All Posts

Thanks for your replies, indeed, I was using dbinspect to check bucket sizes. But I need to have tsidx vs raw data file size. Do you know if somehow Splunk support, as they should have access to the file system, could answer this need? Thanks, Regards
The dbinspect command will give you the sizes of each bucket, but there's nothing I know that will break that down further. To reduce the size of tsidx files, do fewer index-time field extractions (especially JSON) and only accelerate the datamodels you use.
You cannot directly access or view tsidx and raw data file sizes in Splunk Cloud, as file system access is restricted. However, you can estimate index storage usage (including tsidx and raw data) using the dbinspect command.

| dbinspect index=<your_index>
| stats sum(rawSize) as total_raw_size sum(sizeOnDiskMB) as total_disk_size
| eval total_raw_size_MB=round(total_raw_size/1024/1024,2)
| table total_raw_size_MB total_disk_size

This provides an estimate of the raw data size and the total disk usage (which includes tsidx and other metadata). I don't think there is anything you can change in Splunk Cloud to reduce tsidx size, but I am also confused as to why you want to. I'd argue an increased number of indexed fields (which would increase tsidx sizes) would *improve* search performance if used with things like tstats.

Did this answer help you? If so, please consider: Adding karma to show it was useful. Marking it as the solution if it resolved your issue. Commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
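A per-index and per-bucket-state variant of the dbinspect approach above, added here as an example rather than taken from the answer. It assumes only the standard dbinspect output fields rawSize (uncompressed raw bytes) and sizeOnDiskMB (total bucket size on disk, which includes tsidx and metadata), and it uses their ratio as a rough proxy for index overhead relative to raw data:

```spl
| dbinspect index=*
| eval raw_mb = round(rawSize / 1024 / 1024, 2)
| stats count as buckets
        sum(raw_mb) as raw_mb
        sum(sizeOnDiskMB) as disk_mb
        by index, state
| eval disk_to_raw_ratio = round(disk_mb / raw_mb, 2)
| sort - disk_mb
| table index state buckets raw_mb disk_mb disk_to_raw_ratio
```

Because rawSize is the uncompressed raw size while the journal on disk is compressed, the ratio can be well below 1; compare it across indexes (or across hot, warm and cold buckets of the same index) rather than reading it as a tsidx percentage, which dbinspect does not expose.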
@livehybrid I tried the query that you suggested to check internal logs for my HF and tweaked key words to see anything related to FMC/Cisco/estreamer. But, it does not show any error logs.
I have configured the Cisco Security Cloud app on the HF because our FMC is not allowed to have any outbound access. As far as the configuration is concerned, I was able to import the cert from FMC and save the configuration in the Cisco Security Cloud app. I also created the index on the HF as well as the cloud instance. But, I don't see any logs from that source in the cloud. I checked the internal logs for the HF and I don't see any errors related to this. I am adding the screenshot from the app configuration on the HF. It does not show the status as "Connected".

I tried opening a Cisco TAC case, but as soon as I select the product category as Splunk, it asks me to open a ticket with Splunk support. So, I have been trying to figure out how to contact Cisco Support for the app add-on.

FYI, additional info: I also have the Cisco Security Cloud app on the cloud instance, which I am using for integration with another Cisco cloud product, which seems to be working fine.

Thank you! Parth
I checked and it was installed but not running the latest version. I updated the PAN app and PAN add-on to the latest version, but the dashboards still don't work.
I recognize this is an old post but I ran into this issue today and this is how I solved it. In my case, there was another data model with the same name shared globally in another app (App B). I had to change the permissions of the global data model to shared in app (App B), then I could delete the other data model in App A. Once deleted, I changed the permissions for data model in App B back to global. Hope this helps!
Hello, I would like to know if there is a way to see/check tsidx file size and raw data file size. I would like to reduce tsidx file size to improve search performance. Thanks for your support, Nordine
Hi @OUnl

If this is in relation to Splunk Education then please email your query to education@splunk.com. This is a community forum and you are not guaranteed a response from the correct team. You may wish to remove your email address from the original post to protect yourself from spam, phishing etc.

Did this answer help you? If so, please consider: Adding karma to show it was useful. Marking it as the solution if it resolved your issue. Commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi @heathramos

It sounds like you haven't installed the Splunk Add-on for Palo Alto Networks. You need this in addition to the Splunk App for Palo Alto Networks because the Add-on contains all the macros that the dashboards in the app use, such as p_index, pan_tstats, pan_summariesonly and pan_logs. Please install this and hopefully it should resolve the issue. Once installed, check the p_index macro: by default this is "index=pan*", so if your index is called "pan" then the default should be fine.

Did this answer help you? If so, please consider: Adding karma to show it was useful. Marking it as the solution if it resolved your issue. Commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
I don't see p_index. When I create it, how exactly do I configure it? What do I put under definition?
@heathramos Your dashboard isn't populating because it's looking for data in places that don't exist in your environment.

The main culprit is probably the p_index macro. Your dashboard is using `p_index` but this macro either doesn't exist or isn't pointing to the right place. Go to Settings > Advanced Search > Search Macros and see if you have one called p_index. If not, create it. If yes, make sure it's set to your actual Palo Alto index.

Tip: When you're in the Search app, you can press Cmd+Shift+E (Mac) or Ctrl+Shift+E (Windows) to expand macros in your search and see what they actually resolve to. This will show you exactly what `p_index` is doing.

Second issue - sourcetype mismatch. The dashboard expects sourcetype="pan:xdr_incident" but your data probably has a different sourcetype. Run this to see what you actually have:

index=pan | stats count by sourcetype

Quick test: Try running the base search manually with your actual values instead of the tokens. Replace $severity$ with * and see if you get any results. The dashboard is basically looking for some field names like incident_id, severity, status etc. If your XDR data doesn't have these exact field names, nothing will show up.

Most of these Palo Alto app dashboards assume you've configured everything exactly as Palo Alto intended, but real environments are messier. You'll probably need to either: Fix your data inputs to match what the dashboard expects, OR Edit the dashboard searches to match your actual data structure.

Start with that macro expansion trick and sourcetype check - those are usually the smoking guns. Good luck! If this Helps, Please Upvote.
Have you added some options to this dashboard which could cause the user to not see those input fields? And is it only the time input or other inputs too?
If I run the following search, I get records: index="pan" host="*". None of the dashboards show any info. What could cause this?
I'm not sure if this helps you https://splunkbase.splunk.com/app/3124 ?
Hi r. Ismo, Thank you for your return mail, but I still have my active edu email account. It is a trial version that needs to be completed in 60 days, but I have been valid since May 18 2025, so almost 1 month has passed. Who can check my account from the Splunk admin panel? Thank you
Old post about those additional and undocumented parameters https://community.splunk.com/t5/Security/splunk-show-decrypted-command-usage/m-p/656369/highlight/true#M17251
I am still using my active email.
I was using my account in recent weeks with my edu email, but what happened?
As others already said, there is probably a firewall between your workstation and splunkd running on your RHEL7 box. It could be on the RH box itself, or if there is any FW between network segments then those are possible candidates. One way to try it is to use ssh tunneling from your workstation to that box (if it's allowed on the RH side). Or you could try it with curl on that box to test whether it responds or not. Based on your screenshot it should be up and running.