I am working on setting up a third party evaluation of a new network management and security monitoring installation for an enterprise network that uses Splunk for various log aggregation purposes. The environment has 6 indexers with duplication across 3 sites, and hundreds of indexes set up and configured by the installers. The questions that I need to write a test for: "Is there sufficient storage available for compliance with data retention policies? (e.g. is there sufficient storage available to meet 5 year retention guidelines for audit logs?)" I would like to run simple search strings to produce the necessary data tables. I am no wizard at writing the appropriate queries, and I don't have access to an environment that is complicated enough to try these things out before I have limited time on the production environment to run my reports. After reading through the forums for hours, it seems like answering this storage question may be harder than originally anticipated, as Splunk does not seem to have any default awareness of how much on disk space it is actually consuming.   1. Research has shown that I need to make sure that the age off and size cap for each index is appropriately set with the FrozenTimePeriodInSecs and maxTotalDataSizeMB variables in each index.conf file. Is there a search I can run that will provide a simple table for all indexes across the environment with these two variables? e.g. index name, server, FrozenTimePeriodInSecs, maxTotalDataSizeMB 2. Is there any other configuration where allocated space is determined for an index that can be returned with a search?   3.  Is there a search string I can run to show the current storage consumption (size on disk) for all indexes on all servers? I have seen some options here on the forums and I think the answer for this one might be the following:    | dbinspect index=* | eval sizeOnDiskGB=sizeOnDiskMB/1024 | eval rawSizeGB=rawSize/1024 | stats sum(rawSizeGB) AS rawTotalGB, sum(sizeOnDiskGB) AS sizeOnDiskTotalGB BY index, splunk_server     4. What is the best search string to determine the average daily ingest "size on disk" by index and server/indexer to calculate required storage needed for retention policy purposes? So far, I have found something like this: index="_internal" source="*metrics.log" per_index_thruput source="/opt/splunk/var/log/splunk/metrics.log" | eval gb=kb/1024/1024 | timechart span=1d sum(gb) as "Total Per Day" by series useother=f | fields - VALUE_* I'm not sure quite what is happening above with the useother=f or the last line of the search. the thread I found it on is dead enough that I don't expect a reply.  I would need any/all results from these three searches in table format sorted by index, server to match up with the other searches for simple compilation. Any help that can be provided is greatly appreciated.

Hello All, I'm a relative newbie and hoping the community can help me out. I'm kind of stuck on a query and I can't figure out how to get the correct results.   I have an event that has a referer and a txn_id. Multiple events with the same referer field can have the same txn_id.     Referer Txn_id response_time google abcd1234 42 google abcd1234 43 google abcd1234 44 google 1234abcd 45 google 1234abcd 46 google 1234abcd 47 google 1234abcd 48 yahoo xyz123 110 yahoo 123xyx  120 yahoo 123xyz 130   What I am trying to do is get the average number of txn_ids per referer and the avg of response times for that. So something like this:     Referer avg(count txn_id) avg(response_time) google 3.5 44.5 yahoo 1.5 120   Any help would be appreciated. Thanks!

Hi, I am working on a query where i need to display the table based on the multiselect input. multi-select input options are : (nf, sf, etc) When i select "nf " then only columns starts with "nf" should display along with "user" and "role" and also display the columns in same order as it is mentioned, similarly to be applied  if i am selecting multiple options from the multi-select input as well but,  iam facing a issue while fetching the table in same order. i have tried using  |<search query> | stats list(*) as * by user, role but this one jumbles the column placement in alphabetical order, which i don't want to. also, tried using set tokens by giving the field_name starts with "nf" in one token and sf in another token. |< search query> | table user, role, $nf_fields$ $,sf_fields$ by trying this method also faced an issue example: if i am selecting only sf from the multi select input then the fields starts with nf also displayed with empty values   --> Is it possible to fix the placement of the columns. or, --> removing the empty columns based on the multi-select input both approaches works for me. Expected Output: please help me to solve this. Thanks in advance.

I can't seem to be able to set a variable or a token to the window parameter in the streamstats command.    | streamstats avg(count) as avg_count window=$window_token$ | eval c = 2 | streamstats avg(count) as avg_count window=c   I get the error saying the option value is not an integer. Seems it doesn't take the value of the variable/token. Is there any way to change the parameter dynamically? "Invalid option value. Expecting a 'non-negative integer' for option 'window'. Instead got 'c'."