All, I have a clean install of Splunk ES with the latest Splunk App For Nix enabled. The Account Management dashboard is not populating in a useful. I have this log event which is my test - Apr 10 19:44:10 myhost useradd[5965]: new user: name=mysql, UID=997, GID=994, home=/var/lib/mysql, shell=/bin/bash SHOULD pull field extraction from this out of the box transform stanza - [useradd] REGEX = .*?((new) (user|group|account))(?:: | (?:added) - )(?:name|account)=(\w+), FORMAT = vendor_action::$1 object_category::$3 name::$4 user::$4 I confirmed you stanza SHOULD work in regex101.com Can you help me understand why this isn't working as I expect? I believe users added, removed, groups added, removed should appear here by who executed the command. ... View more

All, I can't get access to admin tools on this instance of Splunk, just want to confirm this LEN command is accurate within reason for determining gigs used? example - index=pcf | eval total=len(_raw) | eval mygigs=1024/1024/1024 | stats sum(mygigs) ... View more

All, Is there a supported and easy way to exclude Splunk's internal logs from the access_center in Splunk ES? possible to just block reading the hidden indexes? ... View more

All, Sorry guys, don't do this much and the docs are not giving me the warm and fuzzy's about about how to do this. I'd like to take advantage of the fact I have pretty snappy local disks on my new servers to keep a day or two logs events there before rolling to cold. Never really done this before. Where I am running into trouble here is that config for the hot/warm. What's the setting here to get Splunk rolling from FASTDISk to BIGDISk isntead of just running out of space and crashing? Does Splunk just "know" as it appraoches 700gigs to start rolling? I assume this would be volume level setting but not seeing it. # 12TB store [volume:bigdisk] path = /data maxVolumeDataSizeMB = 110000000 # 1TB local SSDs [volume:fastdisk] path = /splunk_local maxVolumeDataSizeMB = 700000 [default] # 10gig buckets maxDataSize = auto_high_volume # Company requires min 120 day logs available frozenTimePeriodInSecs=36820000 # Hot/Warm - should just roll to cold when fastdisk is low on space homePath = volume:fastdisk/$_index_name/db homePath.maxDataSizeMB = 700000 # Cold - should drop data when full - not crash coldPath = volume:bigdisk/$_index_name/colddb coldPath.maxDataSizeMB = 110000000 thawedPath = $SPLUNK_DB/$_index_name/thaweddb [main] [os] [windows] ... View more

All, I just installed ES. We're moving nice and slow here. I see it installs a supporting app called "Extreme" Search. Is there any reason to leave this isVisible=true? Should I just hide it from the menu's or is this something eventually users really get into? ... View more

All, I know Splunk ES is a little picky about apps installed with it and created. I was going to create an app called mycompany_splunkes_base and toss in all my configs like server.conf and alert_actions.conf there. Any reason that would be a bad idea? ... View more

All, Per a request from our security team, I moved Splunk to LDAP only and blasted the local admin account. But ES is going crazy about orphanded objects now. Any recommendation? I was thinking I can get away with creating a service account and reassign the objects there. Will that be fine? ... View more

All, Anyone have a list of all the URL's IPs I need to open Splunk Enterprise Security up to for its threat lists? I have to get the firewall exceptions places in this week, but won't have the actual Splunk bits for a few more weeks. thanks -Daniel ... View more

All, let's say I have 6 data centers. one is INSANELY small and another very large. How does mutli-site indexer replication handle that? Does it keep a full copy of every data center's data, in every other data center. That is the Smallest data center would have a copy of all data from the largest? ... View more

All, I have the following inputs.conf on a clean install of Splunk. But when I restart the instance I get a message that says "All the tokens are currently disabled. They can be enabled in the Global Settings." What config am I missing here? # inputs.conf [http://pcf] disabled = 0 index = pcf indexes = pcf token = aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa [http] disabled = 0 ... View more

All, A user just asked me this, any ideas on how to do this? Splunkj Q: is the following supported? I create an alert with a search trigger condition. If alert is triggered, run a different query, dump the results of that second query in an email to me i.e., I want an alert to trigger a secondary search (because this additional search would contain useful diag. info on the main problem that triggered the alert originally) and have that secondary search data as the email (edited) concretely alert trigger: index=siebel "SBL-EAI-04117" earliest=-5m | stats count | where count>200 (edited) if triggered, execute: index=siebel "SBL-EAI-04117" earliest=-60m | bin _time span=5m | stats count by _time | sort _time (if error count threshold breached, show me the last 60 minutes of data in an email) ... View more

All, My CentOS7 indexers in a cluster are crashing prety regularly now. /var/log/messages shows OOM errors and I can confirm we're pretty high on jobs being dispatched to Splunk. Is there any way to limit memory per search? I see some notes say limits.conf on the Search head, but my issue is the indexers. Same config? ... View more

all, I have set of indexers. One set is index clustered, modern hardware and super fancy. ANd I have my old stuff. For the time being I need to evenly balance between them. How could I configure my outputs.conf to do so? [tcpout] defaultGroup = default-autolb-group connectionTimeout = 10 forceTimebasedAutoLB = true [tcpout:default-autolb-group] server = myindexer01:9997 [tcpout:legacyindexerswithbigdisks] server = myoldindexer01:9997 ... View more

All, I am expecting to need to collect up to 1 billion collectD metrics per second for a Cloud install we're helping support. Anyone have a scoping guide for how many ref indexers I might need? thanks -Daniel ... View more

All, What are my hardware recommendations for a HEC? How many instances would I need for say 24gigs of logs a day? Didn't seem like much so I am thinking 2 VMs at 12CPU/12gigss ram? Thoughts? Any docs I should be reading here? ... View more

All, Anyone have a search handy I can run that shows the gigs per day by each indexer? thanks -Daniel ... View more

All, I have a user who's job used 6+gigs of ram. Is there a way for me to cap their memory usage? If so how does that "appear" to the user when they go over ram? Some sort of "exceeding memory error" I woudl guess? ... View more

All, I am trying to convert some superfluous parenthesis from this log. Duration value can be up to 4 digits. Looks like 1/2/2017 12:34 severity=INFO post call (duration=5) What I want 1/2/2017 12:34 severity=INFO post call duration=5 Here is what I got so far, but not clicking. SEDCMD-log4jwild_fix_duration_parenth = s/((duration=(0-9)*))/\1/ Any ideas? ... View more

All, Can I use props/transform to make MULTIPLE changes to the same event from a log? Lets say I have an app log, with a lot going on. I have a certain subset of logs I need to move to a compliance index and change the sourcetype and do a little clean up. if (event = hello world) then change sourcetype to "myxactdata" change index to "compliance" SED away credit card I can anyone of these to work, but not all three at once. What's the trick here? ... View more