As far as I remember (but I'm no Cloud expert so you can double-check it) when subscribing to Splunk Cloud you have a choice between AWS and GCP hosting. And, to add to this confusion 😉 if you don't want Splunk to manage whole infrastructure for you (it has its pros and its cons) you can also just deploy your own "on-premise" Splunk Enterprise environment on your own cloud of choice VM instances. But this has nothing to do with Splunk Cloud. It would still be Splunk Enterprise. ... View more

I have explain this and also searchable buckets in this post https://community.splunk.com/t5/Deployment-Architecture/SF-and-RF-How-much-count-should-we-keep/m-p/580574/highlight/true#M25165. You didn't say if you have normal cluster in one site or multisite cluster have you a smart store in use If You have smart store then you must use SF=RF, otherwise it's possible that spunk try to upload your new bucket from replicate bucket which is not searchable and then it didn't work with S2. If you have multisite cluster then you will have also site replication factor and site search factor which manages  those copies over your sites. As @PickleRick already said your installation arise questions as you said that you have 9 indexers and 7 search head. I need to say that it's quite weird combination especially if those SHs are individual and not in SHC. ... View more

Hi @dtsao  I'm afraid you lost me at transaction - I dont think I've seen a good usecase for transaction for a number of years, where stats would be much better. The way I would approach this is to use something like foreach to loop through your array/multival field to set a fixed field with the value you are trying to transaction against. Once you've got this you should be able to do things with stats like | stats range(_time) as timeRange, count, etc BY yourField If you're able to provide some sample data (redacted if needed) then I'd be happy to create a full query for you. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

I am working on implementing this query, but I need to rename and standardize the output to the C_Label values so i can stats count on those. I need a count per source. I dont think i cram my eval statements with the OR statements. Ill try to incorporate this in my query   Thanks ... View more

Understood.  To test this, I'll actually need to down an interface for at least 60 seconds to see the Down result.  I'll need to get a network engineer involved to test.  I will get back ASAP. ... View more

Hi, the dnslookup is available in Splunk cloud; but not like in enterprise. You might be missing your internal network information on default. Since Splunk Cloud is not hosted in your own network anymore, the platform does not talk to your private DNS servers and therefor misses internal DNS information.  ... View more

Agree 100%.  Hope they consider implementing a self-updating feature if they expect to have the frequency of updates that come along with postgresql. ... View more

Hi @Corky_  Regarding the first option of applying the span after the _time and before other fields in the "BY" of your tstats command, I personally prefer to put the span at the end rather than in the middle of the by list to keep it cleaner and not to be confused with a field. The tstats docs also suggests it should be at the end:  [ BY (<field-list> | (PREFIX(<field>))) [span=<timespan>]]  The second query Im confused as to how you could bin by _time with tstats if you havent specified _time in the by clause initially. If you do not split by _time in the initial part of the query then the _time field wont be available to the bin command.  FWIW - I find the bin command good for doing stats by multiple fields over _time, when you cannot do with timechart.   🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Love the code but  it seemed to only do one value in the lookup. What if that event (comparing host in table to event) has 2 fields that don't have null values that need compared to the 2 in the lookup table.  Like in your example they all had the same columns, 3 fields were in the table and the event had 4 different fields. But I have something to start playing with. I will continue to play with this while onboarding other stuff. Look forward to hearing from you again. ... View more

Both @livehybrid and @richgalloway 's solutions are OK but the question is what problem are you actually trying to solve. It's relatively unlikely that you have - let's say - 8k or 9k characters long events which are perfectly "ok" and suddenly when the event hits the 10k limit the event is "worthless" for you so you're dropping it. It doesn't make much sense since the hard threshold of the data size doesn't seem to be a reasonable way of differentiating between different types of data. I'd be hard pressed to find a scenario where this actually makes sense instead of checking the data syntactically. BTW, Splunk operates on characters, not bytes so while TRUNCATE indeed cuts to the "about" given size in bytes, the len() functions returns number of code points (not even characters! It might differ in some scripts using composite characters) instead of bytes. ... View more

Have you checked the search log or splunkd.log on the remote search head? ... View more

This query will give the number of warnings for each indexer. index=_internal source=*license_usage.log type=SlaveWarnSummary ... View more

Actually, I believe the docs are correct since BREAK_ONLY_BEFORE applies to the line-merging stage which - if enabled - happens after line breaking. Anyway, @jackin  unless you have a very, very peculiar use case, as a rule of thumb you should never enable line-merging. It is resource-intensive and most often you can achieve the same result by simply chosing a proper line breaker. So, how I would approach this - I'd firstly try to use the default ([\r\n]+) linebreaker and check if the stream gets broken into separate lines (disable SHOULD_LINEMERGE!). If it does, you can start searching how to anchor the breaker to the opening bracket. If it doesn't, that means you have some other characters in your data stream and you have to check what it is. ... View more

@hemant_lnu wrote: We have one index os_linux which has 2 source type and i see props and transform is written . can you help me to understand how its working . linux:audit Linux_os_syslog   props.conf [Linux_os_syslog] TIME_PREFIX = ^ Tells Splunk to look for the event timestamp at the beginning of the event TIME_FORMAT = %b %d %H:%M:%S Tells Splunk what a timestamp looks like MAX_TIMESTAMP_LOOKAHEAD = 15 How far from TIME_PREFIX the timestamp is allowed to be SHOULD_LINEMERGE = false Don't combine lines LINE_BREAKER = ([\r\n]+) Events break after a newline (CR and/or LF) TRUNCATE = 2048 Cut off each event after 2048 characters TZ = US/Eastern Event timestamps are expected to be in this time zone Transforms.conf [linux_audit] DEST_KEY = MetaData:Sourcetype REGEX = type=\S+\s+msg=audit FORMAT = sourcetype::linux:audit Look for "type=", some text followed by white space, then "msg=audit".  If it's found, set the sourcetype field to "linux:audit" [auditd_node] REGEX = \snode=(\S+) FORMAT = host::$1 DEST_KEY = MetaData:Host Look for "node=" in each event and set the 'host' field to the word that follows it. ... View more

There are no defaults for charting.fieldColors. ... View more

The url is  "http://127.0.0.1:8088" in log4j2  and localhost(splunk) is running on  port 8000.Whereas the project listener is 8081 port. Yes i have enabled ssl. Most documentation have the same setting so i followed the same ,yet cannot see the logs. ... View more

@ProPoPop  You can increase the speed (throughput) of your Universal Forwarder, but this will also use more network bandwidth. To do this, change the maxKBps setting in the limits.conf file on the Universal Forwarder. More details are here: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf  I also recommend following this : https://community.splunk.com/t5/Splunk-Search/How-do-you-know-when-to-increase-the-bandwidth-limits/td-p/156419  It explains how to safely increase bandwidth and check its usage. You can monitor the bandwidth usage by checking the Universal Forwarder logs on the machine at: $SPLUNK_HOME/var/log/splunk/metrics.log  Or use this Splunk search to see the data: index=_internal source="*metrics.log" group=thruput ... View more

Hi @danielbb  It could be something like a field extraction happening after the line breaking which is causing this, or something else. Without access to your instance we could do with seeing some sample logs along with a btool output ($SPLUNK_HOME/bin/splunk btool props list <sourceTypeName>) for your event's sourcetype.  The thread you posted from 2013 looks like could have been related to the events having a line-break in. Please let us know if you're able to provide a sample + props output.  Thanks ... View more

Two small points:  1. I would avoid the usage of the /lib directory in app code. It was intended to work around an issue that no longer exists (outside of persistent custom REST endpoints) and causes additional issues for extension points that distribute resources to search peers (i.e. certain types of custom search commands and external lookups) - you will need to update .conf files to make sure that the /lib directory is distributed correctly. There are no advantages to using /lib over /bin and /bin is automatically distributed to search peers as required.  2. Similarly, the guidance to do import manipulation using sys.path.insert is also outdated, as it does not prevent import collisions within the context of persistent custom REST endpoints).    e: In the context of a scripted input it shouldn't matter either way. I just want to make sure it's understood where the /lib guidance came from and why it is out of date today.  I'm working to get the old guidance removed from dev.splunk.com and examples on github - appreciate your patience in the meantime.  ... View more

This seems to be some fancy modern top-like program. And I supose it shows separate threads of single splunkd process. Notice that the memory usage is identical for all those entries. ... View more

Hi @Kenny_splunk  Really the only way to "clean" an index is for the data be aged-out. Running the "| delete" on an index will stop it appearing in searches however it will still be present on the disks, just with markers that stop it being returned, therefore it wont actually give you any space back if this is what you are looking for. The best thing you can do is control the data arriving in the platform and reduce this as necessary, hopefully over time the older/larger/waste data will age out and free up space.  What is your retention on this index(es)? If its something like 90 days then you wont have too long to wait, but if its 6 years then you might be stuck with that old data for some time! 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Another reason could be that your events contains timestamps from very far away each other. This also leads that buckets will close earlier than those are full. There should be some indications for reason in _internal logs or even some CMC -> Indexing -> Data quality. ... View more

There's no need to edit props or transforms for Ingest Actions as they can be configured easily using the UI.  In fact, use of the UI is recommended to avoid errors in the ruleset config.  If you need to edit the config files for Splunk Cloud, do so in a custom app and upload the app to your Splunk Cloud search head. https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Data/DataIngest#Deploy_a_ruleset_on_an_indexer_cluster   ... View more

Hi There isnt quite enough info in the post to work out exactly what you need - however the following should get you started. Note: I wouldnt recommend looking back 24 hours every time, what is the reason for this? I would recommend just looking back 60 minutes, you could use earliest=-70m latest=-10m to make sure you get data which is up to 10 minutes late arriving. Run a search which returns the events you want to be alerted on: index=your_index action=update subcategory=WEB_DLP_POLICY earliest=-1d@d latest=now Click Save As-> Alert. Name the alert and change the settings to make it run hourly.  You'll need to make sure you apply some throttling because otherwise you may get the alerts duplicated every time it runs. Then scroll down and setup your chosen Alert action - presumably Email? Configure this according to your requirements and then save. Some useful docs: https://docs.splunk.com/Documentation/Splunk/9.4.1/Alert/Definescheduledalerts 🌟Did this answer help you? If so, please consider: Adding kudos to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more