Hi there im currently at a search to get the usage of Indexes, so i have an overview which indexes gets used in searches and which indexes doesnt so i can speak with the usecase owner if the data is still needed and why it doesnt get used. Thats the current state of the search:   | rest "/services/data/indexes" | table title totalEventCount frozenTimePeriodInSecs | dedup title | append [search index=_audit sourcetype="audittrail" search_id="*" action=search earliest=-24h latest=now ``` Regex Extraction ``` | rex field=search max_match=0 "index\=\s*\"?(?<used_index>\S+)\"?" | rex field=search max_match=0 "\`(?<used_macro>\S+)\`" | rex field=search max_match=0 "eventtype\=\s*(?<used_evttype>\S+)" ``` Eventtype resolving ``` | mvexpand used_evttype | join type=left used_evttype [| rest "/services/saved/eventtypes" | table title search | stats values(search) as search by title | rename search as resolved_eventtype, title as used_evttype] | rex field=resolved_eventtype max_match=0 "eventtype\=\s*(?<nested_eventtype>\S+)" | mvexpand nested_eventtype | join type=left nested_eventtype [| rest "/services/saved/eventtypes" | table title search | stats values(search) as search by title | rename search as resolved_nested_eventtype, title as nested_eventtype] ``` Macro resolving ``` | mvexpand used_macro | join type=left used_macro [| rest "/servicesNS/-/-/admin/macros" count=0 | table title definition | stats values(definition) as definition by title | rename definition as resolved_macro, title as used_macro] | rex field=resolved_macro max_match=0 "\`(?<nested_macro>[^\`]+)\`" | mvexpand nested_macro | join type=left nested_macro [| rest "/servicesNS/-/-/admin/macros" count=0 | table title definition | stats values(definition) as definition by title | rename definition as resolved_nested_macro, title as nested_macro] | where like(resolved_nested_macro,"%index=%") OR isnull(resolved_nested_macro) ``` merge resolved stuff into one field ``` | foreach used* nested* [eval datasrc=mvdedup(if(<<FIELD>>!="",mvappend(datasrc, "<<FIELD>>"),datasrc))] | eval datasrc=mvfilter(!match(datasrc, "usedData")) | eval usedData = mvappend(used_index, if(!isnull(resolved_nested_eventtype),resolved_nested_eventtype, resolved_eventtype), if(!isnull(resolved_nested_macro),resolved_nested_macro, resolved_macro)) | eval usedData = mvdedup(usedData) | table app user action info search_id usedData datasrc | mvexpand usedData | eval usedData=replace(usedData, "\)","") | where !like(usedData, "`%`") AND !isnull(usedData) | rex field=usedData "index\=\s*\"?(?<usedData>[^\s\"]+)\"?" | eval usedData=replace(usedData, "\"","") | eval usedData=replace(usedData,"'","") | stats count by usedData ]    The search first gets the indexes via | rest with its eventcount and retentiontime. Then audittrail data gets appended and used Indexes, Macros and Eventtypes gets extracted from the searchstring and resolved (since some apps uses nested eventtypes/macros in my environment they get resolved twice). Still needs some sanitizing of the extracted used-indexes. that gives me a table like this (limited the table to splunkinternal indexes as example) title totalEventCount frozenTimePeriodInSecs count usedData _audit 771404957 188697600     _configtracker 717 2592000     _dsappevent 240 5184000     _dsclient 232 5184000     _dsphonehome 843820 604800     _internal 7039169453 15552000     _introspection 39100728 1209600     _telemetry 55990 63072000     _thefishbucket 0 2419200           22309 _*       1039 _audit       2 _configtracker       1340 _dsappevent       1017 _dsclient       1 _dsclient]       709 _dsphonehome       2089 _internal       117 _introspection       2 _metrics       2 _metrics_rollup       2 _telemetry       2 _thefishbucket But i didnt managed to merge the rows together so that i have count=1039 for _audit plus the 22309 from searches that uses all internal indexes  in one row for each index. ... View more

Hi there, i have a file monitoring stanza on a universal forwarder where i filter using transforms.conf to only get logentries i need, because the server writes logentries of multiple business processes into the same logfile. Now i need entries of another process with different ACL in a different index from that logfile but in our QS cluster while the first datainput still ingests into our PROD cluster So i have my inputs.conf [monitor://<path_to_logfile>] disabled = 0 index = <dataspecific index 1> sourcetype = <dataspecific sourcetype 1> a props.conf [<dataspecific sourcetype 1>] SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE_DATE = true TRUNCATE = 1500 TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = [%y/%m/%d %H:%M:%S] TRANSFORMS-set = setnull, setparsing and a transforms.conf [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = (<specific regex>) DEST_KEY = queue FORMAT = indexQueue As standalone Stanza i would need the new input like this, with its own setparsing transforms [monitor://<path_to_logfile>] disabled = 0 index = <dataspecific index 2> sourcetype = <dataspecific sourcetype 2> _TCP_ROUTING = qs_cluster   to be honest i could just create a second stanza thats a little different and still reads the same file, but i dont want two tailreader on the same file. What possibilities do i have? Thanks in advance ... View more

Hi, i have a question on Authenticating to IDX Cluster Peer via REST. We have the following Environment: 3 IDX in Cluster 3 SH in Cluster 1 CM (License Manager, IDX Cluster Manager, Deployer & Deploymentserver) Our normal Authentication for Web is currently with LDAP. With my LDAP-User i can directly perform a GET request to an Indexer, but with a local User created over WebUI (tried local user in SHC and on CM) i cant perform any request to an indexer.  The WebUI is disabled on the Indexers and they dont have the LDAP Configuration as the Searchheads does. How does it come, that the Indexer know my LDAP User but not the locally created? And how can i let the indexers to get to know a locally on SH or CM created user? ... View more

Did the blacklist/whitelist got replaced by denylist/allowlist in Splunk 9? In some Blogs i read that Splunk 9 replaced blacklist with denylist? Or is blacklist still usable? In the Changelogs of Splunk 9 i didnt found any evidence for the change, but the Splexicon and some Blogs say something different. https://docs.splunk.com/Splexicon:Denylist https://www.splunk.com/en_us/blog/leadership/biased-language-has-no-place-in-tech-a-follow-up.html?locale=en_us Thanks for explanation 🙂 ... View more

Hi Splunkers, i work with Splunk Enterprise and wonder if i can modify content in share folder. I would like to change the fonts of the web-GUI to our corporate fonts and found the fonts used by splunk in $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/fonts and the CSS for that in ../exposed/build/css/bootstrap-enterprise.css (searched for proxima in the css) Will it have any Impact on splunk Version updates or Splunksupport if i change the Fonts to corporate Fonts? Thanks in Advance for your answers ... View more