Custom Lists are a powerful capability of the Phantom platform. Customers typically use Custom Lists to maintain a dynamic list of items that persists on the platform. The function also commonly serves as a caching mechanism to reduce overburdening a service. Custom Lists are available on-platform to playbooks and externally to third-party systems. In this blog entry, we will explore the use of Custom Lists to enable threshold-based decision making with the Phantom platform.

To access Custom Lists in Phantom's web-based UI, select Playbooks from the Main Menu, and then Custom Lists. In this section you can manually create and edit Custom Lists in a spreadsheet layout. Within a Phantom playbook, you can create, reference, modify, or delete any Custom List.

As an example, we will implement decision logic that uses the number of events over a certain time period. Perhaps if you see one alert of this type in a day, then you might follow a workflow to investigate why it is happening. If you see 500 alerts of this alert type in 5 minutes, however, then you might take an alternate workflow and escalate the incident to a human analyst with the highest priority.

[Screenshot of the Phantom platform web-based interface, showing an example Custom List.]

The example Custom List tracks IP addresses with a count. There are three columns in this Custom List: IP address, observation count, and a timestamp indicating the last occurrence. Using the count and the timestamp, you can understand the rate of the IP alerts over a period of time. You might also build in logic that uses these fields to age out old IP address alerts from the list. Finally, you can also see the magnitude of a potential outbreak, which might affect the response that is chosen.

This is just one example detailing how you can implement threshold-based alerts with the Phantom platform. If you would like to learn more or want to try the capability out for yourself, visit the Phantom Community site and reference the Phantom documentation on datastore_* API calls. If you haven't downloaded the free Phantom Community edition yet, you can get it now from the Phantom Community.

dbinspect: Returns information about the buckets in the specified index. If you are using Splunk Enterprise, this command helps you understand where your data resides so you can optimize disk usage as required. Searches on an indexer cluster return results from the primary buckets and replicated copies on other peer nodes.

The Splunk index is the repository for data ingested by Splunk software. As incoming data is indexed and transformed into events, Splunk software creates files of rawdata and metadata (index files). The files reside in sets of directories organized by age. These directories are called buckets. For more information, see "Indexes, indexers, and clusters" and "How the indexer stores indexes" in Managing Indexers and Clusters of Indexers.

Index argument
Description: Specifies the name of an index to inspect. For all internal and non-internal indexes, you can specify an asterisk ( * ) in the index name.
Default: The default index, which is typically main.

Span argument
Syntax: span= | span=
Description: Specifies the span length of the bucket. If using a timescale unit (second, minute, hour, day, month, or subseconds), this is used as a time range. If not, this is an absolute bucket "length". When you invoke the dbinspect command with a bucket span, a table of the spans of each bucket is returned. When span is not specified, information about the buckets in the index is returned.