Hi All, I need to create a query where user access a same destination from 5 or more sources, also in that query opposite should also be achieved i.e. 5 or more destination and 1 source, is it possible? ... View more

What is the recommended sequence of upgrading Splunk enterprise to 8.0? Should i upgrade all apps& add-ons first and then Splunk Enterprise or vice-versa? Normally in 7.x.x version i'd done first enterprise and then apps-addons, however this link says different, https://docs.splunk.com/Documentation/Splunk/8.0.2/Installation/Python3LowEffort Also evaluating some apps documents, it states for some apps you need to have Splunk 8.0 first and then upgrade the app, confused! ... View more

Hi, 1) I want to move my hot/warm bucket to cold after 90 days, is it possible to roll buckets based on time duration or only can roll volume based? Want to keep Hot and Warm for 90 days as i am using ssd for it and move it to cold in slow disk after that. Can this setting be applied maxHotSpanSecs = [90days] 2) Also i intend to keep hot/warm in same path and cold in another, below config is right for the same? Do i need to mention volume: in homepath too(my hot/warm buckets should be in /opt/splunk/var/lib/splunk )? 3) Also where should be accelelarated(tstats) be stored ideally [default] homePath = $SPLUNK_DB/$_index_name/db coldPath = volume:[cold]/$_index_name/colddb thawedPath = $SPLUNK_DB/$_index_name/thaweddb tstatsHomePath = volume:_splunk_summaries/$_index_name/datamodel_summary Thanks in advance! ... View more

I am using this query "index=oswin* source="WinEventLog:System" (EventCode=6005 OR EventCode=1074 OR EventCode=6006) | table _time dvc EventCode | transaction dvc" 6005=eve nt service start 6006=event service stop 1074=server reboot If event id 6006 at time x occurs and before and after 5 minutes of x if 6005 or 1074 occur then i dont need the output, for this i used transaction to count the duration between the 3 eventcodes and getting the output, however when in a day 2 or more reboots are done than duration i get is large as it calculates difference of between the two reboots of the same dvc. I need separate grouping of the two reboots done. Sample ouput attached ... View more

Got Cluster Master, Indexers, Deployment Server, Heavy Forwarder, Deployment Server, Search Heads, Universal Forwarders. In what sequence should i decommission the servers so as to shutdown the whole environment smoothly? ... View more

Strange thing happened in my environment, we have got multisite cluster where all logs were distributed near perfectly. There are 2 site, let's say site 1 and site 2. Now most of the Logs(90%) are getting transmitted only to site 2 and not site 1, we have similar pass4symkey on all indexers and forwarders, so issue due to this may be ruled out. What may be the possible cause for this? Any solutions? ... View more