Hi, Code is following index=asa host=1.2.3.4 src_sg_info=* | timechart span=10m dc(src_sg_info) by src_sg_info | rename user1 as "David E" | rename user2 as "Mary E" | rename user3 as "Lucy E" If number of user is 0, then we know theres is no VPN user at all. Plan is to print it out together with active VPN user in timechart if possible. Try to explain how it looks below.                                                                                                             user2                                                                                                           user3                No Vpn user                                                                                                    No VPN user time .....................................................................................................................................................................................................................................    

We are having issus with Data models from Splunk_SA_CIM running for a very long time (hitting the limit) and causing out of memory (OOM) issues on our indexers. We have got brand new physical servers with 128 GB RAM and 48 Cores. The Enterprise security search head cluster has data models enabled which are both running on old and new hardware. Though we are getting OOM on new hardware and every run hits our 30+ min limit. Example on configuration for auth DMA: allow_old_summaries = true allow_skew = 5% backfill_time = -1d cron_schedule = */5 * * * * earliest_time = -6mon hunk.compression_codec = - hunk.dfs_block_size = 0 hunk.file_format = - manual_rebuilds = true max_concurrent = 1 max_time = 1800 Any tips on troubleshooting data models running for a very long time and causing out of memory (OOM)? Thanks!

Hello, I received the following error, the issue resolved itself after 4 hours.  The CSV file size is 54 MB.  Streamed search execute failed because: Error in 'lookup' command: Failed to re-open lookup file: 'opt/splunk/var/run/searchpeers/[random number]/apps/[app-name]/lookups/test.csv' I am aware that there already a post in regards this, but I have more questions 1)  What is the cause of this error?     Is it because of the bug like mentioned in the old post below?  I am running 9.0.4, the bug should have been fixed https://community.splunk.com/t5/Splunk-Enterprise/Message-quot-Streamed-search-execute-failed-because-Error-in/m-p/569878 2) a) Is it because max_memtable_bytes in limits.conf  is 25MB? https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Limitsconf b) How do I check limit.conf via GUI without admin role? c)  What does "Lookup files with size above max_memtable_bytes will be indexed on disk" mean?      Is it a good thing or bad? d) If I see cs.index.alive file auto generated, does it mean it's an indexed on disk? [random number]/apps/[app-name]/lookups/test.csv [random number]/apps/[app-name]/lookups/test.csv_[random number].cs.index.alive 3)  If I am not allowed to change any setting (increase 25MB limit),         what is the solution for this issue? I appreciate your help. Thank you

Hi Guys, I am performing a POC to import our parquet files into splunk, i have manage to write a python script to extract out the events aka raw logs to a df.  I also did a python script to pump the logs via the syslog protocol to HF than to indexer. I am using the syslog method because i got many log type and i can do this by using the [udp://portnumber] to ingest multiple types of logs at once and to a different sourcetype however when i do this I am not able to retain the original datatime on the raw event but it is taking the datetime on the point i was sending the event. secondly i am using python because all these parquet files are storing in a s3 container hence it will be easier for me to loop thru the directory and extract the file.  I was hoping if anyone can help me out how can i get the original timestamp of the logs? Or there are other more effective way of doing this? sample logs from splunk after index, - Nov 10 09:45:50 127.0.0.1 <190>2023-09-01T16:59:12Z server1 server2 %NGIPS-6-430002: DeviceUUID: xxx-xxx-xxx heres my code to push the event via syslog.  import logging import logging.handlers import socket from IPython.display import clear_output #Create you logger. Please note that this logger is different from ArcSight logger. #my_loggerudp = logging.getLogger('MyLoggerUDP') #my_loggertcp = logging.getLogger('MyLoggerTCP') #We will pass the message as INFO my_loggerudp.setLevel(logging.INFO) #Define SyslogHandler #TCP #handlertcp = logging.handlers.SysLogHandler(address = ('localhost',1026), socktype=socket.SOCK_STREAM) #UDP handlerudp = logging.handlers.SysLogHandler(address = ('localhost',1025), socktype=socket.SOCK_DGRAM) #X.X.X.X =IP Address of the Syslog Collector(Connector Appliance,Loggers etc.) #514 = Syslog port , You need to specify the port which you have defined ,by default it is 514 for Syslog) my_loggerudp.addHandler(handlerudp) #my_loggertcp.addHandler(handlertcp) #Example: We will pass values from a List event = df["event"] count = len(event) #for x in range(2): for x in event: clear_output (wait=True) my_loggerudp.info(x) my_loggerudp.handlers[0].flush() count -= 1 print(f"logs left to be transmit {count}") print (x)