Hi everyone, I want to prevent warm buckets from becoming cold, not to disable it since it's mandatory to have coldPath. The reason is that since my Hot/Warm and Cold buckets are all on the same fast storage, as well as I also need to define maxVolumeDataSizeMB for coldPath, I want to use up all my storage for homePath as much as possible. Here's an example of what I mean. Total Disk Space: 100GB homePath's maxVolumeDataSizeMB: 90GB coldPath's maxVolumeDataSizeMB: 10GB No frozenPath I want to configure the indexes not to move to Cold buckets as much as possible, so that I can reduce the coldPath configuration to be 1GB only, hence freeing up 9GB of space to allocate for the homePath of my other 30 indexers. From my Monitoring Console, I see that the coldPath is not used much so 9GB of all indexers add up to lots of space that are under-utilized. Based on this stats, I could set to 1GB today but it might suddenly increase one day, which leads to my question above, as I want to set it in a deterministic way. Any advice is appreciated.

Default range of Overall Service Health Score is: Critical;0-20 , High;20-40 , Medium;40-60 , Low;60-80 , Normal; 80-100 where in service analyzer it will show color: Critical;Red , High;Amber , Medium;Orange , Low;Yellow , Normal;Green. Basically, I want to change the default range where when the score is 89, it will be Low severity instead of Normal and the service node will show Yellow color instead of Green. Is it possible to change the default range?

Hi guys. Question: what's the best "maxKBps" settings in such Environment? 1Gbit LAN About 2000 Forwarders 6 Indexers I know, the correct answer does not exist, since may vary from server to server, and from Env to Env, but there's surely a Best Practice to set this fundamental value, right? So, from months to now on i stay well with 0 value (no bandwidth limit), but sometimes i get a real Indexers stress while people load many many GB of logs (more than 1TB, for pregress analisyes), since Indexers receive so many datas to saturate their resources, so i need to force a maxKBps to 10240 ONLY for some servers to stay well. Now, is a 10240 value a right compromise for *ALL* Forwarders, maybe, to raise the value succesively after?

Hi, I have an use case that I need to forward the logs to TCP listener (third party system) as and when the logs load to splunk. For the, I am loading windows security logs to splunk from windows machine using Splunk Forward service. Then configured splunk forwarder to forward raw logs to TCP listner as below. ================= props.conf =============== [ tcp:9080] TRUNCATE = 0 [default] # unless a more specific stanza clears the value of this class, the transform will be run TRANSFORMS-selectiveIndexing = selectiveIndexing [WinEventLog:Security] TRANSFORMS-routing=transforms-windows-security-logs # note the empty list of transforms to run in this class, overridden from the [default] TRANSFORMS-selectiveIndexing = =========================================   ================ transforms.conf =========== [transforms-windows-security-logs] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = windows-security-routing =========================================   ================ output.conf =============== [indexAndForward] index = true [tcpout] defaultGroup=everythingElseGroup [tcpout:windows-security-routing] server=xx.xx.xxx.xxx:9522 sendCookedData=false ======================================== Now, I have Logstash listener which is listening on port 9522 and writing the data to file. I see the logs being written to file as below =============== Windows security logs forwarded to third party system ========= {"@timestamp":"2022-05-24T10:15:57.680Z","@version":"1","port":33332,"message":"LogName=Security","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.680Z","@version":"1","port":33332,"message":"EventType=0","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.680Z","@version":"1","port":33332,"message":"SourceName=Microsoft Windows security auditing.","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.680Z","@version":"1","port":33332,"message":"RecordNumber=24054056","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.680Z","@version":"1","port":33332,"message":"TaskCategory=Process Termination","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.680Z","@version":"1","port":33332,"message":"Message=A process has exited.\r","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.680Z","@version":"1","port":33332,"message":"Subject:\r","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.680Z","@version":"1","port":33332,"message":"\tAccount Name:\t\tBDELYSYS07$\r","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.680Z","@version":"1","port":33332,"message":"\tLogon ID:\t\t0x3E7\r","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.680Z","@version":"1","port":33332,"message":"Process Information:\r","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.680Z","@version":"1","port":33332,"message":"\tProcess Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-winevtlog.exe\r","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.680Z","@version":"1","port":33332,"message":"05/23/2022 08:51:21 PM","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.681Z","@version":"1","port":33332,"message":"EventCode=4689","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.681Z","@version":"1","port":33332,"message":"ComputerName=BDELYSYS07.bdelysium.internal","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.681Z","@version":"1","port":33332,"message":"Type=Information","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.681Z","@version":"1","port":33332,"message":"Keywords=Audit Success","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.681Z","@version":"1","port":33332,"message":"OpCode=Info","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.681Z","@version":"1","port":33332,"message":"\r","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.681Z","@version":"1","port":33332,"message":"\tSecurity ID:\t\tS-1-5-18\r","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.681Z","@version":"1","port":33332,"message":"\tAccount Domain:\t\tBDELYSIUM\r","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.681Z","@version":"1","port":33332,"message":"\r","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.681Z","@version":"1","port":33332,"message":"\tProcess ID:\t0x2798\r","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.681Z","@version":"1","port":33332,"message":"\tExit Status:\t0x0","host":"xx.xx.xxx.xxx"} {"@timestamp":"2022-05-24T10:15:57.681Z","@version":"1","port":33332,"message":"LogName=Security","host":"xx.xx.xxx.xxx"} ================================================= Going through the logs, it seems like logs are not forwarded event by event.  I would like to know with the above setup, how can I forward the logs to TCP listener event by event. Also, is there a way to forward the splunk parsed data logs in JSON format to TCP port.

Hello,  I am trying to figure out how to rex extract from text that starts with a newline and ends with a newline.  For example:  \\nCAR PRODUCT: bat mobile\n Does anyone know a good way around this situation so that only "bat mobile" is extracted?   Thank you for your help. Spencer

hi Expert,  i have a question for this issue. What methods are you used to detect malware? Does it have anything to do with SVM or machine learning? Please help me answer this question. Thanks and best regards.

Hi Splunkers, I am stuck at how can I get counts for Yesterday and Last week. so ask is when select relative time from timer(in Dashboard) it should give me counts for yesterday in one panel and in another panel for last week.  For Example, 1) I am searching for 9pm to 10pm in my Dashboard so I want to setup a query that gives me same time data but yesterday's 9pm to 10pm (Query for Yesterday) 2) If I run same data then other panel should give me counts for last week at same time (Query for last Week) so I am looking for two separate queries for both. Basic Query:- index::name type=sample_events "service"="auth" "successReason"=VALID | stats count  

Hello! I'm working on a project where we would like to use Splunk Synthetic Monitoring to improve our monitoring of several web applications, but I'm running into issues where waiting for elements to be present is causing timeouts. Is there any way to set a custom wait time on a step? And if that way involves executing Javascript, what are the best practices for defining the custom wait times? Apologies if I'm posting this in the incorrect location!

If I run the below search the statistics output changes while the search is progressing and when the search is completed not all results that was seen during the search is visible.  | tstats summariesonly=f count from datamodel=Network_Traffic by All_Traffic.app,All_Traffic.src,All_Traffic.dest,All_Traffic.dest_port,All_Traffic.action | lookup xxxx CIDR AS All_Traffic.src OUTPUT CIDR as cidr_ip2 fullzonename as sourcenetwork ZoneType as sourcezonetype | lookup xxxx CIDR AS All_Traffic.dest OUTPUT fullzonename as destinationnetwork ZoneType as destinationzonetype | where (cidrmatch(cidr_ip2,'All_Traffic.src')) | search sourcezonetype="yyyy" AND destinationzonetype!="*zzzz" | stats count by sourcenetwork sourcezonetype destinationnetwork destinationzonetype All_Traffic.action