This is a thread in which latest response was 11 years ago. I wouldn't count on a reasonable answer. ... View more

Dunno about Edge Processor but the general answer to any "inter-event" question regarding forwarding/filtering is "no". Splunk processes each event independently and doesn't carry any state from one event to another (which makes sense when you realize that two subsequent events from the same source can be forwarded to two different receivers and end up on two completely different indexers). ... View more

We talked about this on Slack. 🙂 Six indexers might or might not be sufficient for 1TB/day. Depends on the search load. Remember about two things: 1. Acceleration searches are quite heavy. They plow through heaps of data to create DAS (which they write additionally stressing I/O). 2. Acceleration searches are at the far end of the priority queue when it comes to scheduling searches. So your acceleration searches might simply be running when there is already a whole lot of other things going in your system. That's one thing. Another thing is that CIM datamodels rely on tags and eventtypes which on the other hand rely on the raw data and how the fields are extracted. You might simply be having just "heavy" sourcetypes. You could try to dry-run an acceleration search as an ad-hoc search (get it with the acceleration_search option for the datamodel command) and inspect the job to see where it spends most of its time. It doesn't have to be directly tied to the datamodel or acceleration settings themselves (although it still might). Of course, you could try to run more shorter searches as was already suggested (and what is recommended in  https://help.splunk.com/en/splunk-enterprise/manage-knowledge-objects/knowledge-management-manual/9.3/use-data-summaries-to-accelerate-searches/accelerate-data-models#id_80506253_eb97_4bd6_9185_739b6a6e6087__Advanced_configurations_for_persistently_accelerated_data_models) but this will probably not lower your i/o load. ... View more

As I said before - if it worked, good for you. And I'm not gonna go through your logs. For several reasons. Don't take it personally but this is a public forum where people give time whenever they want, the way they want. Answers is not a free support/consulting service. If you want something specific done - reach out to your local Splunk Partner or hire Professional Services. To put it bluntly - it costs money. Secondly, you've already done the migration and apparently you're running the new system as prod. My looking into your logs won't change anything. Thirdly, I might miss something, especially considering the first point. You asked, you have been advised, you did otherwise. I won't pat you now on the back and say "it's ok". It might. But don't have to. And I don't have spare time just to ease your mind, to be frank. I hope it is ok. But I won't check it. ... View more

There are several things which "work" but which are unsupported and might bite you here and there at some point. Just saying. As @isoutamo pointed out (I admit I didn't bother to check this one), straight jump to 9.2 from your old version isn't supported so whilie the migration seems to have gone well, you might have skipped some step normally performed on migration to 9.0, for example, which later versions might rely on. Again - you might get away with doing unsupported things if you're lucky. But you might not. And debugging will be more difficult later if you have some issues lingering from a few versions back. ... View more

Table is just a method of visualizing data. You need to parse your data into fields. So the question is what the real data looks like (please copy-paste the raw event into a code block or a preformatted paragraph) and what it means. For now you have a lot of pipe-delimited "fields" but no way of knowing which of them are the "header", which are "data" and how many of "data" rows are there. ... View more

OK. If by "fresh" you mean "I had Splunk before on this machine but uninstalled it", this doesn't count as completely fresh as some data from the old installation might have been left. The error suggests some old KVstore contens lying around. If this is supposed to be a fresh install, I'd go for cleaning the computer completely from all leftovers - most importantly delete (or move away) old director C:\Program Files\Splunk. You could also remove old Splunk user and comb through the registry whether anything pertaining to Splunk was left. After that I'd rerun the installer with logging - see https://docs.splunk.com/Documentation/Splunk/9.4.2/Installation/InstallonWindowsviathecommandline#Install_Splunk_Enterprise_with_verbose_logging_to_C:.5CTEMP.5CSplunkInstall.log   ... View more

1. This is a very old thread. People involved probably don't use this forum anymore. Instead of hijacking ancient threads it's better to create a new one describing the problem and debugging steps alreadh taken. Possibly linking to the old thread for refetence. 2. The issue is so vaguely specified it's difficult to advise anything. We don't know what and how you're sending, we don't know how your receiving side is configured. We don't know the extent of your problem - are all your events duplicated or just some od them? We don't know if you did any debugging at all. ... View more

OK. You can't have multiple httpout groups. It's not tcpout. At this point you have either tcpout (possibly multiple output groups) or a single httpout output. And there is no _HTTP_ROUTING key. It mistakenly appeared in the docs back around 7.something version but was removed since it was an error. ... View more

There are several cons to receiving syslog directly on a HF (or UF). - it's more complicated to manage - Splunk doesn't reliably capture network-level metadata so for receiving different types of sources you need to bend over backwards, use multiple ports and/or do strange things in index-time. - it's usually more resource intensive than using dedicated syslog daemons - it's more robust to use a separate syslog component - especially with UDP transport and especially with HF which can take significant time to restart when needed causing holes in your received data. In some situations (as your might as well be) it's "good enough" but I'd rather use a dedicated syslog component in prod. ... View more

While that is doable with JS code in simpleXML dashboard it's worth considering what's the goal here. I mean each load of the dashboard (unless it uses a scheduled report to power the widgets) will execute searches. If their results aren't supposed to change you might - instead of go for rotating dashboards, create one bigger dashboard and use JS to toggle visibility of panels - this will give you the same result carouseling the panels but will not stress the server by spawning the same searches repeatedly. ... View more

As I said before - move an upgrade in one move was risky. I don't see the point in uninstalling and reinstalling the package. ... View more

I'm not familiar with these add ons so I'm not sure how your process works. If you're indeed receiving data on the HEC input, it's up to you on the source side to export only a subset of your events. That's usually the most effective way because it's better to not send the data than to send it, receive and then filter out wasting resources on stuff you don't need and don't want. If you cannot do that, the document I pointed you to describes how you can filter your events. ... View more

Don't go for the 10 beta unless you're gonna do beta testing. Just spin up a normal 9.x environment and try there. Unless you're testing for compatibility between the app and Spiunk 10... Anyway, as far as I remember, there was a beta license file somewhere around the place where you downloaded the installer from. You must use that file, not your "general" license. And I think there is no free/trial license tier with the beta release at this time. ... View more

There is a whole chapter in docs on that. https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/forwarding-and-receiving-data/9.4/perform-advanced-configuration/route-and-filter-data But that's only if you can't configure your inputs (and with cloud services I suppose you'd be using a pull-mode API inputs or something similar) to only give you a subset of your logs. ... View more

We'd have to see your config to see why your httpout didn't work. In general it does work. And SC4S is something completely different. You shouldn't receive syslog directly on a HF anyway. ... View more

When you edit the search in this state is it still initially enabled or disabled? Did you check the config with btool? ... View more

You can use this app - https://splunkbase.splunk.com/app/5738 But it seems to have support for many destinations... except local file. You can get around it by connecting back to the host you're running your Splunk instance on.   ... View more

1. Is it a fresh installation or an upgrade? 2. You have the immediate debugging steps on screen. ... View more

Could be. I didn't copy-paste it but written here by hand so there might have been a typo. ... View more

OK. It seems that even with "where" Splunk optimizes this search and it turns into index=whatever source=CASE("stderr") "stderr" Which obviously again searches for the source as indexed field only. (same goes  You can make it work if you disable optimizations index=whatever stderr | noop search_optimization=false | where source="stderr"   ... View more

That is intriguing because I was pretty sure it would work. I tried to recreate your case locally with makeresults | collect and it indeed doesn't find it with where. I'll keep digging. ... View more

If it works, it works. 🙂 It's worth noting though that it's a rather "heavy" way of doing it. Spath is a fairly intensive command and you're doing it over all your events. I suppose for a one-off ad-hoc search it might be OK but if you do it often, you might want to optimize it a bit. ... View more

I think the easiest way to verify whether that field is indexed (there might be some additional index-time extraction, apart from simple indexed-extraction configuration for the whole event; yes, I know it's confusing ;-)) is to try to search for index=your_windows_index EventID::4624 The important thing is that you're not looking for  EventID=4624 but for  EventID::4624 If you get any results that will mean that this field is indeed indexed and you have to search where it's extracted in index time. ... View more

Are you sure you don't have indexed extractions enabled by any chance? Since automatic KV extractions happen after manual extractions the EventID field should not be populated when you're hitting the transforms so the first transform (EventID_as_EventCode) should _not_ set the field to any value. ... View more