Hi,

Try the following steps to clear out the memory so FMC logs start to flow again:

1. Go to: /opt/splunk/etc/apps/TA-eStreamer/bin/encore
2. Remove "A.A.A.A-8302_proc.pid"
3. $ ps aux | grep estreamer
4. pkill -9 -f service.py
5. Restart Splunk services

I hope it helps!

With Regards
Is it still the case that the inputs & props included in the "Splunk TA for Suricata" are not CIM-compliant? https://splunkbase.splunk.com/app/2760/#/details If not CIM compliant, has anyone indexed these events in an ES CIM-compliant format without reinventing the wheel? Thanks in advance!
I had that thought also. Then I ran into a snag. We have the UF on Windows devices, and that won't work, in my understanding. Again, native and not without a third-party syslog/syslog-ng client on the Windows node.
Again we are trying to send spl-cooked to index tier and raw to a cloudera hdfs tier.
Or am I missing something?
This shows half of the answer.
You should use the notable macro (invoked with backticks in SPL):

`notable` | timechart count by rule_name
https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/notableeventsplunkes/usingnotableeventsinsearch