Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Question about the PCI Application

jambajuice
Communicator
‎10-28-2010 07:59 PM

What is the "stash" sourcetype used for in the application? We're getting two huge spikes of events from that sourcetype every day at 10 pm and 7 am. They are consuming a significant amount of our license. The messages look like the following:

51  
10/28/10
7:59:00.000 AM  
10/28/2010 07:59:00, search_name="PCI 7.1 - Successful Access by Target - Summary Gen", search_now=1288278900.000, info_min_time=1288277700.000, info_max_time=1288278600.000, info_search_time=1288278935.693, dest_bestmatch=0741BOH, psrsvd_gc=2, psrsvd_v=1
host=semvsplunkprd   Options|  sourcetype=stash   Options|  source=PCI 7.1 - Successful Access by Target - Summary Gen   Options

52  
10/28/10
7:59:00.000 AM  
10/28/2010 07:59:00, search_name="PCI 7.1 - Successful Access by Target - Summary Gen", search_now=1288278900.000, info_min_time=1288277700.000, info_max_time=1288278600.000, info_search_time=1288278935.693, dest_bestmatch=0706BOH, psrsvd_gc=1, psrsvd_v=1
host=semvsplunkprd   Options|  sourcetype=stash   Options|  source=PCI 7.1 - Successful Access by Target - Summary Gen   Options

53  
10/28/10
7:59:00.000 AM  
10/28/2010 07:59:00, search_name="PCI 7.1 - Successful Access by Target - Summary Gen", search_now=1288278900.000, info_min_time=1288277700.000, info_max_time=1288278600.000, info_search_time=1288278935.693, dest_bestmatch=0661BOH, psrsvd_gc=2, psrsvd_v=1
host=semvsplunkprd   Options|  sourcetype=stash   Options|  source=PCI 7.1 - Successful Access by Target - Summary Gen   Options
Tags (1)
0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎10-28-2010 08:10 PM

The "stash" sourcetype is used for summary indexing. The Summary Gen in the search names is a good clue. Are the results with sourcetype="stash" showing up outside of index=summary? If properly configured, summary indexing should not count against your indexing volume.

Reply

araitz
Splunk Employee
Splunk Employee
‎10-28-2010 10:06 PM

Isn't everyone using the latest/greatest??? 😛

0 Karma
Reply

southeringtonp
Motivator
‎10-28-2010 08:21 PM

Note that this is only true from 4.0.10 onward. Older versions did count summary indexing against your license.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...