1. Be a bit more precise on how you defined the HF 2. You don't need an index on the HF. ... View more

As always - there are two questions. 1. Will it run? Probably. I've worked with 9.0 Splunk servers supplied with UFs going as far back as 6.6.x. 2. Is it a good idea? Depends on the circumstances. As the others already said - if you have no other choice, you're running what you have. But it's usually better to upgrade (unless there are some critical bugs affecting your particular use case). If not for any other reason - 9.0 introduced configuration tracking so you can see what changed and when. ... View more

No worries. It's just that some assumptions which are obvious to the one writing the question might not be clear at all to the readers. Again - there are some ways of approaching this problem, but we need to know what you want to do 🙂 Splunk can carry over the value from the previous result row but as for the additional logic - it has to know what to do with it. Compare this: | makeresults count=10 | streamstats count | eval field{count}=count | table field* With this: | makeresults count=10 | streamstats count | eval field{count}=count | table field* | streamstats current=f last(*) as * The values are carried over. But if there is additional logic which should be applied to them - that's another story. ... View more

OK. People use their own spare time to help others. Not specifying the problem properly is simply wasting their time. Present your problem as clearly and completely as possible. Sure, there might sometimes be some unclear things but guessing not only the solution but also the problem itself is not gonna cut it. So if you want to get some serious help, invest something firstly into specifying what you're trying to achieve - what the data is, what is the relation between the data and the desired output, what is the logic behind the output. Just saying "three versions per day" doesn't tell anything about how the input data corresponds to the output. Maybe some counts should be aggregated, maybe not. How the versions are ordered? Do the counts "spill down"? What is going on with that data? ... View more

Use https://regex101.com to verify your regexes. In this case it won't work for "string" not being a number because \d+ means a sequence of digits. Depending on how precise you want to be with this match, you might want \S+ or some other variation. ... View more

I can't propose any solution because I have no idea where the problem is. I don't even know which endpoint you're using. The remark about line breaking is just something worth knowing. ... View more

Ok. So it seems you're not just filling down because at the end you're substracting from what's already been counted. There is much more logic here. Are there any limitations to the versions per day? What if there are more than two versions? It seems much more complicated. ... View more

HEC sources, if writing to /event endpoint can provide own set of indexed fields beside the raw event. Also - with /event endpoint no line breaking takes place. ... View more

Oooof, that's a golden shovel for you, Sir. 😉 But to the point - no. It's how Splunk works. It will allocate a single CPU for each search on a SH it's being run from as well as on each indexer taking part in the search. So the way to "add cores to the search" is to grow your env horizontally in the indexer layer _and_ write your searches so that they use that layer properly. ... View more

First thing to debug inputs is usually, after verifying the config checking the output of splunk list monitor and splunk list inputstatus   ... View more

To be precise, "connection reset by peer" means that the other end sent a packet with a RST flag. This might happen when: 1) The traffic is not filtered but the port is not open on the other side. In this case a server would simply respond with RST to the initial SYN packet and no session would be established at all. 2) The session is established (there is normal three-way handshake) but either: 2a) There is some low-level problem with the connection and the IP stack on the other end decides that it's unrecoverable and decides to close the session abruptly. 2b) There is some intermediate solution monitoring/inspecting/whatevering the traffic and breaking the connection in case it finds anything "wrong" or "suspicious". In my experience I encountered IPS solutions which would send spoofed RST both ways (to the client and server) because it was seeing unknown TLS certificates. 2c) The connection on the TCP level is working OK but there is some problem with a higher layer protocol and the protocol doesn't have signaling for that and doesn't allow for graceful shutdown and instead just closes the connection. Typical example is again TLS-oriented - when the server doesn't like client's crypto proposals (or client's certificate if you're using mTLS), it will send a TLS alert within the TLS negotiation session and then simply close the connection. It should be reflected in logs on the server's side in such case. It's often good to get a network dump (tcpdump/wireshark) from both ends of the connection to see who's sending the RST and at which moment. ... View more

Have you checked that there is actually something to forward from that file? Modern RHELs don't write there by default relying on journald instead. ... View more

Since you're posting this in the Cloud section I'm assuming you're gonna want to send the events to Cloud. There is no way to send such data directly to Cloud. So you will need at least one server on-prem to gather data from your local environment. Depending on your sources and what you want to collect (and the goal of your data collection) you might use one of various possible syslog receiving methods (dedicated syslog daemon - rsyslog or syslog-ng either writing to files or sending directly to HEC input or SC4S). There are multiple methods of handling SNMP (SNMP modular input, SC4SNMP, self-configured external snmp collecting script and/or snmptrapd). And API enpoints can be handled by some existing TAs or you can try to handle them on your own by external scripts or Addon-builder created API inputs. So there is plethora of possibilities. ... View more

App's description on Splunkbase doesn't list any specific external licensing requirements so you should be able to just download the app from there and use it. ... View more

Please use code block or preformatted paragraphs for config snippets. It greatly improves readability. And your config's syntax is completely off. If that is your actual config, use splunk btool check to verify your config. If not, please copy-paste your literal settings. ... View more

There are several possible approaches to such problem. One is filldown mentioned already by @richgalloway. Another is streamstats or autoregress. Or you might simply reformulate your problem to avoid this altogether. It all depends on particular use case. ... View more

Amd what events are you expecting? As per the TA description, it provides custom search commands, not inputs. ... View more

You might simply cut the prefix from your URI. Something like this | rex mode=sed field=uri "s/^\\/\S+((arabic|english)\\/)?//"  @yuanliu 's pooint about /experience/ part is also valid. But searching for */experience/* is not a best idea (search terms with wildcards at the beginning are usually best avoided). ... View more

In this case values(SourceIP) might be more desirable than list(SourceIP). The former will show unique values while the latter will show a list of fields, however many times they appear. ... View more

That might be a bit more complicated than that. The main premise that for thawing data you're not ingesting anything is of course true but. 1) If you don't have a specific license, Splunk Enterprise installs with the default trial license. It has all (ok, most) of the features but it is time-limited. 2) After the trial period ends - you end up with the free license which doesn't let you schedule searches or define roles/users. You might try to run the zero-bytes license normally meant for forwarders. ... View more

But what constitutes those as "common"? As long as you can answer this question, adjusting your results will be relatively easy. ... View more

Add to this the fact that searches can be created dynamically by means of subsearches and/or map command and there is no way to find all indexes (not) accessed by looking at searches. One could hypotesize that you could try to leverage some OS-level monitoring to find whether the actual index directories are accessed but that could also not yield reasonable results since Splunk's housekeeping threads must access the indexes to enforce retention policies and data lifecycle. Having said that - you can search _internal and _audit logs for executed searches and try to build a list of indexes which were used and thus limit your investigation whether anyone uses the ingested data to only a subset of indexes not mentioned in that list. ... View more

This is one huge search. Check each of the "component searches" on their own and see how they fare. Since some of them are raw event searches over a half a year worth of data, possibly through a significant subset of that data, I expect them to be slow just because you have to plow through all those events (and one of those subsearches has a very ugly field=* condition which makes Splunk have to parse every single event!). If you need that literal functionality from those searches, I see no other way than using some acceleration techniques - the searches themselves don't seem to be very much "optimizable". You might try to change some of them to tstats with PREFIX/TERM but only if your data fits the prerequisites. ... View more

1. As @richgalloway mentioned, a (typically small but it realy depends on the input) lag between _time and _indextime is a normal state. Or at least on its own it doesn't mean that something is wrong. 2. DATETIME_CONFIG=none explicitly disables timestamp recognition. Are you sure it is what you want? 3. If there is a difference between the timestamp included in the raw event and the timestamp stored in the _time field, the data is not properly onboarded. Tenable.io is a cloud service so I suppose there is some modular input which pulls the data from the cloud and pushes them to Splunk. But I have no idea whether the timestamps should be parsed by the input itself and fed "as is" to Splunk or if the data should be parsed in Splunk. Infortunately, it's a third party add-on so there can be completely everything happening inside... ... View more