HI Everyone, Hope you all are doing well.   I am trying to deploy the CIM on Search Head Cluster Environment, and I have some questions: 1- I found under /default two files (inputs.conf & indexes.conf) that seems to me they are related to indexer cluster not search heads cluster, am I true? 2- what is "cim_modactions index definition is used with the common action model alerts and auditing", i didnt know the actual meaning? Splunk Common Information Model (CIM)  ... View more

Hello,   I want to create Input: HEC on the indexers => Indexer Cluster.   Create inputs.conf under /opt/splunk/etc/master-apps/_cluster/http_input/local: [http] disabled=0 enableSSL=0 [http://hec-input] disabled=0 enableSSL=0 #useACK=true index=HEC source=HEC_Source sourcetype=_json token=2f5c143f-b777-4777-b2cc-ea45a4288677 Push these configuration to the peer-app (Indexers).   But we go to the Data inputs => HTTP Event Collector  at indexer Side we still found it as below:     ... View more

Hello Splunker,   I have two volumes with the following specs: Hot/Warm Volume: 5.25 TB Cold Volume: 4.75 TB ================================ [volume:hot] path = /opt/splunk-hwdata maxVolumeDataSizeMB = 7602176 [volume:cold] path = /opt/splunk-Colddata maxVolumeDataSizeMB = 4980736 ================================== [Win] repFactor = auto homePath = volume:hot/$_index_name/db coldPath = volume:cold/$_index_name/colddb thawedPath = /opt/splunk-Colddata/$_index_name/thaweddb homePath.maxDataSizeMB = 7602176 coldPath.maxDataSizeMB = 4980736 maxWarmDBCount = 720 frozenTimePeriodInSecs = 5184000 maxDataSize = auto_high_volume [FW] repFactor = auto homePath = volume:hot/$_index_name/db coldPath = volume:cold/$_index_name/colddb thawedPath = /opt/splunk-Colddata/$_index_name/thaweddb homePath.maxDataSizeMB = 7602176 coldPath.maxDataSizeMB = 4980736 maxWarmDBCount = 720 frozenTimePeriodInSecs = 5184000 maxDataSize = auto_high_volume   ==================================== Notice we have re-configured the below: [diskUsage] minFreeSpace = 20000 Finally, we have reached the bottom of the question 😀.   I am doubt if this configuration can maintain the below requirements: The data retention period for the online data is 2 months. - Hot/Warm – 1 month - Cold – 1 month         ... View more

Hello Esteemed Splunkers, I have a long question, and I wish to have a long and detailed discussion ^-^  First of all:                    We have a distributed environment:                    Deployer with 3x search heads.                    indexer master with 3x indexer.                   Deployment server with 2x heavy forwarder. and we want to deploy "Splunk_TA_fortinet_fortigate" the below is the content: the question is: should we deploy this app from the deployer to all search heads? should we deploy this app from the Indexer Master to all indexers? should we deploy this app from the deployment server to all heavy forwarders? should we change the name of the default folder to local? In a nutshell, what should we do and the consideration should we look at?   Thanks in advance! ... View more

Hello ES Splunker,   I want to know if any applications can be installed to enhance the security posture alongside with Enterprise Security. is ITSI App added value for the security posture?   ... View more

Hello, I am writing to ask from which point regarding the EPS OR Daily ingested GB/day and the number of users simultaneously access the search head. at what point should i consider a cluster search head cluster, as it will be (one-single SH ) OR (three SH + Deployer)? from your technical perspective?     ... View more

Hello Splunker, Hope you had a great day! as per the below picture :             Q1:- I need to understand the exact process of creating the TSIDX file and its content and how actually it speeds the search? Q2:- Why the size of the tsidx file is bigger than the raw data itself 35% /15%? Q3:- what is the difference between tsidx file and datamodel summary? I am expecting a long answer and more details, actually i like details! Thanks in advance!   ... View more

I Have used the below two events to test the SOURCE_KEY =     <132>1 2023-12-24T09:48:05+00:00 DCSECIDKOASV02 ikeyserver 8244 - [meta sequenceId="2850227"] {Warning}, {RADIUS}, {W-006001}, {An invalid RADIUS packet has been received.}, {0x0C744774DF59FC530462C92D2781B102}, {Source Location:10.240.86.6:1812 (Authentication)}, {Client Location:10.240.86.18:42923}, {Reason:The packet is smaller than minimum size allowed for RADIUS}, {Request ID:101}, {Input Details:0x64656661756C742073656E6420737472696E67}, {Request Type:Indeterminate} <132>1 2023-12-24T09:48:05+00:00 DCSECIDKOASV02 ikeyserver 8244 - [meta sequenceId="2850228"] {Warning}, {RADIUS}, {W-006001}, {An invalid RADIUS packet has been received.}, {0xBA42228CB3604ECFDEEBC274D3312187}, {Source Location:10.240.86.6:1812 (Authentication)}, {Client Location:10.240.86.19:18721}, {Reason:The packet is smaller than minimum size allowed for RADIUS}, {Request ID:101}, {Input Details:0x64656661756C742073656E6420737472696E67}, {Request Type:Indeterminate}   Using the below Regex: [xmlExtractionIDX] REGEX = .*?"]\s+\{(?<Severity>\w+)\},\s+\{\w+\},\s+\{(?<DeviceID>[^}]*)\},(.*) FORMAT = Severity::$1 DeviceID::$2 Last_Part::$3 WRITE_META = true   till that it's working fine then i want to add more precise extraction and want to extarct more info from the Last_Part field using the SOURCE_KEY =    [xmlExtractionIDX] REGEX = .*?"]\s+\{(?<Severity>\w+)\},\s+\{\w+\},\s+\{(?<DeviceID>[^}]*)\},(.*) FORMAT = Severity::$1 DeviceID::$2 Last_Part::$3 SOURCE_KEY = MetaData:Last_Part REGEX = Reason:(.*?)\} FORMAT = Reason::$1 WRITE_META = true   But it doesn't work now, Is there any advice to do that using SOURCE_KEY      ... View more

Hello, I hope all is well. Need your help to monitor the F5 Interface utilization throughput (performance Monitor). Any Idea! @community  #performanceMonitor ... View more

Hello, have a nice day!   I have followed the Distributed Search document and create a dshborad.xml file and push it through the deployer, and i could find it in the search heads app as below: hit Edit properties  cause the below ERROR: Also, I didn't find the dashboard under the dashboard tab to view it. =========================================================   ... View more