Hi Daniil,   you can package Apps like that in multiple ways see: https://dev.splunk.com/enterprise/docs/releaseapps/packageapps/ Easiest would probably be to utilize Splunk. example: /opt/splunk/bin/splunk package app <appname> ... View more

Its hard to say without a search-example.  Could you post an example-search, which has the issue? Usually  |fields - _raw does help already. ... View more

What sizes are all other Searchresults usually? Take a look at the Job Activity. ... View more

This issue can be caused by a static blocksize in the filesystem.  Indications ist the regular occurance of 128M or 250/255/256M sizes across search-results. Splunk does read the blocksizes in full.  Run "mount" on your cli to see what the mount options are for your filesystem. In example if you use XFS and you see an option like allocsize=<a big number>, then just get rid of this option.  Usually the default option are sufficient anyways. ... View more

Splunk Docker container do not currently work. As Splunk Software(possibly WebServer) is running into a QEMU Bug. qemu: uncaught target signal 11 (Segmentation fault) - core dumped The container works but Splunk upon starting the Webserver will fail due to this issue. As there is no ARM64 version of Splunk Enterprise, there is only one workaround, that is to install locally.  ... View more

Hi bgill0123,   in order to get an overview of the data ingestion rates by host you can use this example:   index=_internal sourcetype=splunkd fwdType=* group=tcpin_connections(connectionType=cooked OR connectionType=cookedSSL) | timechart minspan=30s avg(eval(tcp_KBps)) as "KB/s", avg(tcp_eps) as "Events/s" by hostname     Additionally if you are using the Monitoring Console you can find desired information here: https://<your_MC>:8000/en-GB/app/splunk_monitoring_console/forwarder_deployment In order to only get the the dramatically increased ingestion-rates you need to define what "dramatic" means. If we are going with "double" == "dramatic" then we can run the following example:   index=_internal sourcetype=splunkd "group=tcpin_connections" ("connectionType=cooked" OR "connectionType=cookedSSL") earliest="-2d@d" latest=@d | fields hostname, tcp_KBps | bin _time span=1h | stats max(eval(tcp_KBps)) as "max_kbs" by _time, hostname | stats avg(max_kbs) as avg_max_kbs latest(max_kbs) as latest_max_kbs by hostname | eval dramatic_threshold=avg_max_kbs*2 | eval dramatic=if(latest_max_kbs>dramatic_threshold,"true","false") | where dramatic=="true" This will give you a list of hosts where in the last 1h there was a peak higher than the average peaks in the last 2 days. This can be modified to calculate the Volume as well.  ----- Hope this helps. If this answer helped you, please upvote/mark as resolution. Kind, Florian   ... View more

Hi dfurtaw In order to fulfill your requested action you would do the following (eval and makeresults are not necessary, only as an example):     | makeresults | eval _raw="Feb 23 11:45:51.469604 host-qa log {start 1614098751.47494} {addr xx,xx.xx.194} {port 85488} {method GET} {url /statictest.html} {bytes 399} {status 200} {end 1614098751.461997} {host 88.10.30.7} Feb 23 11:45:51.469604 nstop-qa CommonLog: Feb 23 11:45:51.469604 nstop-qa 10.13.80.7 - - [23/Feb/2021:11:45:51 -0500] \"GET /statictest.html HTTP/1.0\" 200 399 Feb 23 11:45:51.470248 host-qa ' Feb 23 11:45:51.470248 host-qa" | rex mode=sed field=_raw "s/.*({host\s(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)}).*/\1/g"         What are we doing here? mode=sed -> Run rex command using stream editor mode. -> nice SED documentation(gnu SED): https://www.gnu.org/software/sed/manual/sed.html field=_raw -> Run the following sed command on the _raw field of the event. "s/.*({host\s(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)}).*/\1/g" First thing we set sed command s for substitution. That way everything we match gets replaced with the second part of the expression. In your case we match everything before and after host in order to discard it. See: .* next up ({host\s(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)}) this is the capture group "()" to match the curly brackets including "host" a space-character and a valid IP address: (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3} -> 3 first octets like "169." (?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?) -> last octet of ip address What is (:?  ? The notation of colon question mark  disables the capturing of the group. This is important i order for the replacement to take the right group. Each capturing group is silently assigned an index. We can then use that index for the replacement. Third part of the expression: /\1/g -> Replace with the captured match index \1 globally "g".  Conclusion 1: Match everything and put the important stuff into a capturing group and use the reference to replace everything  with the desired capturing group. ------------------------ Now. If you only care for the actual ip occurring at the time. You could also extract the host field. That way you can use _raw for other queries. Matching could be similar to the previous example we just don't have to match everything:     | makeresults | eval _raw="Feb 23 11:45:51.469604 host-qa log {start 1614098751.47494} {addr xx,xx.xx.194} {port 85488} {method GET} {url /statictest.html} {bytes 399} {status 200} {end 1614098751.461997} {host 88.10.30.7} Feb 23 11:45:51.469604 nstop-qa CommonLog: Feb 23 11:45:51.469604 nstop-qa 10.13.80.7 - - [23/Feb/2021:11:45:51 -0500] \"GET /statictest.html HTTP/1.0\" 200 399 Feb 23 11:45:51.470248 host-qa ' Feb 23 11:45:51.470248 host-qa" | rex field=_raw "{host\s(?<host>(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))}" | timechart count by host    You we are now only capturing the ip address, since { host is outside of the capturing group. Additionally (?<host> indicates a named capturing group overwriting the existing host field with the captured value (the IP in this case). Conclusion 2: Named capturing groups can help creating new fields to work with down the stream. For more help with regex and easier testing I highly recommend regex101.com If you found this posting helpful please mark as solution and upvote.  ... View more

From 8.1 + : You can now use a more intuitive and better readable Syntax like index=main mysearchterm ```This is a comment``` | stats count by host   ... View more

Yes. You can edit  /opt/splunk/etc/system/local/server.conf to meet your requirements.  ... View more

Splunk will never set pass4SymmKey on its own. Except it is not set, which it then sets it to a default key. Either things are happening: - conf file gets removed/changed - $SPLUNK_HOME/etc/auth/splunk.secret gets removed/changed ... View more

Not 100% familiar with the Kubernetes implementation.  But make sure the mounted volumes are only used on this cluster and not destroyed. ... View more

According to the Docs-Link provided by woodcock, depends is an "AND" logic where as rejects is an "OR" logic. ... View more

Hi you can check the definitive configuration with BTOOL. This is very useful to identify applied configuration. Make sure you are having the pass4SymmKey in the right place without typo. Splunk encrypts pass4SymmKey on startup(once). /opt/splunk/bin/splunk cmd btool --debug server list general | grep pass4SymmKey /opt/splunk/bin/splunk cmd btool --debug server list clustering | grep pass4SymmKey   ... View more

This doesnt work in more recent versions and results in the following error: ERROR AggregatorMiningProcessor - Uncaught exception in Aggregator, skipping an event: Can't open DateParser XML configuration file "./local/datetime.xml": No such file or directory - data_source So currently you have to use a static path and separate apps per deployment. ... View more

What was the Solution to this? ... View more