The important part (and missing from your post) is how much of that allocated space is actually "in-use"? If you are using all 8TB of hot and 160TB of cold, then there is no way around it - you need more disk. However, if your true usage of space falls below this, then you can set your limits to match the space that is available. For example. if your only using 4TB of your 8TB actual hot-device you can safely amend the maxVolumeDataSizeMB to 1TB on each host. You should also understand that if you set the maxVol.. to a value smaller than what you have in current use will only cause that data to roll to cold - not be removed. The limits only tell Splunk what to do at those limits, so as long as you have a small amount of Cold space you can add your new indexers leaving the cold  maxVol... set to 40TB each (320 total) Let the cluster replicate and balance, then when that process is complete you can reduce it to 20TB each. But, Ideally your retention should be dictated by dates rather than volume. I tend to think of the maxVol.. setting as a safety net incase you are getting close to the physical limits of the hardware, but what really drives my storage is how long i need to keep that data for.   ... View more

How are you installing the package - are you using the UI, or copying the package directly? Also are you certain you are using specific Windows version? https://apps.splunk.com/app/2883/   ... View more

Can you provide a bit more detail on what you are trying to do - are you trying to trigger a webhook as an alert action? ... View more

@splunkreal wrote: So sc4s is just a filter, we can't use it as log collector to store data for several months if I understood? That is correct. SC4S is a transient combined syslog receiver and Splunk forwarder. It is not a useful tool without a platform (Splunk) to send the data to. The big advantage with SC4S is the "rule soup" which helps classify and route data into appropriate sourcetypes and indexes without needing any further configuration ... View more

If your metrics are coming from the nix or windows TA then changing the DS version would not have any effect as it is the TA providing that data not the Splunk version.  With that said, so far, my limited testing of v9 I haven’t seen any differences in any of the internal metrics either, so you *should* be ok.  if you need anything further you are better off starting a new topic so more people will see your question!  ... View more

Thanks to the Splunk Docs team for updating the table I referenced above. Hopefully this makes it clearer for anyone approaching this in the future! ... View more

Workaround From 7.3.9 > 8.0.0 Stop the splunk service using the services snapin. Snapshot the VM/Backup the system From the $SPLUNK_HOME/bin folder delete the following files (take backups first) libxml2.dll libeay32.dll ssleay32.dll Run the Splunk 8.0.0 installer (leaving the Splunk service stopped) Validate that the install process completes and check and test the upgrade. ... View more

I think the wording is a little confusing, but "tstatsHomePath" allows you to dictate where this data is stored if you wanted to separate it from the rest of your index data, but importantly you do not have to specify a "tstatsHomePath"! The wording in the spec file says that you should not configure this value for an index with remote storage, so this just means for a Smartstore index do not define "tstatsHomePath"  - the cachemanager will handle this for you.     ... View more

If the syslog receiver is using UDP you can't test it with telnet, instead try netcat. nc -z -v -u <your_IP> <your_port_number>   Although, a good start is to use netstat on the recieving host and confirm the host is listening on the right interface/port/proto! netstat -ln|grep <your_port_number>   ... View more

I made a minor change to the answer above, but I can not reproduce the scenario you describe. https://regex101.com/r/FXD0Q4/2 ... View more

Splunk will not perform CIDR matches against regular expressions. You will need to construct your regex to match the range of addresses you need   (10\.) (172\.1[6-9]\.)|(172\.2[0-9]\.)|(172\.3[0-1]\.) (192\.168\.)   But you should be able to do this in one stanza if you wish   [internal_IPs] REGEX = dst\=((?:10\.)|(?:172\.1[6-9]\.)|(?:172\.2[0-9]\.)|(?:172\.3[0-1]\.)|(?:192\.168\.)).+ DEST_KEY = queue FORMAT = nullQueue   ... View more

try changing it to    if(action="File quarantined","blocked",action)   That looks to me like the intent is to re-write the action to be "blocked" for a quarantine message, otherwise leave action as it was if (action = quarantine, re-write it as action="blocked", otherwise set action=action( i.e whatever it already was) )     ... View more

@gozdeyildizz Thats great news! Don't forget to accept an answer and upvote posts that helped you!  ... View more

I am pleased you have it working, but for the record, chmod'ding to 777 is not a sensible fix for a production system. 🙂   ... View more

In that case, unless you set up the splunk user by hand, it wont exist. At a guess you were therefore running Splunk as root. If root has permission issues then you probably have bigger problems! Can you access the contents of /opt/splunk? ... View more

How was splunk installed? rpm/deb or from the tar.gz? Who owns files in /opt/splunk?   ... View more

Thats odd. Can you run "sudo id splunk" It should return something like uid=xxx(splunk) gid=xxx(splunk) group=xxx(splunk)  or does it report "splunk" no such user ... View more

Splunk only allow you to download currently supported versions, since 6.6 has fallen out of support that's why it is not available for download. Raise a support ticket via the support portal, or if you have no access you should speak to your reseller/account manager.   ... View more

Was Splunk configured to run as "root"? If you configured Splunk to run as "splunk" (recommended) you should not start it as root. If you do, it may mess about with the folder permissions, which means the next time you start it as "splunk" you get permission errors. If this is what happened, you should stop Splunk (if running) then (assuming linux) sudo chown -R splunk:splunk /opt/splunk   Then start Splunk as "splunk" - probably easier to reboot the system and let the Splunk boot-start process handle it.   ... View more

Did you set ratio to match the search sample ratio? I am guessing you are not using sampling, so set the ratio=1 ... View more

I think ( @priyastalin correct me if wrong) it looks like this is just so you can filter on the groupId? I'm not sure if seeing the contents of the macro would help to understand if its doing a simple filter or if there is something more complex going on to get the set of results. If this is something you run frequently, I think a lookup might be a far simpler (and faster) approach. ... View more