Update savedsearches.conf

gjanders · May 13, 2024 · 9dcb489 · 9dcb489
1 parent d0f9c2b
commit 9dcb489
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/default/savedsearches.conf b/default/savedsearches.conf
@@ -8721,4 +8721,6 @@ search = index=_internal sourcetype=splunkd source=*splunkd.log* `heavyforwarder
 | eval queue_size_in_mb = round(queue_size_in_bytes/1024/1024)\
 | lookup dnslookup clientip AS ip\
 | stats count, max(Warningcount) AS maxWarningcount, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(clienthost) AS destinations by host, queue_size_in_mb\
-| eval first_seen=strftime(first_seen, "%+"), last_seen=strftime(last_seen, "%+")
+| eval first_seen=strftime(first_seen, "%+"), last_seen=strftime(last_seen, "%+") \
+``` this count may need tweaking in reliable environments but a single entry is likely nothing to panic about ``` \
+| where count>1