What Tileset are you using in the map you can export and the one you cant? are those different? ... View more

could you please provide some sample data? ... View more

Could you check the timestamps of your buckets? Only Buckets in wich ALL Data is older than the frozenTimePeriodInSecs are archived. If you have large buckets over a huge timespan this could take a while. Maybe you could take a look at the maxHotSpanSecs parameter for the future. ... View more

for windows Events you could do it with the blacklist parameter. described in the inputs.conf # Event Log filtering # # Filtering at the input layer is desirable to reduce the total # processing load in network transfer and computation on the Splunk # nodes that acquire and processing Event Log data. whitelist = <list of eventIDs> | key=regex [key=regex] blacklist = <list of eventIDs> | key=regex [key=regex] whitelist1 = <list of eventIDs> | key=regex [key=regex] whitelist2 = <list of eventIDs> | key=regex [key=regex] whitelist3 = <list of eventIDs> | key=regex [key=regex] whitelist4 = <list of eventIDs> | key=regex [key=regex] whitelist5 = <list of eventIDs> | key=regex [key=regex] whitelist6 = <list of eventIDs> | key=regex [key=regex] whitelist7 = <list of eventIDs> | key=regex [key=regex] whitelist8 = <list of eventIDs> | key=regex [key=regex] whitelist9 = <list of eventIDs> | key=regex [key=regex] blacklist1 = <list of eventIDs> | key=regex [key=regex] blacklist2 = <list of eventIDs> | key=regex [key=regex] blacklist3 = <list of eventIDs> | key=regex [key=regex] blacklist4 = <list of eventIDs> | key=regex [key=regex] blacklist5 = <list of eventIDs> | key=regex [key=regex] blacklist6 = <list of eventIDs> | key=regex [key=regex] blacklist7 = <list of eventIDs> | key=regex [key=regex] blacklist8 = <list of eventIDs> | key=regex [key=regex] blacklist9 = <list of eventIDs> | key=regex [key=regex] ... View more

Are you in an clustered enviroment or in an single instance enviroment? ... View more

it should be possible. can you pastebin an example of your data? ... View more

there are several ways to do this. you could fire a script that telnets the host on a port and reports the answer.... Or (and this is what i would do) if you are gathering data from this host in a regular intervall i would watch if there are enogh events from the host in a decent amount of time. Like, if there are less or none this could be an indicator for an not running system. Create a base search that populates the gathered events for the host you want to monitor. And than create an Alert ... View more

Did you check your inputs.conf if there are 2 stanzas pointing to the same source? ... View more

The answer from @cusello is really a good one when you want to visualize it. But as I understand you, your question is about how to get the Data in. for Windows you could make an input stanza like this: [WinHostMon://Process] interval = 600 disabled = 0 type = Process index = windows [WinHostMon://Service] interval = 600 disabled = 0 type = Service index = windows This will give you all processes and services running on your Windows Machine. They are both included in the Splunk Addon for Microsoft Windows. Does this fit your needs? ... View more

Hi Nick, yes this is possible. The way you can do this depends on your OS. What OS are you using? greetings Patrick ... View more

Here you can see the Prices for Enterprise and Cloud. The Splunk Enterprise App for Security is an App that needs an extra license ontop of your Splunk Enterprise or Cloud license. Best way is to contact a Partner in your region or the Splunk Sales Staff. Where are you from? ... View more

Hi Monica, this is not possible. In Splunk Light the App Model is not available. So you coulduse the data inputs. But you can't use the Dashboards and searchhead Apps. And this is where the magic happens. To use Splunk Enterprise Security you need Splunk Enterprise or Splunk Cloud. ... View more

It might not be the most beutiful regex but it works with your example... index=_internal| head 1 | eval field="This {field1} is {delete_this} the example {tagged_element}" | eval field=replace(field, "{([^}]+)}|([\S])", "\2") | table field ... View more

could you give me an example dataline? Than i could try it. ... View more

you could use the where clause index=app sourcetype=EPC*Event* level=ERROR |rex field=requestUrl mode=sed "s/\\d|\d\|%\/|\$amps;\/|)\/|(\/|%|\$|\d|(|)/@/g"|stats count as Counts by eventId,eventName,level,sourcetype,requestUrl|sort -Counts| head 30|rename sourcetype As Sourcetype,eventId As Eventcode,eventName as Description|fields Sourcetype,Eventcode,Counts,Description,requestUr | where Counts < 1000 ... View more

Yes this is possible. Best way is to contact your designated Sales Contact at Splunk site. ... View more

this shows you the actions by user and IP index=_internal sourcetype=splunkd_ui_access | stats count by clientip , user , _time | eval UserIP=user+" - "+clientip | timechart span=1d count by UserIP ... View more

1.) what is the result you get? 2.) in your foreach [eval sla_perc = count 100 /Total] statement... shouldnt the count be a sla_count? Asking because in the timechart you define count as sla_count "|timechart count as sla_count by sla_status " ... View more

Hi Sajeesh, you are right the license volume is not the volume on the disk. this here should do it. index=_introspection sourcetype=splunk_disk_objects component=Indexes data.name=* | eval data_birth_date = if(isnotnull('data.bucket_dirs.cold.event_min_time'), 'data.bucket_dirs.cold.event_min_time', 'data.bucket_dirs.home.event_min_time') | eval data_age_days = round((_time - data_birth_date) / 86400, 0) | eval data.total_capacity = if(isnotnull('data.total_capacity'), 'data.total_capacity', 500000) | eval disk_usage = round('data.total_size', 2) | stats max(disk_usage) as disk_usage sparkline(max(disk_usage), 1d) as trend by data.name the one above measures in MB if you want your data in GB you have to change this line: "| eval disk_usage = round('data.total_size', 2)" to "| eval disk_usage = round('data.total_size' / 1024 , 2)" ... View more

First of all it would help if you could give us the Name of the TA. In most TAs is an README File qhere you can find further Instructions. For the credential Setup. Take a look in your "%splunkroot%\etc\apps[TA_NAME]\default" directory. Are there some config files? If yes, take a look at them. (please DONT edit them) If you can find the nessesary parameters, copy the Files you need to edit to "%splunkroot%\etc\apps[TA_NAME]\local" and edit them there. ... View more