Since upgrading to ITSI 4.9, the app reverted to the free version "ITEssential Work" (ITE-W) and most premium features are gone. This is because the ITSI license is now mandatory, or that the license-master was not properly upgraded.

Looking to measure heavy sources and track how much is getting indexed per day by source. the main problem is our Splunk admin team cannot give us access to the _internal index, so i cannot run the standard  _internal metrics commands such as: index=_internal sourcetype=splunkd source=*metrics.log* group=per_source_thruput   Curious as to how accurate measuring actual log sizes with Splunk commands might be compared to _internal index stats. we dont need 100% accurate results just a ballpark estimate such as one source might be indexing 5-600Gbs per day or 1-1.5 Tb a day for example. Thinking of trying something like    index=aws-index sourcetype=someSource source="/some/source/file.log" | eval raw_len=len(_raw) | eval raw_len_kb = raw_len/1024 | eval raw_len_mb = raw_len/1024/1024 | eval raw_len_gb = raw_len/1024/1024/1024 | eval raw_len_tb = raw_len/1024/1024/1024/1024 | stats sum(raw_len_mb) as MB sum(raw_len_gb) as GB sum(raw_len_tb) as TB by source                

Hello! I have a dataset that I'd like to add a new field to where I can arbitrarily define the values with manual input without downloading and reuploading the data. I've tried editing the table but it seems as though I can only enter a calculated value, some cacatenation of fields and values, or input the same value for every record. Any help is appreciated, thanks! example: original dataset OG Field 1 OG Field 2 OG Field 3 UUID timestamp value UUID timestamp value   new dataset OG Field 1 OG Field 2 OG Field 3 New Field UUID timestamp value I can input anything I want here like a comment on the record UUID timestamp value I can input something different here   I don't necessarily need to use tables so if there's another method of adding new fields to datasets from within Splunk I'm open to that as well.

Hello we are trying to add filter on the input of windows event log. the input conf is:   [WinEventLog://Security] disabled = 0 index = windows blacklist1 = 5145,5156 blacklist2 = EventCode=4672 SubjectUserName="exchange\$" renderXml=true suppress_text=true supress_sourcename=true supress_keywords=true suppress_task=true suppress_opcode=true   blacklist1 is working good, but blacklist2 is not working. the target is to filter out the event id 4672 with the SubjectUserName equals to "exchange$". any ideas?   Thank you

im trying to setup splunk to find suspicious traffic in incoming and outgoing traffic. right now im trying to exclude traffic that comes from places that are not suspicious (whitelist) like social media websites, news websites, internal traffic etc. and use a blacklists to trigger alerts if it tries to connect to my IP. im not sure where to start here, is this even possible in splunk? there are existing blacklists online that use an api key to connect to for that blacklist, can i use that api key in splunk? do i download an entire database and upload it under my C: drive? i really hope you guys can help me here

Hi. How to set up a Health Rule from monday to fryday and from 06:00 to 23:59 h? I'm trying using this expresions Start: 0 6 * * 1-5 and 0 6 * * MON-FRY and 0 0 6 ? * MON-FRI End: 59 23 * * 1-5 and 59 23 * * MON-FRY But this message appears: "Error 0 6 * * MON-FRI is not a parseable cron expression" Wich is the right way to set up this? Thanks in advance for your help