Ahhh. So you do have the data itself you just want to know how much of it falls into a specific timerange? You can use the dbinspect command to list buckets. From them you can chose some subset by date and sum their size. But it will not tell you how much space your datamodels summaries used to occupy. ... View more

Hi @splkjk, you could use the stats command, something like this: (supponing that you already extracted the fields I'm using, otherwise you have to extract them) index=your_index | stats dc(Vendor) AS dc_vendor values(Vendor) AS Vendor BY User_ID | rename User_ID As "User ID" if possible don't use field names with spaces, you can rename fields at the end of the search. Ciao. Giuseppe ... View more

A similar problem (extracting fields from source) is solved here: https://community.splunk.com/t5/Splunk-Search/extract-a-field-from-event-source-filename/m-p/36029 Depending upon the order of the words and what part is static, the regex will change accordingly. e.g. if "intranet" is always the 3rd segment and "output" is 6th, following regex could work: ^\/usr\/local\/(?<fieldName1>[^\/]+)\/([^\/]+\/){2}(?<fieldName2>[^\/]+) in source   ... View more

Hi @noobsplunker_, have you seen the installation procedure on AIX at https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/Installanixuniversalforwarder#Install_the_universal_forwarder_on_AIX ? Ciao. Giuseppe ... View more

Hi @AIOPs_Lite, did yu followed the installation procedure  at https://docs.splunk.com/Documentation/Splunk/8.2.6/Installation/InstallonWindows ? If yes, what's the error message or the not correct situation ? Ciao. Giuseppe ... View more

Hi @asdinesh, to use earliest or latest is a your decision that doens't move the approach. If you haven't any result check the conditions, you can debug all searches deleting, one by one, rows from the end and understanding which is the one that block results. Ciao. Giuseppe   ... View more

source="test.csv" sourcetype="csv" | stats values("MFA Factor") as MFA, values("Last Enrolled_ISO8601") as "Last Enrolled", values( "Last Used_ISO8601") as "Last Used" by User, Login | regex MFA!="Okta|FIDO|Google|Voice" ... View more

Is anybody can help please? ... View more

Thanks for both response!   Meanwhile i was working different method like below, I got percentage results, wanted to confirm if this is correct way of doing it? or anything wrong in it. ( (index=compliance sourcetype=site1-ip ) OR (index=automation sourcetype=site2-asset)) | eval ip=case(sourcetype="site1-ip", 'src.ip', sourcetype="site2-asset", ip ) | eval te=if(sourcetype="site2-asset","yes","no") | eval ta=if(sourcetype="site1-ip","yes","no") | stats max(eval(if(te="yes",1,0))) AS SCANNED max(eval(if(ta="yes",1,0))) AS CTA values(fqdn) as fqdn_ta values(resourceOwner) as ip.owner by ip | search (CTA=1) | stats count(eval( SCANNED > 0)) AS tes, count(ip) as total | eval percent = round((tes/(total))*100,2) Thanks again! ... View more

Hi @nalagito, if the values of mn are always: my_mn1, my_mn2. in this case you can make operations using my_mn1 and my_mn2 as column name. Ciao. Giuseppe ... View more

Hi @rvk_sp_user, No, when an event with the sourcetype you defined in props.conf (mysourcetype) arrives to the Indexer or (if present) to the Heavy Forwarder, it's checked if the event contains the regex that you defined in transforms.conf: if the regex matches, the value for index that you fixed in inputs.conf is overwritten with the new value that you defined in transforms.conf (your_new_index), if it doesn't matches, original index value remains. This means that in inputs.conf you have to put the default value for index and in transforms.conf you have to put the new index value associated to a regex. If you have to assign more index values, you have to create more stanzas in props.conf and transforms.conf with different regexes. Ciao. Giuseppe ... View more

Hi @JoeHubner, you should see the addinfo command (https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/SearchReference/Addinfo). It gives you the informations you need. Ciao. Giuseppe ... View more

If your daily ingest amount with syslog is only 4GB then you can use almost anything as it's hw. That 6(v)CPU + 1GB should work excellent with it. And with 4GB/day I suppose that 1vCPU + 1GB memory works also.  As @PickleRick said, the amount of CPUs and mem is totally dependent what you are doing with syslog and how many and which kind of inputs you have for it. But I propose that start with small virtual machine and increase it's size if/when needed.  r. Ismo ... View more

Hi @Esky73, the action you are describing is called normalization and it's usually done to normalize logs to CIM compliance. At first I hint to see if there's an Add-on that already made normalization for your logs, if there isn't I hint to use calculated fields, e.g. something like this: | eval action=case(action="Block","blocked",action="block","blocked",action="not sent","blocked",action="tagged","delivered", action="delivered","delivered", action="logged","delivered") About the multivalue, see if it's possible to extract fields in a different way or use "like" in the above condition. Ciao. Giuseppe ... View more