I have 2 types of events that come in the following, random, format: AAAAAAABAAAAAABAAAAAAAAABAABAAA B's never repeat, and they are always surrounded by an A. The A prior to B has source information, and the A after the B has result/destination information. The information in B has command information. I am trying to compare the values of fields in the A events both before and after the B, as well as correlate with what the B event contains. Pseudo example: Event A: mac_address, ip_address,  new_session_flag Event B: mac_address, new_ip_address Event A: mac_address, ip_address, new_session_flag I need to know the source IP address (a.ip_address before), the IP address it was attempted to move to (b.ip_address), and the resulting IP address (a.ip_address after) and session flag status (a.new_session_flag after) How can i do this? i am working w/ millions of records so i cannot use append/join/etc. Example of a search where the new_session_flag begins with 0 and ends with 1, but I dont want to filter based on new_session_flag. I want all events where B is the 2nd event, regardless of new_session_flag status     (event=A OR event=B) | transaction mac_address startswith=new_session_flag=0 endswith=new_session_flag=1 maxevents=3 unifyends=true mvlist=true | fields event mac_address new_ip_address ip_address new_session_flag | where mvindex(event,1) == "B"      

After recently reviewing 8.2.3 hardware requirements, I noticed my deployment is a bit under spec. For instance, Splunk recommends 800 IOPs and 300GB for Search Head node disks. https://docs.splunk.com/Documentation/Splunk/8.2.3/Capacity/Referencehardware#What_storage_type_should_I_use_for_a_role.3F Search heads with a high ad-hoc or scheduled search loads should use SSD. A HDD-based storage system must provide no less than 800 sustained IOPS. A search head requires at least 300GB of dedicated storage space. Indexers should SSD or NVMe drives.  In my case, I have a dedicated NVMe "data" drive for all indexed data (except _internal) and a SSD drive for the OS and Splunk application (like on the Search Heads).      Does an indexer require the same 800 IOP / 300GB disk as a Search Head?  Does an indexer need to write information to disk per search execution?    Also has anyone experienced issues with using the GP3 disks on SHCs or IDXCs ?  (excluding the use as a specific data drive, which I use NVMe)   Thank you

Dear All, So I have a Linux script that runs vmstat as a daemon and writes the output every minute to a csv file. Here is some typical output ... _time, metric_name:vmstat.procs.runwait, metric_name:vmstat.procs.blocking, metric_name:vmstat.memory.swapped, metric_name:vmstat.memory.free, metric_name:vmstat.memory.buffers, metric_name:vmstat.memory.cache, metric_name:vmstat.swap.in, metric_name:vmstat.swap.out, metric_name:vmstat.blocks.read, metric_name:vmstat.blocks.written, metric_name:vmstat.system.interupts, metric_name:vmstat.system.contxtswtch, metric_name:vmstat.cpu.user, metric_name:vmstat.cpu.system, metric_name:vmstat.cpu.idle, metric_name:vmstat.cpu.iowait, metric_name:vmstat.cpu.stolen 1637263961, 11, 0, 301056, 13188244, 52, 1645532, 0, 0, 258, 20, 4, 2, 2, 3, 96, 0, 0 1637264021, 3, 0, 301056, 13193028, 52, 1645648, 0, 0, 0, 37, 1480, 2090, 0, 1, 99, 0, 0 1637264081, 3, 0, 301056, 13193448, 52, 1645724, 0, 0, 0, 13, 700, 1097, 0, 0, 100, 0, 0 1637264141, 3, 0, 301056, 13192100, 52, 1645812, 0, 0, 0, 17, 756, 1154, 0, 0, 100, 0, 0 Now every so often I get an error in the message board like The metric value=metric_name:vmstat.procs.runwait provided for source=/opt/splunkforwarder/etc/apps/TA-linux-metrics/log/read_vmstat.log, sourcetype=csv, host=foo.bar.baz, index=lnx_os_metrics is not a floating point value. Using a numeric type rather than a string type is recommended to avoid indexing inefficiencies. Ensure the metric value is provided as a floating point number and not as a string. For instance, provide 123.001 rather than 123.001. This is not consistent and when I look at the file it is perfectly formed, the above is an example that just threw me an error.  The stanza from inputs.conf is [monitor:///opt/splunkforwarder/etc/apps/TA-linux-metrics/log/read_vmstat.log] index = lnx_os_metrics sourcetype = csv I tried with sourcetype csv as well as metrics_csv,  both give the same result.  What on earth could be going on here? Thanks, R.

I'm responsible for a Cisco IM & Presence system.  It can support logging of messages to an external SQL database or a 3rd party compliance server (like Verba). I'm not very familiar with Splunk and its suite of products.  I'm being asked if Splunk can be used to log Jabber instant messages but I'm not sure it can be used in that capacity.  Based on Cisco's IM compliance documentation: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/im_compliance/12_5_1/cup0_b_im-compliance-guide-1251/cup0_b_im-compliance-guide-1251_chapter_01.html it seems like Splunk can be used to view messages in the SQL database being used to archive messages.  Other than that, I've haven't seen any documentation showing that Splunk can be used to view or store Cisco IM & Presence instant messages between Jabber clients. Has anyone had any experience trying to use Splunk to access Cisco IMP Jabber messages?  If so, do you have any experience or documentation that you could share? Thanks,    

I see below log in operation_install showing continuous failure to connect to https://gravity-site.kube-system.svc.cluster.local:3009/healthz. ================ Wed Nov 10 02:40:41 UTC [INFO] [DAPD02] Executing postInstall hook for site:6.1.48. Created Pod "site-app-post-install-125088-zqsmd" in namespace "kube-system". Container "post-install-hook" created, current state is "waiting, reason PodInitializing". Pod "site-app-post-install-125088-zqsmd" in namespace "kube-system", has changed state from "Pending" to "Running". Container "post-install-hook" changed status from "waiting, reason PodInitializing" to "running". ^[[31m[ERROR]: failed connecting to https://gravity-site.kube-system.svc.cluster.local:3009/healthz Get https://gravity-site.kube-system.svc.cluster.local:3009/healthz: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) ^[[0mContainer "post-install-hook" changed status from "running" to "terminated, exit code 255". Container "post-install-hook" restarted, current state is "running". ^[[31m[ERROR]: failed connecting to https://gravity-site.kube-system.svc.cluster.local:3009/healthz Get https://gravity-site.kube-system.svc.cluster.local:3009/healthz: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) ^[[0mContainer "post-install-hook" changed status from "running" to "terminated, exit code 255". Container "post-install-hook" changed status from "terminated, exit code 255" to "waiting, reason CrashLoopBackOff". ================ The gravity cluster status after the installation failure: ================ [root@DAPD02 crashreport]# gravity status Cluster name: charmingmeitner2182 Cluster status: degraded (application status check failed) Application: dsp, version 1.2.1 Gravity version: 6.1.48 (client) / 6.1.48 (server) Join token: b9b088ce63c0a703ee740ba5dfb380d Periodic updates: Not Configured Remote support: Not Configured Last completed operation: * 3-node install ID: 46614e3c-fcd1-4974-8cd7-dc404d1880b Started: Wed Nov 10 02:33 UTC (1 hour ago) Completed: Wed Nov 10 02:35 UTC (1 hour ago) Cluster endpoints: * Authentication gateway: - 10.69.80.1:32009 - 10.69.80.2:32009 - 10.69.89.3:32009 * Cluster management URL: - https://10.69.80.1:32009 - https://10.69.80.2:32009 - https://10.69.89.3:32009 Cluster nodes: Masters: * DAPD02 / 10.69.80.1 / master Status: healthy [!] overlay packet loss for node 10.69.89.3 is higher than the allowed threshold of 20% (current packet loss at 100%) [!] overlay packet loss for node 10.69.80.2 is higher than the allowed threshold of 20% (current packet loss at 100%) Remote access: online * DWPD03 / 10.69.80.2 / master Status: healthy [!] overlay packet loss for node 10.69.80.1 is higher than the allowed threshold of 20% (current packet loss at 100%) [!] overlay packet loss for node 10.69.89.3 is higher than the allowed threshold of 20% (current packet loss at 100%) Remote access: online * DDPD04 / 10.69.89.3 / master Status: healthy [!] overlay packet loss for node 10.69.80.2 is higher than the allowed threshold of 20% (current packet loss at 100%) [!] overlay packet loss for node 10.69.80.1 is higher than the allowed threshold of 20% (current packet loss at 100%) Remote access: online ================

I have panel on a dashboard that lists events in a security log.  I can list them by Event ID but I would like it listed by Event ID count so that the most frequent are at the top.  If I change "count by Event" to "count by count" I get an error "The output field 'count ' cannot have the same name as a group by field." <query>index="wineventlog" $Site_Token$ $Cmptr_Token$ $Type$ LogName="Security" Type=Information | stats count by Event</query> How do I get it to list them in descending order by count?