Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Question about the PCI Application

jambajuice
Communicator
‎10-28-2010 07:59 PM

What is the "stash" sourcetype used for in the application? We're getting two huge spikes of events from that sourcetype every day at 10 pm and 7 am. They are consuming a significant amount of our license. The messages look like the following:

51  
10/28/10
7:59:00.000 AM  
10/28/2010 07:59:00, search_name="PCI 7.1 - Successful Access by Target - Summary Gen", search_now=1288278900.000, info_min_time=1288277700.000, info_max_time=1288278600.000, info_search_time=1288278935.693, dest_bestmatch=0741BOH, psrsvd_gc=2, psrsvd_v=1
host=semvsplunkprd   Options|  sourcetype=stash   Options|  source=PCI 7.1 - Successful Access by Target - Summary Gen   Options

52  
10/28/10
7:59:00.000 AM  
10/28/2010 07:59:00, search_name="PCI 7.1 - Successful Access by Target - Summary Gen", search_now=1288278900.000, info_min_time=1288277700.000, info_max_time=1288278600.000, info_search_time=1288278935.693, dest_bestmatch=0706BOH, psrsvd_gc=1, psrsvd_v=1
host=semvsplunkprd   Options|  sourcetype=stash   Options|  source=PCI 7.1 - Successful Access by Target - Summary Gen   Options

53  
10/28/10
7:59:00.000 AM  
10/28/2010 07:59:00, search_name="PCI 7.1 - Successful Access by Target - Summary Gen", search_now=1288278900.000, info_min_time=1288277700.000, info_max_time=1288278600.000, info_search_time=1288278935.693, dest_bestmatch=0661BOH, psrsvd_gc=2, psrsvd_v=1
host=semvsplunkprd   Options|  sourcetype=stash   Options|  source=PCI 7.1 - Successful Access by Target - Summary Gen   Options
Tags (1)
0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎10-28-2010 08:10 PM

The "stash" sourcetype is used for summary indexing. The Summary Gen in the search names is a good clue. Are the results with sourcetype="stash" showing up outside of index=summary? If properly configured, summary indexing should not count against your indexing volume.

Reply

araitz
Splunk Employee
Splunk Employee
‎10-28-2010 10:06 PM

Isn't everyone using the latest/greatest??? 😛

0 Karma
Reply

southeringtonp
Motivator
‎10-28-2010 08:21 PM

Note that this is only true from 4.0.10 onward. Older versions did count summary indexing against your license.

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

[Puzzles] Solve, Learn, Repeat: Unmerging HTML TablesFor a previous puzzle, I needed some sample data, and ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...