[Splunk] 增加監控告警數量
#Step 01 – 增加監控告警數量
C:\Program Files\Splunk\etc\system\default\limits.conf
Or
Linux
vi /opt/splunk/etc/system/default/limits.conf
修改後記得要重新啟動 (restart) Splunk services
預設值如下；即時告警數量可據此計算，以 4 core CPU 為例，只能使用 5 組
############################################################################
# Concurrency
############################################################################
# This section contains settings for search concurrency limits.
# The total number of concurrent searches is
# base_max_searches + #cpus*max_searches_per_cpu
# NOTE(review): these are the values as shipped under etc/system/default.
# With the formula above a 4-CPU host gets 6 + 4*1 = 10 concurrent historical
# searches, and max_rt_search_multiplier = 1 caps real-time searches at the
# same number.
# The base number of concurrent searches.
base_max_searches = 6
# Max real-time searches = max_rt_search_multiplier x max historical searches.
max_rt_search_multiplier = 1
# The maximum number of concurrent searches per CPU.
max_searches_per_cpu = 1
調整如下後可放大到18組
############################################################################
# Concurrency
############################################################################
# This section contains settings for search concurrency limits.
# The total number of concurrent searches is
# base_max_searches + #cpus*max_searches_per_cpu
# NOTE(review): Splunk documents files under etc/system/default as replaced on
# upgrade; the override below belongs in etc/system/local/limits.conf, followed
# by a restart — confirm against the deployed version before editing default.
# With 4 CPUs: 10 + 4*2 = 18 concurrent historical searches, and with
# max_rt_search_multiplier = 2 up to 36 real-time searches. Higher limits
# presumably raise CPU/memory load on the search head — monitor after the change.
# The base number of concurrent searches.
base_max_searches = 10
# Max real-time searches = max_rt_search_multiplier x max historical searches.
max_rt_search_multiplier = 2
# The maximum number of concurrent searches per CPU.
max_searches_per_cpu = 2
####################################################################
數據保留策略 retention policies
查看數據保留策略
-- NOTE(review): this section is InfluxQL (InfluxDB), not Splunk SPL; lists the retention policies defined on db_xxx
show retention policies on db_xxx
創建資料保留策略
-- Keeps 4 weeks of data with a single replica; the trailing DEFAULT presumably makes this the
-- policy used by writes that do not name one — confirm before applying to a database that already has a default
create retention policy "rentionpolicy_xxx" on "db_xxx" duration 4w replication 1 default
刪除資料保留策略
-- NOTE(review): in InfluxDB dropping a retention policy also removes the data stored under it and is
-- not reversible — verify the policy name and database before running this
drop retention policy "rentionpolicy_xxx" on db_xxx
-nnvvi 0.0:nnn -s0
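host="xxx.xxx.xxx.xxx" (reason="policy deny" OR reason="Denied by policy") source_address="xxx.xxx.xxx.xxx"
| stats count by source_address destination_address source_port destination_port source_zone_name destination_zone_name
| sort 100 -count
```Parentheses are required: SPL binds AND tighter than OR, so without them the search matched every "policy deny" event regardless of source_address. stats counts denied flows per 4-tuple plus zones; sort keeps the 100 busiest.```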
-