The REST API seems to return default values for max_searches_per_cpu, while the btool command brings back the actual values.     | rest splunk_server=* /services/search/concurrency-settings/search | table *     Any thoughts?   ... View more

When producing reports, the recipients receive only the first 100 lines, is this a known limitation? ... View more

We are trying to invoke alerts from Splunk to NetCool, and wondering what the right approach would be. We came up with 3 proposals - Solution 1 : Create a script, and invoke in alert actions, and pass the parameters.  Solution 2 : Create a custom command, and append it to the SPL, and pass the arguments.  Solution 3: Create a custom alert action, with html form fields. (Just like Send Email/Snow) - Preferred    We also came across Splunk dev documentation at Create custom alert actions for Splunk Cloud Platform or Splunk Enterprise  Any feedback would be appreciated.   ... View more

Has anybody managed to integrate a dashboard with FIRST's cvsscalc31.js? We would like to get the cyber data scored using this script - Common Vulnerability Scoring System v3.1: Calculator Use & Design    ... View more

Is there a way to configure Splunk to make scheduled searches having a higher priority than ad-hoc searches?  I know that we can do it using the Workload Management but since we don't use it yet, I hope there is a way to do it without the Workload Management. ... View more

I'm trying to run -      | tstats count where index=wineventlog* TERM(EventID=4688) by _time span=1m     It returns no results but specifying just the term's value seems to work -    | tstats count where index=wineventlog* TERM(4624) by _time span=1m   https://conf.splunk.com/files/2020/slides/PLA1089C.pdf explains the subject well but my simple query is not working. ... View more

Does anybody know where the failures of sendemail are being logged? I wonder about cases where the e-mail address no longer exists and what type of error is generated and where. _internal and _audit don't seem to have this data. ... View more

We are receiving syslog data via UDP and we noticed that some data is missing. When running -  tcpdump -i eth0 port <udp port> I see lines such as -  UDP, bad length 5158 > 1472 And the data is not being ingested.  https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnetworkengineering.stackexchange.com%2Fquestions%2F74563%2Ftcpdump-output-with-bad-length-indicator-present&data=05%7C01%7CDan.Drillich%40ey.com%7Cdd747e3eb5df4e69f41f08daccba043e%7C5b973f9977df4bebb27daa0c70b8482c%7C0%7C0%7C638047396551230716%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=rM9Xbj7iD2jaOFqjWl3ZyzwUr9rJB0i5v0A7nRS9suE%3D&reserved=0   says -  The 1472 is the maximum payload length for the UDP datagram. Any ideas how to deal with it?   ... View more

How difficult is it to make the EventID an index field for the wineventlog index? Can it increase indexing time significantly?  ... View more

Hello, Is there a way to convert this query to run with tstats? It is _slow_ when running it for two weeks of data... index=index_name host=IP_name | eval lag_sec = (_indextime - _time) | eval lag_min = lag_sec/60 | timechart span=1h avg(lag_min)   ... View more

We have the outliers SPL and visualizations  work, but I don't know how to create the alerts themselves?  How do we go about it?  We can use sendemail, but it won't be captured within _audit, which is a shame. ... View more

A dashboard which uses tabs.js and tabs.css worked all along and suddenly we get the error message -    A custom JavaScript error caused an issue loading your dashboard, likely due to the dashboard version update. See the developer console for more details.     What can it be?   ... View more

As we work on the migration to the cloud, we have the following case - We are sending the syslog data to a heavy forwarder on the cloud (and to the on-prem indexers), to its 9997 port. When reaching this HF, we would like to fork just the firewall data to a subset of the indexers. Is it possible to make such a routing? We would like to have something like -    [<transforms_stanza_name>] SOURCE=index REGEX=^firewall DEST_KEY=_TCP_ROUTING FORMAT=<subset of cloud indexers>     ... View more