Hi, I have a KV time-based lookup generated from DHCP logs with content like this: time,ip,hostname,mac 1709093697,10.223.5.43,host-43,aa:bb:cc:dd:ee:ff and transforms.conf for it: [dhcp_timebased_lookup] collection = dhcp_timebased_collection external_type = kvstore fields_list = _key,time,ip,hostname,mac max_offset_secs = 691200 min_offset_secs = 0 time_field = time time_format = %s Lookup works well when I run search which pulls events from index: index=test source=timebased | lookup dhcp_timebased_lookup ip AS dest_ip OUTPUT hostname | table _time dest_ip hostname Hostname is there: _time dest_ip hostname 1709093697 10.223.5.43 host-43   But when I use this lookup after non-event-generating commands it does not work: index=test source=timebased | table _time dest_ip | lookup dhcp_timebased_lookup ip AS dest_ip OUTPUT hostname OR index=test source=timebased | stats count BY _time dest_ip | lookup dhcp_timebased_lookup ip AS dest_ip OUTPUT hostname OR | makeresults | eval dest_ip = "10.223.5.43", _time = 1709093697 | lookup dhcp_timebased_lookup ip AS dest_ip OUTPUT hostname OR | tstats from datamodel=SomeDM count BY _time SomeDM.dest_ip span=1s | lookup dhcp_timebased_lookup ip AS "SomeDM.dest_ip" OUTPUT hostname Hostname doesn't show up. If I turn time-based setting for this lookup off it outputs hostnames for all searches above. It makes me think there is some difference between _time field in events' metadata and _time field in statistics. Is it so? And is there solution besides "join with inputlookup and addinfo" workaround? ... View more

Hello! Is it possible to extract EDNS fields from DNS packets using Splunk Stream? In particular, I mean CSUBNET (option 8, see image).   ... View more

Hello! I'm setting up Stream Forwarders on Linux DNS servers to index DNS traffic. Splunk_TA_Stream is deployed to Universal Forwarders by Splunk Deployment Server with all relevant configs and is working correctly except one thing: streamfwd process consumes 800-1000 MB of RAM which I think is a huge overhead for DNS servers with 1,5-2 GB RAM. Configuring queue sizes, bandwidth limits and so on in streamfwd.conf makes no difference. I see such behavior both on heavy loaded DNS servers (stream:dns traffic around 8-10 MBps) and on idle test servers - memory usage by streamfwd is +- the same. So I have 2 questions: 1. Is there a way to limit streamfwd memory usage somehow by config settings? 2. How is streamfwd launched? I mean where is the line of code in Stream scripts or elsewhere by which /opt/splunkforwarder/etc/apps/Splunk_TA_Stream/bin/linux_x86_x64/streamfwd executable is run? I think of experiment by prepending this command line with ulimit or similar Linux command to set memory restrictions. Or, maybe, such memory consumption is not a bug or misconfiguration but is by design? Splunk Enterprise 7.2.6, Splunk_TA_Stream 7.2.0, Oracle Linux Server release 7.8. ... View more