Hi Team Getting this error message frequently in internal logs of Splunk. Error in 'where' command: The expression is malformed. An unexpected character is reached at '*) OR match(indicator, *_ip) OR match(indicator, *_host)) Any hints will be appreciated. Thanks in advance  

Hi at all, I found that the information in my Monitoring Console (Splunk version 9.1.1) about Replication Factor is wrong, is there anyone that experienced the same thing: in [Monitoring Console > Overview of Splunk Enterprise 9.1.1] is displayed Replication Factor = 3 but I configured Replication Factor =2 (it's a multisite, so origin=1, total=2). Is it maybe the Search Head Cluster Replication Factor (that's 3) or simply a displ? Thank you for your advice. Ciao. Giuseppe

Hi Team, We are planning to integrate Splunk with the ticketing system BMC Helix. So, we would like to know if it's possible to raise a ticket in the BMC Helix automatically if the knowledge objects are triggered? If yes what is the way to do that.   Thanks in Advance Siva.  

I have a log feed which was configured by a previous employee. Documentation does not exist, of course... The feed stopped once we migrated indexers. I checked the deployment server and there does not seem to be any apps on this server where the feed exists which ingest this feed. Then, we added in the old indexer to the architecture and the feed started working again! When I check these events in Search & Reporting, I can see the feed is only coming in via this legacy indexer by checking the splunk_server field. I logged into the legacy indexer via CLI and used btool on inputs for the index, source and sourcetypes, no matches. Also struggling to find anything useful in the _internal events via search head GUI. Both indexers are in a cluster and so the config should be identical, but the events only come in via the legacy indexer. How can I find how this feed is configured?

I am trying to integrate this solution into Splunk but I am finding problems. The most relevant as far is the number of retrieved events. I use the official event collector app Radware CWAF Event Collector | Splunkbase It works via API user and I found that the number of events in Splunk doesn't match with the events in cloud console. After opening a support ticket with Radware they told me that the problem is the "pulling rate" for API configuration in my Splunk. I have been trying to find how to configure this "pulling rate" in Splunk but I found nothing. Do you know how to solve this parameter or how do you solve this integration? This is exactly what they told me: Our cloudops team checked to see if there are any differences between the CWAF and the logs that are sent to your SIEM. They found that there is a queue of logs that are waiting to be pulled by your SIEM. Therefore, we do not have any evidence that the issue is with the SIEM infrastructure. For example, if we send 10 events per minute and the SIEM is pulling 5 per minute, this will create a queue of logs. Unfortunately, we cannot support customer-side configuration. It might be more helpful to consult with the support team for the SIEM you are using, as the interval might be the "Pulling Rate."  

if we configure a fast volume for hot/warm and slower spindles for cold and set maxVolumeDataSizeMB to enforce sizes. can you see any situation where cold would file but hot/warm would still have space?

I have a client creating a new system that will have 2 sites with rf/sf per site being 1 and the total rf/sf being 2. Each site will have 3+ indexers. My question is how this effects bucket distribution over the indexers if you leave maxbucket as the default of 3 and is there any performance implications They're going rf/sf as 1 due to disk costs. Thanks in advance