I have a bunch of indexes, but one in particular I want to keep smaller. How do I do this? From the docs it looks like this could work?  Adding maxTotalDataSizeMB to the index config? Anyknow know for sure? /opt/splunk/etc/master-apps/_cluster/local/indexes.conf: [webapp1] maxTotalDataSizeMB = <nonnegative integer> * The maximum size of an index (in MB). * If an index grows larger than the maximum size, the oldest data is frozen. * This parameter only applies to hot, warm, and cold buckets. It does not apply to thawed buckets. * CAUTION: This setting takes precedence over other settings like 'frozenTimePeriodInSecs' with regard.....

Hi All, I have a search with a subsearch that references a lookup file test.csv with a single field. "Account_Name". I want to remove names from the lookup table that meet a certain criteria.  The search below currently gives the results that I want removed from the lookup file test.csv, but I cannot seem to figure out how to get the inverse of these results from the lookup file. I want everything in the lookup that does not match the result of the below query. Any advice? For example, if the below search outputs Bob and the lookup contains Bob, Alice, and Dave, I would want my final results to be Alice and Dave to overwrite back into test.csv. That's my line of thinking at least, I could be approaching this in a bad way.   index=exampleindex EventCode=4722 | stats by Target_Account_Name | rename Target_Account_Name as Account_Name | search [inputlookup test.csv | table Account_Name] | table Account_Name    

I am trying to find few strings in my search query and count occurrences of them and I want to put them in a two column table. I am able to do it with stat command, but it's coming like string as column name and count in the row bwlow. Below is what I am using and what I ma getting.       index=<index> <search String > "Failed" | stats count AS Failed count(eval(searchmatch("Failed Acknowledged"))) AS "Failed Acknowledged" count(eval(searchmatch("UnexpectedException Caught"))) AS "UnexpectedException Caught" count(eval(searchmatch("NonRetryableException Caught"))) AS "NonRetryableException Caught"       However I want a result like below. Can anyone help? Thanks in advance.

I'm trying to identify all the dashboards broken from lookup files being deleted. But since there's way too many dashboards, is there any not-so-manual way to find out all the inconsistencies regarding lookup files without running the dashboards one by one?

Hello everyone, I have the following results when running my search: _time                                        user             connection 1 2023-01-09 20:36:04   john        Transport closing 2 2023-01-09 20:32:45   brian      DPD failure 3 2023-01-09 19:44:26   tom         assigned to session Please, I want to configure an alert to send the _raw field by email to the specific user (by adding @Anonymous.com), every time it returns results from that user, (ex. john@gmail.com, brian@gmail.com, tom@gmail.com) Thank you in advance.

When I place event.code into an if statement, it will not evaluate as true   Currently I have this code: index = windows-security event.code IN (4624) | eval Success=if(event.code = "4624", 1, 0) | stats count by Success   Success always evaluates to 0. I have tried using match(event.code, "4624") match(event.code, '4624') match(event.code, ".+") like(event.code, "4624") like(event.code, '4624') I even tried event.code = event.code   Always 0.

was using this below Search,  ***| rex field=_raw "<measResults>\d+\s\d+\s\d+\s\d+\s\d+\s\d+\s\d+\s\d+\s(?<active_state>\d{0,3})\s\d+\s(?<idle_state>\d{0,3})" | eval date_month=upper(date_month) | eventstats avg(active_state) as Active_UEs avg(idle_state) as Idle_UEs by date_month | eval Active_UEs=round(Active_UEs,0), Idle_UEs=round(Idle_UEs,0) | stats count by date_month,Active_UEs,Idle_UEs | table date_month,Active_UEs,Idle_UEs but now  i was trying to sort month in chronological order i used the below Search ***| eventstats avg(active_state) as Active_UEs avg(idle_state) as Idle_UEs by date_month | eval Active_UEs=round(Active_UEs,0), Idle_UEs=round(Idle_UEs,0) | eval Month=date_month | eval orden = if(Month="january",1,if(Month="february",2,if(Month="march",3,if(Month="april",4,if(Month="may",5,if(Month="june",6,if(Month="july",7,if(Month="august",8,if(Month="september",9,if(Month="october",10,if(Month="november",11,12))))))))))) | sort num(Month) | stats count by Month,Active_UEs,Idle_UEs | table Month,Active_UEs,Idle_UEs here also month are sorted in alphabetically order not in chronilogical order.        

Hello Splunkers, For a specific index I configured repFactor = auto and I suppose that the logs are exactly the same on my two indexers for this specific index. How could I verify that all buckets and data has been correctly replicated ?  When I launch a search on that index, should I see the splunk_server field showing 50% of indexer1 and 50% of indexer2 ? Thanks for the help, GaetanVP