Hi @jorma ,   There are a few things you need to check for certificates. Check if the certificate is pointing to the right file in web.conf If you have a different name for the Splunk web URL, make sure that you have all of them the SAN part of the certificate file. I had encountered both of the above issues and once I made the change, our Splunk instance was working perfectly.   Thanks, Pravin ... View more

Hi @gcusello ,   I agree with you. But I still don't know how accurate this can be as its uses a look up and what would be the case when the person logs in from an another country not mentioned in the lookup.  Since, we use SAML I was hoping to get the information from the internal team to check if they have some sort of logs to capture such details. If they have, I might have an accurate technique to track details. If not then, lookup is the solution.   Thanks, Pravin ... View more

Hi @gcusello ,   Thanks for answering my question. We use VPN within out organisation so the original IP is masked and also we have implemented SAML authentication recently, so it's tough to get the exact IP of the user. I have asked internally if there is some way of logging the user location.   Thanks, Pravin ... View more

Hi @gcusello ,   I tried the inverse condition as well, but didn't work.   Regards, Pravin   ... View more

Hi @gcusello ,   The empty values are present in interesting fields.   Regards, Pravin ... View more

Hi @gcusello ,   When I run the below search, I get results like these. Not sure if this is empty value or no value. Regards, Pravin   ... View more

hi @gcusello ,   I get an empty cell for the column Module.  Regards, Pravin   ... View more

Hi @gcusello ,   The SPL is actually a report, so the data has not even been sent to the function t has been invoked.  I tried to add just the one line to the report and noticed that the report just disappears.  I am also attaching the code below | mstats sum("mx.process.logs") as count WHERE "index"="mx_metrics" mx.env=$mx.env$ log.type=log span=10s BY pid service.name replica.name service.type module.names severity host cmd mx.env\ | rename module.names as Module | rename host as Hostname | rename severity as lvl | rename pid as PID | eval Module=if(Module!="",Module,"UNDEFINED") | eval temp=split(Module,",") | mvexpand temp | eval recipient=("MX_MONITORING_".temp . "@mx.com") | fields - temp | rename _time as timestamp | mvcombine delim="," recipient | rename timestamp as _time | fields _time count PID service.name replica.name service.type Module lvl Hostname cmd mx.env recipient | sort 0 - _time | stats values(service.name) as Services values(replica.name) as Replicas values(PID) as PIDs values(Hostname) as Hosts sum(count) as Count_Of_Errors earliest_time(replica.name) as Earliest_Error_Time latest_time(replica.name) as Latest_Error_Time values(lvl) as Severities values(recipient) as Owners by Module mx.env | eval Earliest_Error_Time=strftime(Earliest_Error_Time,"%d/%m/%y %H:%M:%S") | eval Latest_Error_Time=strftime(Latest_Error_Time,"%d/%m/%y %H:%M:%S") | table Module Services Replicas PIDs Hosts Count_Of_Errors Earliest_Error_Time Latest_Error_Time Severities mx.env I tried using the line in an another report, and the other report also disapperas in the report filter. Now I feel that this is more of a bug that a code functionality issue. Please let me know what you feel about this?   Regards, Pravin ... View more

Hi @gcusello ,   Even I feel that the eval command doesn't always match and so the SPL is not working. I tried the isnull(), len()>0, and even reversing the condition to look for empty cells, but neither of them worked.   Thanks, Pravin   ... View more

Hi @gcusello ,   Thanks for responding. I figured out that the report was not being shown because of the eval command in the search. ( marked in red) When I remove the line and save the report, I can see the report when the filter is applied. Not sure how could the eval command affect the report.   Regards, Pravin   ... View more

Hi @gcusello  and @richgalloway,   One final question to get clarity about data models. Let's assume I have an index that has data retention time of 1 month and a data model acceleration summary for 3 months. How will the data model act in this case. Will data models have accelerated data that goes until 3 months or will the data models drop the data once the index drops them?   Regards, Pravin ... View more

Sorry, I meant to say that the size of indexes (index1, index2, index 3, and so on) all together sums upto 250 GB. But the sizing case with datamodels was 250 Gb for 1 on them, 11GB of another, some megabytes for the next one., and so on. Actually, the datamodel has only the requested field accelrated but the summary range is 1 year. This obviously makes sense for the growing size of data models.   Thanks, Pravin ... View more

Hi @gcusello ,   Our datamodels don't use the same space as in the index so the accelerated data don't have a cap on the limit. I really liked your extended answer but could you please explain the line below in quotes, I find it a bit confusing. "Usually the space occupation for one year of an accelerated DataModel is around the daily license consuption for that index moltiplicated for 3.4."   Regards, Pravin   ... View more

Actually, we had the similar issue recently when the server memory shot up. Actually it was some splunkd process in the background that used all the memory. We couldn't figure out what was the exact process that caused the problem. You could try is stop splunk cluster, kill all the splunkd process, and then restart the splunk binary or directly stop splunk, restart the sever, and start splunk. ... View more

Hi @tscroggins ,   Thanks for the help. It seemed to fix the issue.   Regards, Pravin ... View more

Hi @ssuluguri ,   Whenever there is an upgrade the CPU usage increases a bit but the major problem came from the data model accelerations. So what I did was reduce the concurrent summarization threads used by data models and increase the summarization period. This helped me reduce the CPU usage for the Splunk install. You could also give it a try and let me know if that helped you.   Thanks, Pravin ... View more

I see a similar issue but I have set cliVerifyServerName = false. But from your answer, if it doesn't make a difference I am interested to see what changes we need to employ. ... View more

Hi @scelikok ,   Your answer was informative but doesn't fix my issue. All I can conclude was that this is not to do with the version of Splunk but rather the underlying hardware. I also can't find a single process that is overutilizing the resource. Please feel free to share more information if you come across similar issues.   Thanks, Pravin ... View more