Query1 is more useful for your licensing needs since it shows you the amount of data being ingested Query2 is more useful for disk space forecast since this calculates the disk utilized after replication and field extractions are done.  ... View more

Do you mean HEC vs File monitoring? HEC can live on your Heavy Forwarder.    With the assumption that you are looking for file monitoring vs HEC, you are looking at pull vs push processes, file monitor keeps monitoring a directory and pulls data when new files or updates to existing files are made. On the other hand, HEC listens on a port and you push data to it. Using one vs the other entirely depends on your use case.  Unfortunately, without more context on what your end goal is, this is all the info I can provide.   ... View more

not sure why it isn't working since I don't have the raw data, you could try this alternative   | eval error=if(tonumber(line.status)>399, 1, 0) | stats count as total_requests, sum(error) as errors by line.url | sort -"errors"    If this isn't working, check if error is being set properly in the eval. ... View more

Can you post a sample of your raw data line and what you need extracted? for your question, it isn't clear, if you want one variable to extract the entire phrase or if you want to extract fields from the pasted line. ... View more

Try adding attribute count=0 to you rest query   https://<host>:<mPort>/services/search/jobs?sid=<sid>&count=0     ... View more

Try this   | stats count as total_requests, count(eval(tonumber(line.status)>399)) as errors by line.url     ... View more

The source is HEC. The forwarders are on a load balanced url for HEC inputs. I'm trying to override the host from the LB url to the forwarder that receives it. ... View more

Actually, This resides on a heavy forwarder. ... View more

If your retention policy is 90 days, then data older than 90 days is archived/deleted based on how the environment is setup. Check with your splunk admin on if the data is archived, if yes, she/he should be able to thaw the data for you. But if your data has been deleted, then the only way to do it would be to re-index the data. Another option is if you are looking for only aggregated data, you can summarize them to a summary index or KV stores depending the volume of the data. This however is only effective from the day you implement this and cannot go back to any data that has already been deleted. All these options need to be discussed with your Splunk Admin ... View more

You can edit the savedsearches.conf or use the REST API to programmatically disable the alerts - http://docs.splunk.com/Documentation/Splunk/8.0.2/RESTREF/RESTsearch#saved.2Fsearches ... View more

Custom JS and custom SPL commands are the way to go on this, there is no direct way. You can however upload a csv through the lookups menu if you are ok with not doing it through the dashboard. ... View more

I also added dest_ip to the group by 🙂 ... View more

Edited my answer to accommodate this condition (lines 13 onward) i'm calculating over_time which is the duration over 60 and adding it to the next hours time. I haven't tested the query, just going with the algorithm in my head and converting it to code. Some fixes may be needed. 🙂 Cheers ... View more

Hi @gcusello Give this a shot, slight tweaking might be needed base_ search for events, time converted to epoch. this query is duration per user. if you need per user per dest_ip, please add dest_ip to all the group_by and sort What i'm doing here is basically removing overlapping timelines and grouping them into one continuous session base_search | fields user, dest_ip, start_time, end_time | sort user, dest_ip, -start_time | streamstats max(start_time) as next_start by user, dest_ip window=1 reset_on_change=true current=false | sort user, dest_ip, start_time | eval next_start=coalesce(next_start, start_time), row_group=1 | where end_time>next_start | streamstats sum(row_group) as row_group by user, dest_ip reset_on_change=true | eval row_group=(floor(coalesce(row_group,0)/2)) | stats min(start_time) as start_time, max(end_time) as end_time by user, dest_ip, row_group | eval duration=end_time-start_time | rename start_time as _time | bucket span=1h | stats sum(duration) as duration by user, dest_ip, _time | eval over_time=if(duration>60, duration-60, 0) | streamstats max(over_time) as add_time by user, dest_ip window=1 reset_on_change=true current=false | fillnull value=0 add_time | eval duration=duration + add_time - over_time Hope this helps Cheers ... View more

does the dest_ip matter? is it per user per dest_ip or just per user ? ... View more

Can you post your expected output? I also don't see the field duration in your data, nor do i see it being calculated here. ... View more

can you run btool to check if the new index is visible ? ... View more

"I need to integrate with Splunk" is an extremely broad statement. Please use this forum to ask specific questions or provide the specific use case you are stuck with. ... View more

Your code is unnecessarily complex import requests from requests.auth import HTTPBasicAuth import json username = 'username' password = 'password' hecBaseUrl = 'https://myServer:8088' response = json.loads(requests.get('{}/services/collector/health'.format(hecBaseUrl), auth=HTTPBasicAuth(username, password), verify=False).text) print(json.dumps(response, indent=4)) ... View more

have you tried using the cli ? $SPLUNK_HOME/bin/splunk reload index Full cli reference here - https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/CLIadmincommands ... View more