×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
romainbouajila
Path Finder
Member since: ‎10-09-2019
‎04-30-2024
Community Statistics
Posts 19
Solutions 0
Karma Given 8
Karma Received 0
Member Since ‎10-09-2019
Activity Feed
View All

Re: ZSTD Journal compression working for hot/warm ...

by SplunkTrust in All Apps and Add-ons
‎04-30-2024 03:20 AM
‎04-30-2024 03:20 AM
Hi @romainbouajila, JournalCompression setting is related to only new created warm buckets. Freezing process just copies warm buckets rawdata from warm folder to frozen folder when their freezing rules valid (size or age).   In your case it seems your zstd setting applied after 28 Feb. That is why previous created buckets  are gzipped. You should see zstd files in your frozen buckets after some time.   ... View more

Re: How to tag all events from clients to defined ...

by SplunkTrust in Security
‎10-21-2020 01:52 AM
1 Karma
‎10-21-2020 01:52 AM
1 Karma
Hi @romainbouajila, the advantage to use eventtypes is that every updates has to be done in only one point, so if your hostnames chage you has to update only one eventtype. Anyway, are you sure that your eventtyper change frequently? it's a strange thing! If instead the problem is that you haven't a rule (e.g. italian servers tart with IT), you can list all the hosts of a group. e.g. eventtype italian_HT will be: (host=server1 OR host=server3 OR host=server4) as I said, if your list will change, you have to update only one eventtype. Otherwise, you could use a lookup correlating each host to a tag, but in this way you have to manage the lookup, in my opinion the choice dependa on the user that has to manage the list: for a Splunk admin it's easier to manage an eventtype, for a Splunk user it's easier to manage a lookup using Lookup Editor. Ciao. Giuseppe ... View more

Re: Best way to segregate hosts

by SplunkTrust in Security
‎10-20-2020 11:24 PM
1 Karma
‎10-20-2020 11:24 PM
1 Karma
Hi @romainbouajila, good for You. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Re: Line breaking behavior questions

by in Splunk Search
‎01-22-2020 01:57 AM
‎01-22-2020 01:57 AM
try: SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+)\d\d:\d\d:\d\d, NO_BINARY_CHECK=true TIME_FORMAT=%H:%M:%S,%3N TIME_PREFIX=^ MAX_TIMESTAMP_LOOKAHEAD=15 ... View more

Re: Why is line breaking not working as expected ?

by in Splunk Search
‎01-20-2020 05:07 AM
‎01-20-2020 05:07 AM
I also tried this props.conf as suggested by @whrg : [log] pulldown_type = true DATETIME_CONFIG = NO_BINARY_CHECK = true TIME_PREFIX = ^ TIME_FORMAT = %H:%M:%S,%3N MAX_TIMESTAMP_LOOKAHEAD = 12 SHOULD_LINEMERGE = false (& true) BREAK_ONLY_BEFORE_DATE = true but I had the same result as before. How long after restarting Splunk service should I check my logs ? ... View more

Re: How to compare fields from csv and search, the...

by in Splunk Search
‎10-25-2019 03:49 PM
‎10-25-2019 03:49 PM
Come back and try it now. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-30-2024 06:15 AM
Karma given to
View All