We are in the process of updating the certificates and we go manually to check each one via the browser whether the certificate truly expires next year, is this information in _internal, by any chance? ... View more

What is the best app to detect unused data? any suggestions? ... View more

I have this regex - ^(?:[^ \\n]* ){7}(?P<src_host>[^ ]+)[^:\\n]*:\\s+(?P<event_id>[a-f0-9]+:\\d+)(?:[^/\\n]*/){2}(?P<dest_zone>[^\\.]+) I put it in the field extraction with the right sourcetype as inline field extraction, and it still won't show the extracted fields when searched.  _internal shows that its status is - "applied" Any idea why? ... View more

As we prepare to transition our Splunk deployment to the cloud, we are aiming to estimate the Splunk Virtual Compute (SVCs) that may be incurred during typical usage. Specifically, we are interested in understanding how to best calculate on-prem SVC usage using data available from the _audit index, or any other recommended sources. Our primary focus is on dashboard refreshes, as they represent a significant portion of our ongoing search activity. We’re looking for guidance on any methodologies, SPL queries, or best practices that can help us approximate SVC consumption in our current environment to better forecast usage and cost implications post-migration. ... View more

Are these fields mutually exclusive? I'm not sure about the relation between these four fields. ... View more

We would like to produce statistics about the usage of Splunk and we would like to categorize the searches by ranges, whether they cover the last day, past week or past month, and I wonder which fields in _audit provide the beginning and end interval of the search.   ... View more

We have case of a customer that developed a dashboard within Splunk that has 10 panels (visualizations), and he uses the dashboard from outside Splunk with a Java program that does web scraping, and then he produces the appropriate real-time reports in the code. Now, due to authentication issues, we would like to convert this to be done via the REST API. Do we have any other options? Like embed or anything else. ... View more

We're using the Tenable Add-on for Splunk (TA-tenable) to ingest data from Tenable.io. the app's props.conf, has the following - [tenable:io:vuln] DATETIME_CONFIG = NONE When we run the following SPL: index=tenable sourcetype="tenable:io:vuln" | eval lag = _indextime - _time We are seeing non-zero lag values, even though I expect the lag to be zero if _time truly equals _indextime. If anything, I would expect DATETIME_CONFIG = CURRENT, what am I missing? ... View more

We are receiving the following Meraki sourcetypes, and we wonder if there is any app that presents this set of sourcetypes nicely - meraki:securityappliances meraki:devicesavailabilitieschangehistory meraki:assurancealerts meraki:licensessubscriptionentitlements meraki:apirequestshistory meraki:appliancesdwanstatuses meraki:licensesoverview ... View more

We are creating a small cluster with minimal ingestions of around 2 GB a day on-prem. I wonder what would be the best way to approach the license, is the license per usage vs ingestion available for an on-prem environment? for something so small, does it make sense to switch and have it on the cloud? ... View more

We have a universal forwarder and the customer has a csv file on this machine that he would like to ingest. The customer would like to ingest it as a lookup so I wonder whether we should ingest the csv via the UF or potentially, send it via the REST api to be uploaded as a lookup. Does the latter option make sense? ... View more

We would like to dynamically populate the severity field, is it possible?   ... View more

Is there a way to avoid sending an empty report? I'm thinking about converting the report to an alert but the customer would like to keep it as a report.  ... View more