Ended up with the same challenge as listed here and none of the suggested replies on this article helped in any way. Here is my solution:

<my search>
| rex field=New_Time mode=sed "s/[^ -~]//g"
| rex field=Previous_Time mode=sed "s/[^ -~]//g"
| eval time_drift = (strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9QZ") - strptime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%9QZ"))
| table _time New_Time time_drift

Problem: the field with the Windows timestamps includes a non-printable character. I think it's an x80, but it doesn't really matter. I use rex mode=sed to remove anything that is not in the printable range: [^ -~] matches all non-printable characters, and mode=sed will just remove them from the string. After this replacement, the strptime() function works correctly.
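The clean-then-parse step from the post above, as an added Python example that is not part of the post or of Splunk: it mirrors the sed class [^ -~] and the "%Y-%m-%dT%H:%M:%S.%9QZ" format with a small regex parser, and runs it on a constructed timestamp pair where one value carries a stray x80 character, so the failure and the fix can be checked side by side. The sample values and function names are assumptions for the demo.

```python
import re
from datetime import datetime, timezone

# Same class as the SPL `rex mode=sed "s/[^ -~]//g"`: anything outside the
# printable ASCII range (space through tilde) is dropped. Note this also strips
# legitimate non-ASCII text, which is fine for a timestamp field only.
NON_PRINTABLE = re.compile(r"[^ -~]")

# Equivalent of the SPL format "%Y-%m-%dT%H:%M:%S.%9QZ": date-time with
# nine fractional-second digits and a literal Z.
TS_PATTERN = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})\.(\d{9})Z$"
)


def strip_non_printable(value: str) -> str:
    """Remove every character outside ' '..'~'."""
    return NON_PRINTABLE.sub("", value)


def parse_ts(value: str):
    """Epoch seconds as a float (nanoseconds kept), or None when the value
    does not match the format, like strptime() yielding null in SPL."""
    m = TS_PATTERN.match(value)
    if not m:
        return None
    y, mo, d, h, mi, s, ns = (int(g) for g in m.groups())
    base = datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp()
    return base + ns / 1_000_000_000


def time_drift(new_time: str, previous_time: str):
    """The post's eval: strptime(New_Time) - strptime(Previous_Time), with
    both fields cleaned first; None if either still fails to parse."""
    new = parse_ts(strip_non_printable(new_time))
    prev = parse_ts(strip_non_printable(previous_time))
    if new is None or prev is None:
        return None
    return new - prev


# Constructed sample: a trailing \x80 inside the field, as the post describes.
DIRTY_NEW = "2020-06-08T16:44:10.500000000Z\x80"
DIRTY_PREV = "2020-06-08T16:44:08.250000000Z"
```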
Taking a chance on replying to this old thread.... there are probably a lot of you out there with the same issue. I am running the free license for learning and lab purposes at home, feeding it whatever could be interesting. After getting hit by free license violations numerous times, because some system decided to send a lot of data to Splunk after a reconfiguration or a change in traffic pattern, I have learned how to rebuild it. Email forwarding and alerts are not available with the free license; we have to connect every day and check messages for any license violations. Since this was not too practical, I decided to write a script using the CLI and sendmail. This is now added to crontab, running each day shortly after midnight. It will send me an email with the last 4 days of license usage like below:

time usage
2020-06-08 16.44

Here is my script:

#!/bin/bash
# Email last days of Splunk license usage - file: license-check.sh

# Email settings
# From is optional - will use hostname if not specified
TO="you@example.com"          # placeholder: the recipient address is not shown in the post
FROM="splunk@$(hostname)"     # placeholder default, per the comment above
BODY_FILE=$(mktemp)           # assumed: the post does not show where BODY_FILE is set

# run splunk search
/opt/splunk/bin/splunk search 'index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-3d@d | eval usage=round(100*b/poolsz,2) | eval time=strftime(_time, "%F") | table time usage ' > "$BODY_FILE"

# send the report with sendmail (headers from the heredoc, then the body file;
# the blank line after the headers separates them from the body)
(cat - "$BODY_FILE") <<HEADERS_END | /usr/sbin/sendmail -i "$TO"
Subject: Splunk License usage
To: $TO
From: $FROM

HEADERS_END

rm -f "$BODY_FILE"

Add the file to crontab:

10 0 * * * /root/license-check.sh

Modify your postfix install to use a relay host /etc/postfix/main.cf ... and that's all. Although it's not best practice to run under root, it works....
If I'd guess on this, it seems like a better practice to deliver a datamodel but with acceleration disabled, because everybody's needs are different. Acceleration can place additional load on a system, and not everybody needs it, so it's better to ship it disabled, and have people enable it if needed. 😉