Hey Splunkers, I am trying to fine tune usage of our Splunk Cloud instance to reduce instances of concurrent searches and I am looking to turn off acceleration for unused data models to assist in this effort. How do I use search to find data model usage by users for a specific app? I'd assume index=_internal and sourcetype=splunkd would be a good place to start but I'm having trouble finding the standard Splunk fields for "data_model". Are there any? Thanks! ... View more

Hi Splunkers, I'm having issues with the Box App for Splunk where it seems to be missing a place to enter the URL for the API. The instructions seem to indicate that there is an "Endpoint URL" but I don't seem to be able to enter one in anywhere. Does anyone know what the format might be for the URL inclusion in the inputs.conf for the API input? Thanks! ... View more

Hello, I am trying to see if the Cisco Security Suite will provide benefit in using the following logging levels or if they can be disabled: logging buffered informational logging trap informational logging history informational logging asdm informational Ultimately, we are trying to tailor our logging to fit Splunk and I am trying to see what the best logging configuration is for the ASA's in our environment to be set at to provide the best visibility. It sounds like not necessarily everything needs to be enabled though. Where do I find this information? Thank you! ... View more

Hello Splunkers, Just checking to see if this is possible or If I'm running into a limitation I didn't know about... I have a very simple "source of truth" .csv file used as a lookup file. It has a single field with about 70 unique values. I am trying to compare that against a single field with about 60 of the same unique values in an index. I need remove the 60 values in the index from the 70 values in the lookup table so that only the 10 values that are not in the index remain. I had tried by using a simple |inputlookup NOT index field value NOT index field value NOT index field value etc, but I am getting the error: Error in 'inputlookup' command: Invalid argument: 'NOT'. I'm guessing you can't NOT a lookup table. Is there some other equivalent command we can use for a lookup table? Alternately, is there a way for me to accomplish this outside of a simple NOT statement? Thanks! ... View more

Hello Splunkers, I am running two separate searches, both of which are running fine. The results of these two searches are two lists of host names that match partially, which is expected. There are more in list A than in list B. I am trying to mash them together in a way that tells me which are missing in list B. |inputlookup DNS.csv | eval hostname=upper(hostname) | join hostname type=inner[|search index=dns |stats count by host | rename host AS hostname | fields + hostname] I also tried an outer on the join, but that's not quite doing it either. Any suggestions on how I show which are missing from column B? Thanks, Lindsay ... View more

Hello, Just checking to see if it is okay to upgrade my Linux universal forwarders directly from 6.0.3 to 6.3.0 or if I need to make an intermediary jump. Thanks. ... View more

Hello Splunkers, I am trying to find a way to determine the rate of events of a single index compared to all non-internal indexes. There are numerous indexes, and so I am going to have to use a base search of index=* NOT index=D | timechart span=1h count but then I need to overlay index=D | timechart span=1h count over the top of it for the timechart. I'm guessing I need to do an appendcols with the index=D data, but am unsure of syntax. Any suggestions? Thanks! ... View more

I am new to this particular Splunk environment and need to familiarize myself with its content and layout. The majority of logs are being parsed by syslog servers and universal forwarders, but not all reference a deployment server. What is the best search to find out what devices are currently reporting into Splunk by network? I currently have the following search. Does this look about right? index=_internal sourcetype=splunkd (111.111.111.* OR 222.222.222.* OR 333.333.333.*) | dedup sourceIp I am returning entries that look like the following: 08-17-2015 12:01:23.745 -0700 INFO StatusMgr - destPort=9998, eventType=connect_done, sourceHost=111.111.111.3, sourceIp=111.111.111.3, sourcePort=30703, statusee=TcpInputProcessor What is this search returning for me exactly? Is there a better way for me to determine what endpoints are reporting into Splunk by subnet? I don't have direct access to the forwarders at the moment and can't check the rlog server directories. Thanks. ... View more