Hi All, I have generated the Azure AD SAML XML and certificate using the Splunk blog: https://www.splunk.com/en_us/blog/tips-and-tricks/configuring-microsoft-s-azure-security-assertion-markup-language-saml-single-sign-on-sso-with-splunk-cloud-azure-portal.html After loading the XML into a totally new instance, it gives the below error:
Verification of SAML assertion using the IDP's certificate provided failed. Error: failed to verify signature with cert
In the Azure portal I can see the certificate is active. Not sure where to look further... any leads here? @tkomatsubara_sp @richgalloway @tshah-splunk
Hello, I have a customer that wants to create a Search Head Cluster. He has deployed 4 Search Heads and 2 Search Deployers for me. The customer's idea is to have 2 Search Deployers, one acting as master and one acting as a backup server that replaces the master in case of its failure. Is it possible? Thanks a lot
Handy search for a dashboard:
earliest=-90d@d `notable`
| eval isSuppressed=if(match(eventtype,"Suppression"),1,0)
| stats count(eval(like(urgency,"informational"))) as informational_count count(eval(like(urgency,"low"))) as low_count count(eval(like(urgency,"medium"))) as medium_count count(eval(like(urgency,"high"))) as high_count count(eval(like(urgency,"critical"))) as critical_count, sum(isSuppressed) as suppression_count, sparkline(count) as activity by rule_name
| join rule_name [| rest splunk_server=local count=0 /services/saved/searches | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") | rename action.correlationsearch.label as rule_name action.risk.param._risk as risk_json | eval status = if(disabled=="1","disabled","enabled") | fields rule_name status ]
| search status!=disabled
| eval informational_count = if(isnull(informational_count),0,informational_count), low_count = if(isnull(low_count),0,low_count), medium_count = if(isnull(medium_count),0,medium_count), high_count = if(isnull(high_count),0,high_count), critical_count = if(isnull(critical_count),0,critical_count), suppression_count = if(isnull(suppression_count),0,suppression_count)
| fields rule_name activity suppression_count informational_count low_count medium_count high_count critical_count
| addtotals critical_count high_count medium_count low_count informational_count
| sort - Total critical_count high_count medium_count low_count informational_count
| rename Total as total_reported
Hello, presently my hot/warm index occupies 50GB on disk (there are no limits specified in indexes.conf). I'd like to move it to a faster volume of 10GB size. What would be the correct steps to achieve this? For example:
- specify maxDataSizeMB = 10000
- restart splunk (will it shrink the hot index and move the rest of it to the cold path?)
- add a new volume, manually move the hot index files to the new location
Thanks, Andrei
How do I subtract the total Amount of WithdrawRequest and the total Amount of DepositRequest? Result=WithdrawRequest-DepositRequest
Hi, we have a dashboard that is getting this error. I am on 8.1.9. The "Unknown sid." might stay there for 2 minutes, but multiple refreshes might have happened; I can't manually refresh it, and in a demo it looks really, really bad. Any ideas of what it is and how I can make it stop happening?
Hello, I've defined root_endpoint = /splunk in the web.conf file. But now I'm getting 404 on /splunk/en-US/static/* files. What did I do wrong? Regards, Nicolas
One server has the splunk service failing and it seems splunk-winevtlog.exe is not started. Two of the three services are up and one is always down and not started. I reinstalled the agent but it still did not help.
SplunkForwarder Service - Windows Service Monitor - Up Up
splunkd.exe - Process Monitor - Windows - Up Down
splunk-winevtlog.exe - Process Monitor - Windows - Down
Content mapping is not working correctly in the Security Essentials app after the version upgrade to 3.5.0. We have upgraded to 3.5.1 and still it is not working as expected. Local saved search names in the Security Essentials app are not as per the correlation search names in ES. Splunk Custom Content is getting piled up with all enabled correlation searches when we update the Content Introspection. Overall performance of this page is also very, very slow.
Hi, I have an index of log events and I have been asked to exclude all events with a certain string in them. The string I need to omit is drminprtmgmt.isus.emc.com. This string (which represents a device) is not mapped to any field currently. How can I filter all events to exclude this string? This is currently what I have (which does NOT work):
Many thanks, Patrick
Hi, I have read that parallelIngestionPipelines is not working in 8.1; however, that post was old, so I am not sure if it was fixed in 8.1.9. I also read it was fixed in 8.2.3 onwards. Regards, Rob
I have some data and I am trying to extract fields from multi-line raw data.
TIMESTAMP=23-12-2021,Eligible_to_be_Purged=0,Total_Records_Inserted=79871,Row_Count=0,NUMORDERSPURGED=14267,INVOCATIONS=781016,AVERAGE=101.76,MAXIMUM=171465,NUMOFGETJOBSPROCESSED=163,GETJOBS_AVERAGE=17114.57
TIMESTAMP=24-12-2021,Eligible_to_be_Purged=0,Total_Records_Inserted=51367,Row_Count=0,NUMORDERSPURGED=206884,INVOCATIONS=471196,AVERAGE=981.21,MAXIMUM=237037,NUMOFGETJOBSPROCESSED=97,GETJOBS_AVERAGE=14298.03
TIMESTAMP=25-12-2021,Eligible_to_be_Purged=0,Total_Records_Inserted=57405,Row_Count=0,NUMORDERSPURGED=51558,INVOCATIONS=205747,AVERAGE=960.54,MAXIMUM=301445,NUMOFGETJOBSPROCESSED=45,GETJOBS_AVERAGE=36616.87
I want to extract all fields from all 3 lines.
Hi, I need a list of all the successful event details in the 'If' condition. For that successful list I need to extract a few more details and send an alert. I tried stats count, but it is giving only the count, and eventstats is giving all the values (Success and Failed events). Please help me here to get the detailed list of successful events. Please see the below attachment.
Hi all, I'm new to splunk and I have seen that this has been asked many times, but most of the results are based on matching one column from a search with another; my query is slightly different. I have the following: a search that outputs the following in a table/columns/rows:
name, feed, alarm
attack, true, false
block, true, true
I also have a lookup table which has a predefined list of the above with the correct values, i.e.
name, feed, alarm
attack, true, true
.....and so on. What I am looking for is for the search to compare its results with the lookup table and, if there are any rows from the search that do not match those rows from the lookup, to present those to me as a result. I'm only interested in what isn't matching. At the same time I would like to handle the possibility of there being a result from the search that doesn't exist in the lookup table. Thank you in advance and I look forward to your answers :).
Dear Splunkers, I'm trying to get data from a Pub/Sub but I receive a 403 error. I configured the add-on on a HF, following the splunk documentation, and I set up a proxy because the HF is in an internal network. I tried a curl following this guide "https://blog.differentpla.net/blog/2017/10/05/google-pub-sub-bash/" (adding -x for the proxy) and it worked, so the credentials are correct and the service account has the right permissions. Thank you.
Hello dear community, I am contacting you because I built a machine learning model that I implemented in splunk (mltk), but when I apply my model on my data, here is the error I get: Error in 'apply' command: Failed to load model "modele": Failed to load algorithm with an invalid name: <class 'algos.LinearRegression.LinearRegression'>.
2022-04-11 05:46:26 POST /BestMarket.Internal.Market.Transactions/MarketTransactionService  ContractName="BestMarket.Platform.Transactions.Contracts.IProviderTransactionServiceAsync"+OperationName="WithdrawAsync"+RequestType="WithdrawRequest"+WithdrawRequest="{'ProviderName':'NIkora'+'BrandName':'Vazisubani'+'CustomerId':'2ed928f1-3bec-4794-adce-a3ed9221152b'+'Amount':0.6+'TransactionId':'6253c0b3eb303a42bed6ffc1'+Reference':'8382608392617'+'WalletmarketId':12946+'Comment':'market+round:+0cb0d4b0-13b1-41ff-b367-ad34446c717a:8382608392617'+'IsRepeatable':true+'IsFinal':false+'BonusContext':'best.Market'+'BonusContribution':0.0+'Device':1+'TransactionType':null+'DeviceType'
I want to get Amount as a table, but when I write | table Amount the column is empty.
Username to split - domain\user
Expected result for user2 field - domain user
SPL - | eval user2=split(user,"\")
Error stated - unbalanced quotes
Thanks for assistance
Hi All, I am trying to install the splunk universal forwarder. While adding the forwarder it is asking for an admin username and password. Command: /opt/splunkforwarder/bin/splunk add forward-server I checked results on google and tried the default credentials admin/changeme. It is not working. I am installing this UF on an ec2 linux instance. I am stuck with the login failure here. Please, anyone, help me on this. Thanks in advance, Poojitha NV
Hi Team, I need to find the difference between two tables and generate an alert when the difference between Table B and Table A is greater than 3, and publish the difference in a table. Kindly help on this.
Table A    Table B
3234       3240
4234       4236
2345       2348
1345       1349