Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Question about the PCI Application

jambajuice
Communicator
‎10-28-2010 07:59 PM

What is the "stash" sourcetype used for in the application? We're getting two huge spikes of events from that sourcetype every day at 10 pm and 7 am. They are consuming a significant amount of our license. The messages look like the following:

51  
10/28/10
7:59:00.000 AM  
10/28/2010 07:59:00, search_name="PCI 7.1 - Successful Access by Target - Summary Gen", search_now=1288278900.000, info_min_time=1288277700.000, info_max_time=1288278600.000, info_search_time=1288278935.693, dest_bestmatch=0741BOH, psrsvd_gc=2, psrsvd_v=1
host=semvsplunkprd   Options|  sourcetype=stash   Options|  source=PCI 7.1 - Successful Access by Target - Summary Gen   Options

52  
10/28/10
7:59:00.000 AM  
10/28/2010 07:59:00, search_name="PCI 7.1 - Successful Access by Target - Summary Gen", search_now=1288278900.000, info_min_time=1288277700.000, info_max_time=1288278600.000, info_search_time=1288278935.693, dest_bestmatch=0706BOH, psrsvd_gc=1, psrsvd_v=1
host=semvsplunkprd   Options|  sourcetype=stash   Options|  source=PCI 7.1 - Successful Access by Target - Summary Gen   Options

53  
10/28/10
7:59:00.000 AM  
10/28/2010 07:59:00, search_name="PCI 7.1 - Successful Access by Target - Summary Gen", search_now=1288278900.000, info_min_time=1288277700.000, info_max_time=1288278600.000, info_search_time=1288278935.693, dest_bestmatch=0661BOH, psrsvd_gc=2, psrsvd_v=1
host=semvsplunkprd   Options|  sourcetype=stash   Options|  source=PCI 7.1 - Successful Access by Target - Summary Gen   Options
Tags (1)
0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎10-28-2010 08:10 PM

The "stash" sourcetype is used for summary indexing. The Summary Gen in the search names is a good clue. Are the results with sourcetype="stash" showing up outside of index=summary? If properly configured, summary indexing should not count against your indexing volume.

Reply

araitz
Splunk Employee
Splunk Employee
‎10-28-2010 10:06 PM

Isn't everyone using the latest/greatest??? 😛

0 Karma
Reply

southeringtonp
Motivator
‎10-28-2010 08:21 PM

Note that this is only true from 4.0.10 onward. Older versions did count summary indexing against your license.

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...