Once copied to etc/apps/, make sure the copied folders and files are owned by the splunk user, e.g., sudo chown -R splunk:splunk $SPLUNK_HOME/etc/apps You may need to restart Splunk ... View more

I am told by our Splunk PS support that 7.3.1 is stable (and we need it for DFS). ... View more

As I understand your question, you want to get the counts of events in indexes, then be able to compare them to a threshold from a lookup file. I created a sample lookup file "index_test.csv" with index_name and threshold. The serach below adds the threshold value to the event data for each index count: | tstats count where index=* by index | lookup index_test.csv index_name AS index outputnew threshold | eval busted_limit=if(count>threshold,"BUSTED","OK") | table index,busted_limit,count,threshold You can use whatever search you want in line 1 to get a count by index. Line 2 maps (looks up) the lookup file field name (index_name) based on the search name (index) and adds (outputnew) the field threashold to the results Line 3 compares the count to the threshold and sets a flag Line 4 just displays the results Hope this helps ... View more

thanks I am going to check the difference between outputlookup or outputcsv ... View more

tsheets13 - thank you, that answers my question. I had not stumbled on that section yet! Post-migration bucket behavior After migration, all buckets created before migration continue to adhere to their single-site replication and search factor policies, by default. You can alter this behavior so that pre-migration buckets adhere instead to the multisite policies, by changing the constrain_singlesite_buckets setting on the master's server.conf to "false". ... View more

It depends by what you mean by monitor and what your resources are. If you are using a Universal Forwarder on the system to monitor the folder I would just configure the UF to input the files as is (zipped). You do not say if your Splunk Enterprise deployment is a single node (Search+Index on a box) or distributed with seperate search, index, forward nodes. I would first try just monitoring the zip as is and make sure you are not overloading the node doing the input. That would be the simplest/cleanest approach and simplify your operations. ... View more

sweet. submitted a bug report via support portal ... View more

I implemented basically what you suggested - a subsearch for the criteria which works well. I took it a step further and added two map searches to then use the results of the first search for the next two stages of the processing pipeline. I did have to increase my subsearch timeouts since our data sets are quite large. ... View more

KB = bytes/1024 MB = bytes/(1024*1024) = bytes/1,048,576 GB = bytes/(1024*1024*1024) = bytes/1,073,741,824 There is a ~7% difference in volume using the binary values versus the straight decimal value (decimal rate will appear "higher") ... View more

Add index at the end of line 1 and you will have a more complete picture if that is what you are looking for. ... View more

I have worked on this also. It almost appears like: jms_system_properties = javax.net.ssl.keyStore=/opt/splunk/keystore.jks,javax.net.ssl.keyStorePassword=changeit,javax.net.ssl.trustStore=/etc/pki/tls/certs/allTrustedPartners.jks,javax.net.ssl.trustStorePassword=Changeit1 is NOT being processed by the JMS App. File permissions and ownership have been verified as accessible for the Splunk application. Other attributes do appear to be processed, just not this one. We made a Java stand alone app with the same settings and that does work. ... View more

Hello guys, it looks like frozen data is around -50% compared to hot/cold, is this correct? Thanks. ... View more