we are facing the disk space in HQ site with almost all the indexers with 95% disk space is fully utilized. Total disk space=10TB Indexes = 7.5 TB summary Index=1.5 500GB reserve for Splunk Operations. now management approves extra 3TB for each Indexer. my question is that: can we add 3TB as another partition/volume and move(entirely) less expensive indexes to new volume ? I need the detailed steps ... View more

I have multiple Input text boxes with comma separated input text values. below is my requirement. Box1 have domain names e.g. (www.abc.com, www.xyz.com) Box2 have multiple MD5 hashes ( 'sdfsdfsdfsdf6546545645646','6564654654564654654564sd') Now I want that If i put comma seperated input to Box1 test box, it should open a search panel and show me the results. and If copy MD5 comma seperated hashes to Box2 text box, then the panel1 should show me the results from Box2. and IF THERE IS NO INPUT AT ALL IN BOTH INPUTS BOXES THEN THE SEARCH PANEL ALSO SHOULD DISAPPEAR AND NO SEARCH SHOULD RUN IN BACKGROUND <form> <label>Threat_Intelligance</label> <description>Include a multiselect input.</description> <!-- Independent search to set the required filter from comma separated value in text box --> <!-- For example: www.abc.com,www.xyz.com,www.aaa.com converts to src_ip IN ("www.abc.com","www.xyz.com","www.aaa.com") --> <search> <query>| makeresults | fields - _time | eval iocFilter=$ioc1|s$ | eval md5Filter=$md5|s$ | eval iocFilter="url IN (\"".replace(iocFilter,",","\",\"")."\")" | eval md5Filter="process_md5 IN (\"".replace(md5Filter,",","\",\"")."\")" </query> <done> <set token="tokIOCFilter">$result.iocFilter$</set> <set token="tokmd5Filter">$result.md5Filter$</set> </done> </search> <fieldset autoRun="true" submitButton="true"> <input type="text" token="ioc1" searchWhenChanged="true"> <label>URL</label> <change> <condition> <set token="tokIOCFilter">$result.iocFilter$</set> </condition> </change> </input> <input type="text" token="md5"> <label>md5</label> <change> <condition> <set token="tokmd5Filter">$result.md5Filter$</set> </condition> </change> </input> <input type="time" token="field1"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <event> <search> <query>index=proxy OR index=edr ($tokIOCFilter$ OR $tokmd5Filter$)</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="refresh.display">progressbar</option> </event> </panel> </row> </form> ... View more

Under index=f5security sourcetype="f5:bigip:ltm:snmp:monitor:status", I can see that event pool status line is extracted as one one. but the last results are co mbined as shown in attached snapshot. how to convert them into multiline ... View more

I have many events against session_id. but I am interested to only list down three type of events 1- AD authentication successful 2- RADUS authentication successful 3- SMS generated Please advise ... View more

users with ess_analyst role cannot create new lookup file through lookup_editor. whereas i as admin can create lookup file through lookup_editor. how rights should I assign that users can create lookup file ... View more

users with ess_analyst role cannot create new lookup file through lookup_editor. whereas i as admin can create lookup file through lookup_editor. how rights should I assign that users can create lookup file ... View more

I have multi input text selection scenerio. the text input is comma seperated input(thanks to @niketnilay). 1- initially I dont want to load any search query OR text value output OR you can say that once I paste input and click on submit button then search stats. 2- once I put comma seperated input to any box ( URL OR MD5 OR SHA) then the search panal appear and show me the results and other one should disapear. ---------ONE INPUT AT ONE TIME------------------ Further to that each requested value is in different index. e.g. URL in index=proxy , MD5 in index=antivirus and so on. I have done some work. but both search windows apprear. one window with default time shows all results and other with input also search and shows the results. below is my updated code. <form> <label>test dashboard_tokens</label> <description>Include a multiselect input.</description> <!-- Independent search to set the required filter from comma separated value in text box --> <!-- For example: www.abc.com,www.xyz.com,www.aaa.com converts to src_ip IN ("www.abc.com","www.xyz.com","www.aaa.com") --> <search> <query>| makeresults | fields - _time | eval iocFilter=$ioc1|s$ | eval md5Filter=$md5|s$ | eval iocFilter="url IN (\"".replace(iocFilter,",","\",\"")."\")" | eval md5Filter="process_md5 IN (\"".replace(md5Filter,",","\",\"")."\")" </query> <done> <set token="tokIOCFilter">$result.iocFilter$</set> <set token="tokmd5Filter">$result.md5Filter$</set> </done> </search> <fieldset autoRun="true" submitButton="true"> <input type="text" token="ioc1" searchWhenChanged="true"> <label>URL</label> <change> <condition></condition> </change> </input> <input type="text" token="md5" searchWhenChanged="true"> <label>md5</label> </input> <input type="time" token="field1"> <label></label> <default> <earliest>-1s@s</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel depends="$ioc1$"> <title>tokIOCFilter: $tokIOCFilter$</title> <event> <search> <query>index=proxy $tokIOCFilter$</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="refresh.display">progressbar</option> <option name="maxLines">5</option> </event> </panel> <panel depends="$md5$"> <title>tokmd5Filter: $tokmd5Filter$</title> <event> <search> <query> index=edr $tokmd5Filter$ </query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="refresh.display">progressbar</option> </event> </panel> </row> </form> ... View more

| inputlookup dmc_forwarder_assets | search hostname="abc-t1" above lookup showing me duplicate hostname. we upgrade the universal forwarders from 7.1.2 to 7.3.1. now it is showing two entries. one with old connector version and 2nd with newer version. from newer version it is showing that system is receiving events from this source. interestingly both records have different guid. attaching snapshot for you better understanding. my question is that how can 1 - update the dmc_forwarder_assets manually but exludeing null values 2- OR there is some way from workstation side to fix this issue. ... View more