Hi if this 100GB is your daily ingesting amount of data, then this is the license size which you need to buy. Or actually you should by something like 100GB * x% to get some additional space for total license size. There is no need for you to calculate those other. And actually you couldn't even choose those as Splunk is defining those based on your daily ingesting data. You should just connect to your local Splunk Partner or directly to Splunk and asking quota for this. r. Ismo ... View more

Apart from the issues already covered by @ITWhisperer and @gcusello there is also the possibility of duplication caused by useACK parameter, communication problems and retrasnsmission. Check your _internal log for "possible duplication". ... View more

I wanted to show an example to my junior in practical setup ... View more

it opens the dashboard in another tab, can we open it in the same dashboard instead? ... View more

Hi @VijaySrrie , you have to create another field extraction usig this regex ^((?<domain>\w+)\\\\)*(?<user>\w+) in user that's the same thing to run the following command: | rex field=user "^((?<domain>\w+)\\\\)*(?<user>\w+)" you can test the regex at https://regex101.com/r/j6kC26/1 Ciao. Giuseppe ... View more

May fault, just assumed TCPDUMP was for TCP only, but according to manual it can look at UDP and ICMP as well.  Bad name of the application 😉   ... View more

Hi @ITWhisperer , Thanks for the reply, I have pasted the answer that worked for me. ... View more

So if you intend to run the query once every 60 minutes and then look for an orderId with no success after 10 minutes, then the search has to be a little bit different. For example, if you look at 10 minute periods 9:00, 9:10, 9:20... and there is a start at 9:09 and a success at 9:14, you need to look at the whole event stream as a stream. Also, be aware that if you run the search at 10:00 am and there is a start at 9:59, but the success does not happen until 10:02, then you will not see the success in the search, but when you run the search at 11, you will not see the start, so you really need to run your search once every hour for 70 minutes. The search would then be something like this, using streamstats to look at all 10 minute windows   your search | streamstats time_window=10m dc(Status) as Statuses by OrderId | stats max(Statuses) as Statuses by user | where Statuses!=2   Your earliest and latest times would be earliest=-70m@m+1s latest=@m So, this looks for -69m and 59 seconds to now, just to handle the sliding window across the schedule. Then it counts the unique values of Status for each OrderId - note, this assumes you only have a Start/Success pairing. It then finds out if you have 2 Statuses. ... View more

Hi @VijaySrrie, good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

I believe the batch input will be ignored if move_policy is missing. ... View more

Hi @dkeck  What is the use of  move_policy = sinkhole   And In which scenario we go for batch ?  ... View more

Hi @VijaySrrie, an installation for 2TB of logs isn't an immediate architecture, and it isn't a good idea to design it in this way. I hint to engage a Splunk Professional Service or at least a Splunk Architect to design it. Anyway, the number of Indexers depends on many factors: Have you a cluster? how many copies of the data you want to maintain? have you Enterprise Security or ITSI? Anyway, if you haven't ES or ITSI, you should use around 10 Indexers. You could take some idea viewing the Validated Splunk Architecture (https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf). the hardware reference depends on the number of users and scheduled searches (https://docs.splunk.com/Documentation/Splunk/latest/Capacity/Referencehardware). At the same time, you should also design the number of Search Heads and the other components of the Splunk architecture. For all these reasons, I hint to engage an Architect! Ciao. Giuseppe ... View more

Hi @VijaySrrie, the features of SoS are in the Splunk Monitoring Console that you can find by default in every Splunk installation. Ciao. Giuseppe ... View more

You can use this https://regex101.com/r/juMbja/1 to understand this (and other) better. Named Capture Group cc (?<cc>\w+@[^\"]+) \w matches any word character (equivalent to [a-zA-Z0-9_]) + matches the previous token between one and unlimited times, as many times as possible, giving back as needed (greedy) @ matches the character @ with index 6410 (4016 or 1008) literally (case sensitive)Named Capture Group cc (?<cc>\w+@[^\"]+) \w matches any word character (equivalent to [a-zA-Z0-9_]) + matches the previous token between one and unlimited times, as many times as possible, giving back as needed (greedy) @ matches the character @ with index 6410 (4016 or 1008) literally (case sensitive) Match a single character not present in the list below [^\"] + matches the previous token between one and unlimited times, as many times as possible, giving back as needed (greedy) \" matches the character " with index 3410 (2216 or 428) literally (case sensitive) Match a single character not present in the list below [^\"] + matches the previous token between one and unlimited times, as many times as possible, giving back as needed (greedy) \" matches the character " with index 3410 (2216 or 428) literally (case sensitive)   ... View more

Awesome!!! Thanks a lot!!! ... View more

I have the same issue where i have to calculate the total duration between request and response. the above query works but duration is not being calculated, or displayed  when i run the query : search query |  stats earliest(dateTime) AS request latest(dateTime) AS response BY TransactionID | eval duration=response- request    result for above query : TransactionID                                                                          Request                                              Response 000877d43ef8778123243454bda780c5e5     2022-05-05 01:36:12.916      2022-05-05 01:36:13.27 Please help ... View more

@bharathnetskope- If you have access to the Tenable Support Portal, there should be a spec. That describes if that is supported. It was not in the version of SC I was using. ... View more

Hi @VijaySrrie, No sorry I didn't used it, here you can find some docs https://www.splunk.com/en_us/form/stay-afloat-using-aws-security-hub.html https://www.youtube.com/watch?v=7pd2PLMVqrA https://github.com/splunk/splunk-for-securityHub https://pages.awscloud.com/rs/112-TZM-766/images/Global_PTNR_AWS_Splunk_Ebook_09252019.pdf Ciao. Giuseppe ... View more

When the dashboards were on-prem how did you make sure they were working fine?  You should be able to use the same method in cloud. You can check for Splunk errors by search ... View more