My coldtofrozen has stopped working. Might be related to python3, but I'm not 100% sure. I've done some tweaking to the coldtofrozen.py #! /opt/splunk/bin python and I've checked other settings, b...
The purpose of this topic is to create a home for legacy diagrams on how indexing works in Splunk, created by the legendary Splunk Support Engineer, Masa! Keep in mind the information and diagrams i...
I'm just now learning about summary indexing and have set up a search to run every hour, putting the results in a specific summary index. When I run the saved search in the splunk search bar, I get t...
How come this doesn't work given indexers.csv is a list of Splunk servers with role Indexer?
| inputlookup indexers.csv| rename splunk_server as Indxr| foreach Indxr [search index=_introspection s...
I have the search to get max number of hours without events for feeds. It works just for one index. It wouldn't work with more than one index. How can I get it to work for multiple indexes? index=f...
....29_to_aggregate_or_group_by_raw_tokens_in_indexed_data). In the docs, it says that it can work with data that does not contain major breakers such as spaces. My data contains spaces so I decided to try to change the major breakers this w...
How exactly does Report, Data acceleration and Summary indexing work? Could someone explain to me in layman terms please? I understand it helps maximize efficiency in searches by searching on a s...
I need to understand in detail how indexer acknowledgement works when it comes to cluster replication, specifically when the chain of acknowledgement is terminated and the forwarder is able to r...
We had to shut down one of the machines and create a new one. The cluster replication between the new and old ones does not work after a reboot.
The error message that was found in the splunkd.log...
...et I cannot perform tstats searches on fields inside the event, even though they are json fields that are extracted in index time.
How can I make sure a search like
| tstats count where h...