Yes, the DMA is only usable by the search that created it. To take advantage of DMA on the standalone SH, you need to enable the DMA there as well. Since they are separated by the splunk instance GUID (generated on first SH start and stored in $SPLUNK_HOME/etc/instance.cfg), there will be no conflict between the two. Whether that is the reason for your PA dashboards not populating is something I can't answer, but it is absolutely possible if the underlying searches are using tstats to search against the accelerated DMs. ... View more

You can take a look at this app and its documentation to see if that would help you meet your needs. It's a search-based approach to forward data via SYSLOG specifically built for 3rd-party SIEM integrations. That aside: If you followed the documentation here and it didn't work for you, can you explain what issue you were experiencing? Maybe we can collectively get you on the right track. ... View more

As already pointed out, you need to start your href with "http://" to make it an absolute address, not a relative path within your Splunk app. ... View more

FYI, I have initiated a doc update to make that more explicit in the docs on how licensing works. Not the first time this question comes up. ... View more

How Splunk Licensing works. Splunk Enterprise licenses specify how much data you can index per calendar day. Note it doesn't say it specifies how much disk space your data equates to once indexed. Compression is a network and storage optimization we do to save on transmission bandwidth and storage footprint and is unrelated to indexing volume metering. Hopefully, this is the evidence you are looking for. ... View more

Assuming for simplicity that your eventIDs are single digit, you could do something like this: | eval status=case(match(eventId,"[246]"),"good", 1=1,"bad") If you want to prevent your searches from getting too convoluted, I would recommend creating a lookup table that lists all the eventIDs that are either good or bad, and defining a lookup that returns an appropriate default match. So, if your lookup file has "good" eventIDs, return a default match of "bad" if the lookup fails and vice versa. Many ways to skin this cat. 🙂 ... View more

You can restore the default file from a clean installation of Splunk, if the error message is caused by you making changes to any files in the default Splunk directories and you don't have a backup of the original file. ... View more

Try to add ((Field1=* AND Field1=$value1$) OR (Field2=* AND Field2=$value2$)) field=* means "only select events where field has a value. This should exclude events where either Field1 or Field2 are NULL. ... View more

I don't know if this will meet your use case, but take a look at the Splunk app for CEF. It contains a new search command called cefout and contrary to the name implication, it can send data in any format you choose to a defined routing group. You can find more details in the documentation for the app. Maybe this provides a decent approach to solve your problem. ... View more

Let's distinguish "intermediary forwarder" from heavy forwarder. You can easily use a UF to serve as an intermediary forwarder, if you don't have requirements that mandate a heavy forwarder. And that's what you should use, if no such requirements exist, because the UF has a much lower resource impact, scales better and has less overhead on the wire. As a rule of thumb, filtering events before they go over the wire is only going to provide a net benefit if a large number of events are subject to be filtered (~40-50%). Otherwise, do your filtering on the indexers and take advantage of the more efficient wire protocol the UF has. Personally I think that there are more disadvantages and pitfalls with any architecture that contains intermediary forwarding tiers than there are advantages. The biggest issue that often occurs is that intermediary forwarding tiers are not properly sized to not impact event distribution of 100s or 1000s of endpoint forwarders across indexers. You want to have at least a 2x intermediary forwarding pipelines to indexer ratio to ensure that most indexers receive data at any given time. Troubleshooting also gets more complicated and you have another tier that you need to manage configurations on. Sometimes you have to have an intermediary forwarding tier, for example if network restrictions don't permit connections from forwarders directly to indexers, or if you need to do selective forwarding to third-party systems. If you can avoid them, you are almost always better off and end up with an environment that has less event distribution issues, lower data ingest latency and is easier to manage and provides you with a better TCO overall, since you need fewer servers to support your architecture. I hope this helps! ... View more

I suspect your JSON data does not wrap attribute names and values in double quotes, which is how Splunk expects it to pass json validation. But it's just a guess. ... View more

Please accept your own answer to mark as resolved. Thx! ... View more

The strftime function won't work for any data prior to the start of epoch in 1970. To do this properly, you will have to do your math discreetly. Check the accepted answer here for an approach. You'll have to massage the RegEx a bit, because you don't have any separators between your date components. Something like this should work: rex field=Date_Of_Birth "(?<y>\d{4})(?<m>\d{2})(?<d>\d{2})" ... View more

@kekac00 Please accept @richgalloway's answer so the the question is marked as answered and proper Karma is assigned. 😉 ... View more

You can do whatever you wish in the archive directory. Once data is frozen, it is 100% outside of Splunk's management and control. ... View more

The digits at the end of the hot bucket directories are sequential numbers. Hot buckets are rolled to warm (db_*) based on index configuration parameters, or when you stop/restart splunk. So those hot bucket names change all the time as new data comes in. defaultdb is (by default) mapped to the 'main' index. If you don't ingest any data here, you won't have hot buckets. I would recommend you use the Splunk Sizing Tool to figure out what your storage requirements are. Select your daily data volume, retention settings, etc. and it will give you an estimate on per-indexer and total data storage needs for HOT/WARM and COLD volumes. ... View more

This likely requires configuring a custom datetime.xml for your sourcetype. For starters, take a look at this thread and see if it gets you on the right track. Not sure how it will behave for those events that are missing the date completely. Let us know if you get stuck. As an alternative, you could pre-process these log files on the source system and rewrite events to always contain a proper timestamp (using invalid_cause/unarchive_cmd) ... View more

That should be fine. ... View more

It is not. The vast part of Splunk enterprise core (splunkd) is developed with C/C++. Python is being used for custom search commands any anything else in the are of user customization/modular inputs, etc. ... View more

Here's a crude, non-RegeEx way to do it: | makeresults | eval domain="e.f.com" | eval parts=split(domain,"."), c=mvcount(parts) | eval last2=mvindex(parts, c-2).".".mvindex(parts, c-1) In RegEx, you can simply anchor to the end of the full domain name string, no? Like so: | makeresults | eval domain="e.f.com" | rex field=domain "(?<last2>\w+\.\w+)$" Probably needs some work to cover cases where there are non-word characters in the domain name, but the principle should apply. ... View more