splunk | The Splunk Enterprise REST API client | REST library

When i use summarize any() all my columns get a new name any_original name. I want to keep the original name or rename the any away

in Splunk used to do something like rename value(*) as * and that did the trick, in kql im not sure

Screenshot

I have a docker-compose setup with containers logging into fluentd. To support different demo environments, I have events being output to multiple destinations (ElasticSearch, Splunk, Syslog, etc.)

I would like to maintain a single configuration file, but disable output plugins that are not needed. If I have 4 potential output destinations, I would have to maintain 10 different configuration files to support all the different possible combinations.

I know that plugins can use environment variables for configuration parameters, which would be ideal. However, I don't see that there is a common 'enabled' or 'disable' parameter in the underlying plugin architecture.

Is there any way to disable a plugin externally? Or will I have to dynamically build my configuration file from an external script?

I'm evaluating the use of apache-kafka to ingest existing text files and after reading articles, connectors documentation, etc, I still don't know if there is an easy way to ingest the data or if it would require transformation or custom programming.

The background:

We have a legacy java application (website/ecommerce). In the past, there was a splunk server to do several analytics.

The splunk server is gone, but we still generate the log files used to ingest the data into splunk.

The data was ingested to Splunk using splunk-forwarders; the forwarders read log files with the following format:

From a search I composed a table, let's call it T1, formed by two columns table name, sourcetype

Now I need to create a static, code generated table, call it T2, that contains all the expected values for the above mentioned table T1, hardcoded. 1st question: How could I?

2nd question: As a result, I need to generate a table T3 equal to: T2 - T1, basically a logical set difference of the first field, which answer the business question "I want to know which records are missing in T1 based on T2"

I am a newbie of Splunk and its query language and I tried to play a bit with set diff and eval to create static data but I did not manage to create the logic I want at all.

Could you point me to the correct logical implementation of this task?

I do script fluently in both SQL and Python, is there any kind of concept I could reuse to become more familiar with this query language?

Stupid graphical example:

How can I change the logging for Springboot Kafka? I'm seeing over 2M messages on our Splunk server and nothing is working:

I use basic Splunk queries mostly, like

I am currently running ossec 3.6 in local mode and forwarding data to Splunk. I cannot seem to find something similar in wazuh - am I missing something? We really don't want to have a manager as all our data goes to Splunk anyway. We'd like to continue outputting ossec/wazuh data in Splunk format and send straight to Splunk. I've Googled and read the wazuh docs, but cannot find anything that addresses this. Is this possible?

Need a table to show the top 5 URL as given below in Splunk. Is this possible in Splunk? I tried many ways but I can't get all status of a URL as a single row.

In Splunk, I have a dashboard with init-section. I use the init-section to set 2 tokens, then I use the token values to set the default value for a time input.

When I run the dashboard, the time input is unpopulated. If I replace $earliest_time_token$, $latest_time_token$ with their actual values then the time token is pre-populated.

Is there a way to pre-populate the time input field using variables?

fyi - I tried -7d@d & "-7d@d" I get the same result