| timechart count, sum(qty) by product usenull=f useother=f This would show you the count of events, and sum of the qty field (assuming that field is extracted) by product over time. ... View more

good catch! ... View more

As far as I can tell, when using IN the CIDR address is seen as a single value and not as a CIDR value to expand. You would need to do it the old fashioned way: All_Traffic.src_ip=10.16.72.20 OR All_Traffic.src_ip=10.128.124.0/22 If you have several individual IPs, you could do those via IN: WHERE All_Traffic.src_ip IN (10.16.72.20, 10.16.73.20 ) OR All_Traffic.src_ip=10.128.124.0/22 OR All_Traffic.src_ip=10.34.124.0/22 ... View more

Glad it it worked for you! ... View more

Because these are bulletin style messages, found in a single notification location (kvstore). Per-user preferences aren't stored, possibly due to the overhead....would be up to splunk to explain the philosophy of that. You users might not have seen the messages if they weren't scoped for the correct audience, details can be found here: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Customizeuserexperience If you don't want your users to be able to delete the notifications, you can take the delete_messages capability away: https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Rolesandcapabilities However, as stated, the way that system is built it does not record per-user preferences regarding the messages displayed. ... View more

Sort of... You would monitor the location the files are produced: https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Monitorfilesanddirectorieswithinputs.conf You would create a search looking for new events from the input you just created. Assuming your inputs, timestamps, and timezones are set correctly, any new events would indicate a new file. In which case, you would schedule a search every X minutes, configure the email to generate a single email, and attach the search results. ... View more

I dont know of any way for Splunk to attach a non-search produced file to an email using the standard "Send Email" alert action. This can be accomplished by creating an alert action, which could send an email and attach a document: https://docs.splunk.com/Documentation/Splunk/7.3.1/Alert/Configuringscriptedalerts ... View more

The speed of I/O is the primary concern, encrypting will add delay and reduce IOPs. As long as IOPs are still in the acceptable range for your splunk instance, you should be fine. ... View more

You would map your AD groups to user roles (role=AD groups) . Then in the App permissions, you would remove read access from "everyone" and assign it to only those roles (roles=AD groups) you want to have access to those app. When you configure the role, you can set the default app for those users, indexes they can search, and capabilities. https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Aboutusersandroles ... View more

Did it work? ... View more

Try this.... .... | streamstats current=f last(iops) as p_iops by volume_id | eval diff=iops-p_iops | where diff>0 | table _time, iops, p_iops, diff ... View more

Ok, so on indexer B, did you configure the index? The index settings will need to be configured on the indexerB. You will need to configure it to point to the locations you just copied over. If you are still having issue, check your internal logs...look for any issues splunk might be having accessing or reading the new index data. ... View more

How about the following: (index=1 OR index=2) | eval cve=if(isnotnull(cve), cve, CVE_ID) | mvexpand cve | stats values(title), values(signature) by cve ... View more

I have a field called volume_id =vol-0h8383hjk and has iops=3990 at 9AM and and the same volume_id has value 1000 at at 11:30 If you aren't looking to sort the results by time, then you could do something like: | streamstats current=f last(iops) as p_iops by volume_id | eval diff=iops-p_iops | where diff>0 | table _time, iops, p_iops, diff Which will just generate show results when it changes. ... View more

Ok, so I would rsync the index from indexerA to indexerB Shutdown A, disable restcall index (move the data or whatever cleanup you want to do). Make sure the permission and ownership of the data on B is correct. Start A and B. Add B as a peer to your search heads (A should remain a peer) ... View more

Soemthing like.... | timechart span=1d avg(iops) as iops | delta iops as diff ... View more

Check out the following on using extreme search to baseline activity and identify anomalies: http://www.georgestarcher.com/splunk-getting-extreme-part-one/ ... View more

If you're not using clustering, rsync is perfect. We ran incremental rsync's while the indexers were in production. Shutdown, final rsync, put new indexers into production. As long as you arent copying buckets from multiple indexers onto a single index (where you would need to adjust the bucket IDs to prevent duplicates), you should be fine. ... View more

Make sure the splunk user, or whatever account is running splunk, has access to read /var/log/messages. Also, just a note, the /var/log/messages file sourcetype is normally linux_messages_syslog: https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Listofpretrainedsourcetypes ... View more

Splunk takes the raw data an indexes it, you can then run searches against the data. You can access the data by running searches in Splunk, which can be done via the REST API: https://dev.splunk.com/restapi The following is a list of the aggregate functions that can be used: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Stats Via rest, you could run a basic search like "index=*" , which would return the raw events. You use the stats functions against fields in the data, "index=* | stats sum(kb) as "kb sent" by host" What aggregates you can calculate will depend on the data you have, and what fields are available. Splunk has several add-on available for parsing and reporting on data from common tools, systems, etc.. ... View more