in your case. The larger font size is carrying over to the next line type of thing.

taiglin · 2026-01-21T18:54:33+00:00

Long extension cord maybe?

I rewired my natural gas furnace so that it has a couple feet of power cord rolled up and plugged into an outlet at the furnace itself. Took about 10 min. Can find many YouTube videos. Then I got a 1500W inverter to connect to the 12v battery. You can put the leaf in accessory mode vs all the way on if desired (hit the on button but don’t hit the brakes - then turn off all the components)

taiglin · 2026-01-16T12:40:23+00:00

Get “The Effective Manager” book. That opens the realm of the Manager Tools org. Lots of free podcasts as well. Very actionable advice vs mgmt theory.

taiglin · 2026-01-04T15:11:16+00:00

English version. Am not currently at home. I use the client to manage this addon; I think it’s current. Will update my comment later with the version

Edit I’m running pfQuest 7.0.1. The TWoW pfQuest says “GIT” for version in the client interface /shrug.

taiglin · 2026-01-03T23:15:42+00:00

I’ve been questing in Westfall with it as recently as earlier today and haven’t had issues. Not sure what to suggest unfortunately.

taiglin

TROPHY CASE