I have been using the Splunk Add-on for Salesforce for a while now, but I want to know if anyone else is using it and has noticed that the number of events being ingested has decreased. When I look back to December I can see Splunk would ingest multiple UserLicense events per day, but now it's one event every 4 days.
Thank you. For some reason I am still only able to filter for type accounting. At this point, I am wondering whether it is an issue with Splunk or whether ISE does not send this information as part of syslog. Regards, Martin
You can query all alerts using this REST command. Filter the results to find the information you seek.
| rest splunk_server=local /servicesNS/-/-/saved/searches
| search alert_type!="always"
But how will our indexers accommodate this? That is my question here. We have 6 indexers with 6.9 TB of disk space. What happens if we exceed this space in a single day?
Thank you, that's a neat solution. However, in my simplified query I have removed some eval conditions and filters. One of them is that the caller and caller_party formats are different in the two sourcetypes. So below the rename I have `| eval caller_party=substr(caller_party, 2)`. Could you please advise how your solution would change to account for this? Thank you!
Hi @ITWhisperer, thank you for sharing the details. I configured the same in my source XML and I can modify the colors accordingly. Can you also help me change the legend color for 'forecast', as it is not showing in green?
Hi @Karthikeya, you can exceed the license limit without any violation (only a message) 45 times in 60 solar days. So it shouldn't be a problem in your situation. For more information see https://www.splunk.com/en_us/resources/splunk-enterprise-license-enforcement-faq.html?locale=en_us Ciao. Giuseppe
Hi @osh55, let me understand: is the issue that the number of results of the subsearch is more than 50,000? Did you try to put both searches in the main search?
index=sample1 ((sourcetype=x host=host1) OR sourcetype=y)
| eval caller=coalesce(caller, caller_party)
| stats
count(eval(sourcetype="x")) AS all_calls
count(eval(sourcetype="y")) AS messagebank_calls
BY caller
| search all_calls=*
Ciao. Giuseppe
Perhaps this will help.
index=*1644* container_name="ls2-sdp-java" $selected_countries$
| rex field=_raw "for \[(?P<country>\w+),\s*(?P<cobDate>\w+),\s*(?P<sdpType>\w+)"
| rex field=_raw "records: (?P<Recordcount>\w+)"
| rex field=_raw "^(?<dateTime>\S+)"
| eval DateTime=strptime(dateTime, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| eval CreatedTime=strftime(DateTime, "%H:%M")
| eval CreatedDate=strftime(DateTime, "%Y-%m-%d")
Hello Team, we have been using the Corelight App for Splunk to ingest Corelight IDS events into our distributed Splunk environment. This app is working absolutely fine on the indexer. We are unable to launch this app on the search head. Can you please assist us with the details to get the app working on the search head? Regards, Prathamesh
I have the following simplified version of the query where, for each caller, I need all_calls (from sourcetype=x) and messagebank_calls (from sourcetype=y).
index=sample1 sourcetype=x host=host1
| stats values(caller) as caller by callid
| stats count as all_calls by caller
| rename caller as caller_party
| appendcols
[ search index=sample1 AND sourcetype=y
| stats count as messagebank_calls by caller_party]
| search all_calls=*
The messagebank_calls value is incorrect, and I'm guessing it is because of the subsearch/appendcols? How do I increase the limit or rewrite the query so I can get the same results: caller, all_calls, messagebank_calls?