Thank you woodcock, I will try that Macro in a lab! Thanks! ... View more

hello woodcock, we are using this two syntax: example: | datamodel Malware Malware search | search | from datamodel: "Malware.Malware" ... View more

hello alemarzu, That is the key. Thank you very much !! and thanks all the people that helps!! Regards, Leonardo ... View more

Hello Frank, yes , a datamodel search. The combination of splunk version 6.6.7 and CIM 4.6 permit this kind of search. Nevertheless I think that this change is for the splunk version not for the CIM addon version. thanks for your response! ... View more

Thanks p_gurav I see the documentation but this procedure i need to do for all the CIM tables right?, In spite of I have thought this option, is not apply in particular to my case because I need to resolve this issue without re-configuring all the alerts/reports, because taking in consideration that I need to add the splunk_server to all the CIM tables, we need to change splunk_server in the syntax of all reports/alerts with for example "all_traffic.splunk_server" ... View more

Hello p_grav yes, I have checked all fields but when we make the search on CIM syntax, only shows the CIM table fields and source, host, sourcetype (nothing more). thanks! ... View more

Hello Dkeck, thanks for your response! No, that messages are related to other things, error on lookups, something like that. ... View more

Hello teunlaan, 1) Its set to 0, so the maxkbps is unlimited. 2) no, on the side of the indexer , I dont see blocked messages or performance problems. Thanks!! ... View more

Hello Douglas/teunlaan, First of all thanks for your responses. @teunlaan All the queues ar filling up. @douglashurd We have tried change the WorkProcesses parameter to 12 cores but the issue persist : Speaking of the hardware resources, the HF have 12 GB of RAM and 12 Cores of CPU . I dont know exactly how much logs are inyected because when we turn on the log deliver, the queues go to 100% and all the process become inestable. There is any extra tunning to make? thanks! ... View more

Sorry, missunderstanding. I said that i dont change that parameter in the HF either on the indexer. On the indexers I not see any errors on health check, all the queues are un 0%, so I think that the problem is before the data have arrived to the indexer (network). Thanks! ... View more

Hi Woodcock, Thanks for your response. I havent set that parameter. The indexer have 90 percent of free space. ... View more

helo esix, Thanks you for your reply, I answer point by point: 1) Yes, you are right. The thing is that the HF dont do any parsing at all, but if I not installed the addons, the data not have parsed (Instead of installing the addon on de Indexers and the searchhead), so when we have installed the addons on the heavy fowarders, its OK. So, this is ver weird maybe I need to check the configuration on HF but like I said to nittala the index and foward parameter is set to false... 2) I have tested the bandwitch and its ok, no problem of saturation, etc. The indexer queues are fine. I have checked. Regarding to this phrase: After that, you need to understand that if Splunk cant send TCPOut (indexing queue..) It will hold the data and keep trying. Once that queue is filled, it back pressures against the Typing, then the Aggregation, and then the Parsing Queues. So if you really are not doing any filtering on your Heavies, I would say you're network connectivity would be one of the primary areas I would look. I am agree with you. because I have this messages on heavy fowarder: 07-17-2018 11:33:58.136 -0300 WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 100 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. 07-17-2018 11:35:38.963 -0300 WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 200 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. 07-17-2018 11:38:12.260 -0300 WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 100 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. ... View more

Hello Nittala, Thanks you for your reply. Your are right, I know, so i use de HF only to deliver the data (Not doing any parsing ), but when we configured the arquitecture, the logs not parsing if I not install the addons on the HF instead of The index and foward parameter is set to false.. ... View more

another comment: It seems that the parameter "maxHotSpanSecs" apply for hot/warm buckets, I see on the indexes.conf: maxHotSpanSecs = * Upper bound of timespan of hot/warm buckets in seconds. So if i set maxHotSpanSecs= (24 hours) , the hot and warm buckets will only save 1 day ???? because it that case It isnt good the idea. question 2: how I can know when the buckets roll? thanks in advance!! ... View more

hello daIJeanis, Maybe You dont understant my question! Thanks you anyway! ... View more

sorry, my mistake. I was thinking about to set the parameter "maxHotSpanSecs to 3 days maybe, And do the backups of the warm buckets every 3 days for example. thanks! ... View more

hello adonio, thanks for your reply. If i only backup the warm buckets, that it seems that covers the most data, I will lost (in case of an emergency) the data that is in hot buckets. Maybe I could set the "maxHotSpanSecs = " to 1 day for example to convert after 24 hs a hot bucket into a warm bucket, so If a disruption exist I will lost only one day of data (because I backup all the warm buckets). I dont know if could be a good opcion, what do you think? The client need to have 1 year events online. Thanks. ... View more

Thanks you all very much! ... View more