Splunk has good compression capability, avg 50% also things get another angle with ES or ITSI or any major use of DM Acceleration in general, this is the basic formulas Splunk uses, frmo docs: http://docs.splunk.com/Documentation/Splunk/7.1.2/Capacity/HowSplunkcalculatesdiskstorage ... View more

You have to disable the SSLv3 Support on the Forwarder in the local/server.conf . [sslConfig] sslKeysfilePassword = <your_password> sslVersions=*,-ssl2,-ssl3 cipherSuite = TLSv1.2:!eNULL:!aNULL Then it should work again. ... View more

Are those indexers being EOL? If not, why not just have your search heads querying them as additional peer nodes. Then you don't have to worry about logs moving, but you still get the results you need. ... View more

Ah gotcha - thanks and will do! 🙂 ... View more

somesoni2 has already linked to it but the Splunk Capacity Planning manual is what you want to refer to... ... View more

Oh my mistake I'm thinking of the rb and db files which are the raw data as you said... So in a cluster both the replicated copies and the original copies get copied ... View more

I'm glad that fixed it! It's also worth noting that most of the lookup gen searches are performing useful internal tasks like this, and when making the effort to reduce the number of searches running overall, it's useful to dig into what the searches are doing before disabling them. ... View more

That's funny! ... View more

Thanks to you both! I figured as much..... ... View more

Hello there, First i would like to say that i think you are on the right track and your research is valid and that you found good events. windows logs are verbose and there is plenty to look for and see. having said that, I have seen many windows admins and ops guys, looking at different events for same or similar use cases. before i continue, i will highly recommend to consult your windows admins / SMEs and ask them what do they see more often? what is important for them to be alerted at? from many many sources online on this subject, these 2 links are pretty good. I choose those since they also add some security aspect to the mix: http://www.redblue.team/2015/09/spotting-adversary-with-windows-event.html http://www.redblue.team/2015/09/spotting-adversary-with-windows-event_21.html from an operational perspective, i have seen that many times the WinHostMon (windows host monitoring) can be very useful as a source on top (or by itself) of system logs hope it helps ... View more

Splunk can only report on whatever data it has, so if you want the report, then the source of that data needs to be identified, along with any required data plumbing. For example, you could easily use splunk to COMPILE a list of everyone who had logged onto a particular box over a period of time, and then, given access, you could do a call to the box to identify what the person's groups, and current status are. That won't get you the names of people who HAVE access and have never used it... unless the creation of the account has also been logged (which it should be). It's not perfect, but if you have the data -- windows 4720 events, for example, or ubuntu logs containing the term "useradd" -- then you can do it using the data you already administer. ... View more

Perfect! Thanks All.....I appreciate you guys weighing in on this. Indeed, we are pushing all the _internal logs down to the indexing cluster (which all of the elements in our distributed environment can search). ... View more

Does anyone know what causes this. I have never seen this before until now. Unix team deployed UF to around 20 systems and they all had the same GUID. ... View more

That was it! Had to add splunk_server=* to my SPL query for this to work. Thank you! ... View more

@vanderaj2 - Did the answer provided by rphillips help provide a solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks! ... View more