Hi @Karthikeya, if the question is about exceeding the license, you don't have a problem exceeding it fewer than 45 times in 60 days. If the problem is storage, you could change the maximum size of the index where these logs are stored, so that they are deleted more frequently and you will not use all the disk space. You could also change this maximum size when you have excessive data ingestion and then restore the normal parameter at the end; anyway, the easiest method is to configure the maximum size for your indexes. Ciao. Giuseppe
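As an added illustration of the advice above (this search is not part of Giuseppe's post), the following lists, for each non-internal index, the configured maximum size, the current size on disk and the resulting headroom, and joins yesterday's ingest per index from license_usage.log to estimate how many days remain before the oldest buckets start being frozen. It assumes it runs on an indexer (on a distributed search head add `splunk_server=*` to the `rest` command) and that license_usage.log is available in `_internal`; the field names are Splunk's own.

```spl
| rest /services/data/indexes
| search title!="_*"
| rename title AS idx
| table idx maxTotalDataSizeMB currentDBSizeMB frozenTimePeriodInSecs
| join type=left idx
    [ search index=_internal source=*license_usage.log* type=Usage earliest=-1d@d latest=@d
      | stats sum(b) AS daily_bytes BY idx
      | eval daily_mb=round(daily_bytes/1024/1024, 0) ]
| eval headroom_mb=maxTotalDataSizeMB-currentDBSizeMB
| eval days_until_full=if(daily_mb>0, round(headroom_mb/daily_mb, 1), "n/a")
| eval retention_days=round(frozenTimePeriodInSecs/86400, 0)
| table idx maxTotalDataSizeMB currentDBSizeMB headroom_mb daily_mb days_until_full retention_days
| sort days_until_full
```

One caveat worth knowing before lowering maxTotalDataSizeMB: when an index reaches that size Splunk freezes its oldest buckets first, and frozen buckets are deleted unless coldToFrozenDir or coldToFrozenScript is configured, so a burst of ingest can silently shorten the retention you rely on for investigations.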
I have been using the Splunk Add-on for Salesforce for a while now, but I want to know if anyone else is using it and has noticed that the number of events being ingested has decreased. When I look back to December I can see that Splunk would ingest multiple UserLicense events per day, but now it's one event every 4 days.
Thank you. For some reason I am still only able to filter for type accounting. At this point, I am wondering whether it is an issue with Splunk or whether ISE does not send this information as part of syslog. Regards, Martin
You can query all alerts using this REST command. Filter the results to find the information you seek.
| rest splunk_server=local /servicesNS/-/-/saved/searches
| search alert_type!="always"
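An added example (not from the answer above) that extends the same REST search into an alert inventory: it keeps only enabled, scheduled alerts and shows app, owner, schedule, trigger condition and configured actions, which is a quick check that your detections actually run and notify someone. The properties used are standard saved/searches attributes; `splunk_server=local` is kept because saved searches live on the search head.

```spl
| rest splunk_server=local /servicesNS/-/-/saved/searches
| search alert_type!="always" disabled=0 is_scheduled=1
| eval actions=if(isnull(actions) OR actions=="", "NONE", actions)
| table title eai:acl.app eai:acl.owner cron_schedule alert_type alert_comparator alert_threshold actions
| sort eai:acl.app title
```

Rows with actions=NONE are alerts that fire but reach nobody; rows whose owner is a departed user are worth reassigning, since alerts owned by a disabled account may stop running.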
But how will our indexers accommodate this? That is my question here. We have 6 indexers with 6.9 TB of disk space. What happens if we exceed this space in a single day?
Thank you, that's a neat solution. However, in my simplified query I have removed some eval conditions and filters, one of them being that the caller and caller_party formats are different in the sourcetypes. So below the rename I have `| eval caller_party=substr(caller_party, 2)`. Could you please advise how your solution would change to account for this? Thank you!
Hi @ITWhisperer, thank you for sharing the details. I configured the same in my source XML and I can modify the colors accordingly. Can you also help me change the legend color for 'forecast', as it is not showing in green?
Hi @Karthikeya, you can exceed the license limit without any violation (only a message) 45 times in 60 calendar days, so it shouldn't be a problem in your situation. For more information see https://www.splunk.com/en_us/resources/splunk-enterprise-license-enforcement-faq.html?locale=en_us Ciao. Giuseppe
Hi @osh55, let me understand: is the issue that the number of results of the subsearch is more than 50,000? Did you try to put both searches in the main search?
index=sample1 ((sourcetype=x host=host1) OR sourcetype=y)
| eval caller=coalesce(caller, caller_party)
| stats
    count(eval(sourcetype="x")) AS all_calls
    count(eval(sourcetype="y")) AS messagebank_calls
    BY caller
| search all_calls=*
Ciao. Giuseppe
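As an added example (not part of either post), this is the same subsearch-free query with the format fix from the follow-up question folded in: the `substr` is applied before the `coalesce`, so both sourcetypes are normalised to one caller value before counting. It assumes, as the follow-up's unconditional `substr` suggests, that the leading character only needs stripping from caller_party in sourcetype y; if both sourcetypes carry the extra character, drop the `if()` and apply `substr` directly.

```spl
index=sample1 ((sourcetype=x host=host1) OR sourcetype=y)
| eval caller_party=if(sourcetype=="y", substr(caller_party, 2), caller_party)
| eval caller=coalesce(caller, caller_party)
| stats count(eval(sourcetype=="x")) AS all_calls,
        count(eval(sourcetype=="y")) AS messagebank_calls
        BY caller
| where all_calls>0
```

The final filter is `where all_calls>0` rather than `search all_calls=*` because `count(eval(...))` returns 0, not null, for a caller that never matched, so `all_calls=*` would keep every caller; `>0` keeps only callers actually seen in sourcetype x. Also note that inside `eval`, an unquoted `x` is a field reference, so the sourcetype names must be quoted as shown.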
Perhaps this will help.
index=*1644* container_name="ls2-sdp-java" $selected_countries$
| rex field=_raw "for \[(?P<country>\w+),\s*(?P<cobDate>\w+),\s*(?P<sdpType>\w+)"
| rex field=_raw "records: (?P<Recordcount>\w+)"
| rex field=_raw "^(?<dateTime>\S+)"
| eval DateTime=strptime(dateTime, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| eval CreatedTime=strftime(DateTime, "%H:%M")
| eval CreatedDate=strftime(DateTime, "%Y-%m-%d")
Hello Team, we have been using the Corelight App for Splunk to ingest Corelight IDS events into our distributed Splunk environment. This app is working absolutely fine on the indexer. We are unable to launch this app on the search head. Can you please assist us with the details to get the app working on the search head? Regards, Prathamesh