Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Question about the PCI Application

jambajuice
Communicator
‎10-28-2010 07:59 PM

What is the "stash" sourcetype used for in the application? We're getting two huge spikes of events from that sourcetype every day at 10 pm and 7 am. They are consuming a significant amount of our license. The messages look like the following:

51  
10/28/10
7:59:00.000 AM  
10/28/2010 07:59:00, search_name="PCI 7.1 - Successful Access by Target - Summary Gen", search_now=1288278900.000, info_min_time=1288277700.000, info_max_time=1288278600.000, info_search_time=1288278935.693, dest_bestmatch=0741BOH, psrsvd_gc=2, psrsvd_v=1
host=semvsplunkprd   Options|  sourcetype=stash   Options|  source=PCI 7.1 - Successful Access by Target - Summary Gen   Options

52  
10/28/10
7:59:00.000 AM  
10/28/2010 07:59:00, search_name="PCI 7.1 - Successful Access by Target - Summary Gen", search_now=1288278900.000, info_min_time=1288277700.000, info_max_time=1288278600.000, info_search_time=1288278935.693, dest_bestmatch=0706BOH, psrsvd_gc=1, psrsvd_v=1
host=semvsplunkprd   Options|  sourcetype=stash   Options|  source=PCI 7.1 - Successful Access by Target - Summary Gen   Options

53  
10/28/10
7:59:00.000 AM  
10/28/2010 07:59:00, search_name="PCI 7.1 - Successful Access by Target - Summary Gen", search_now=1288278900.000, info_min_time=1288277700.000, info_max_time=1288278600.000, info_search_time=1288278935.693, dest_bestmatch=0661BOH, psrsvd_gc=2, psrsvd_v=1
host=semvsplunkprd   Options|  sourcetype=stash   Options|  source=PCI 7.1 - Successful Access by Target - Summary Gen   Options
Tags (1)
0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎10-28-2010 08:10 PM

The "stash" sourcetype is used for summary indexing. The Summary Gen in the search names is a good clue. Are the results with sourcetype="stash" showing up outside of index=summary? If properly configured, summary indexing should not count against your indexing volume.

Reply

araitz
Splunk Employee
Splunk Employee
‎10-28-2010 10:06 PM

Isn't everyone using the latest/greatest??? 😛

0 Karma
Reply

southeringtonp
Motivator
‎10-28-2010 08:21 PM

Note that this is only true from 4.0.10 onward. Older versions did count summary indexing against your license.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

How Edge Processor's Durable Queue Works

Edge Processor sits in one of the most consequential places in any Splunk pipeline: between your data sources ...