the 2nd one is ess_analyst ... View more

Sorry! I did not get time to check on this. Today i checked it and it worked fine.   Thank You! ... View more

Hi @rupeshn, with Universal Forwarder, you can set the time limit of your ingestion with the parameter ignoreOlderThan = 10d in inputs.conf of your Universal forwarders, as you can see at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf . Ciao. Giuseppe ... View more

What software/hardware are you using as a reverse proxy? And how is that set up? Any info on what is inside the following two files could also be helpful. $SPLUNK_HOME/var/log/splunk/web_access.log $SPLUNK_HOME/var/log/splunk/web_service.log Also the logfiles for the reverse proxy could be helpful. ... View more

Thanks @nickhillscpl ... View more

Hi @jarizeloyola, Yes we do have GUI monitoring console. We don't have any access to GUI of license master. In GUI monitoring console, when we see disk usage - it shows 409 GB around and when we see size of indexes for today 390GB. and there's no change in config files ans still we can see that disk usage is increasing day by day 1 to 2 GB while size of indexes remains same almost. Could you help here and let me know what would be issue? ... View more

We don't have privilege to forward the logs of license master to indexer(Test Environment) due to other country Rules and Regulations. Is there any other way to get total amount of data indexed per day? ... View more

Thank You gcusello ... View more

Literally, like this: index="prd" "PassiveReceiver" PID_3="*" | stats dc(PID_3) But better: index="prd" "PassiveReceiver" PID_3="*" | stats count BY PID_3 ... View more

Hi, You could write the regex to match the field values to capture the commands in your newly extracted field. See below, | makeresults | eval commands="vi,cd,hello,world" | makemv delim="," commands | mvexpand commands | rex field=commands "(?<abc>.*)" | eval contains_command=if(match(abc,"vi|cd"),"Yes","No") Here I have extracted field abc from field commands and then I used eval and simple regex using match function to identify the commands in field abc If it's there then I will see result as yes and no respectively. ... View more

If you think the results are incorrect, you can break the search down and review the data: index="A" sourcetype=B action=Yes OR action=No | stats dc(action) as action_count, values(action) as action, by User Will show all the results, you can sort by action_count, action, etc.. Look for anomalous values for action. ... View more

How to disable DS? -- uninstall the Splunk Enterprise from the host that is serving as the DS -- if the Splunk Enterprise is working not only as a DS but other Splunky purpose and so you don't want to uninstall the Splunk in it, then delete all serverclasses, deployment-apps, and go to each client and delete the deploymentclient.conf If I disbale DS. Will the Apps pushed through DS earlier will be deleted from deployment clients? -- nope. apps in the clients will just stay as though they're installed there manually If Yes, How to avoid deletion of Apps deployed through DS from deployment clients? -- ... ... View more

Thank You! ... View more

Tje very first thing that I would do in your situation is move the DS, if that is changing. The problem with that is that most people who do not know better use the CLI and set deploy-server to setup Deployment Clients instead of dropping a DeploymentClient app in $SPLUNK_HOME/etc/apps/ . Make sure that when you update your DCs that you fix this mistake and use an app. ... View more