are you trying to read and write to the same lookup file ? ... View more

assuming you are running latest splunk version with splunk admin permissions still your dashboard-2 hang ? limits.conf # This section contains settings for search concurrency limits. base_max_searches = <int> * A constant to add to the maximum number of searches, computed as a multiplier of the CPUs. * Default: 6 max_rt_search_multiplier = <decimal number> * A number by which the maximum number of historical searches is multiplied to determine the maximum number of concurrent real-time searches. * Note: The maximum number of real-time searches is computed as: max_rt_searches = max_rt_search_multiplier x max_hist_searches * Default: 1 max_searches_per_cpu = <int> * The maximum number of concurrent historical searches for each CPU. The system-wide limit of historical searches is computed as: max_hist_searches = max_searches_per_cpu x number_of_cpus + base_max_searches * NOTE: The maximum number of real-time searches is computed as: max_rt_searches = max_rt_search_multiplier x max_hist_searches * Default: 1 max_hist_searches = max_searches_per_cpu x number_of_cpus + base_max_searches = (1* 28) + 6 = 28 + 6 = 34 max_rt_searches = max_rt_search_multiplier x max_hist_searches = 1 * 34 = 34 Its not advised to modify default limits.conf without proper assessment/support. With the default limits.conf settings you can run the above number of concurrent searches - If your splunk is still loaded , and If your dashboard -2 should at least show "Queued job waiting to start" - you can conclude that your job is waiting for resources ... View more

Try if this works host=Electricity earliest=-4w@w1 latest=+w@w1 | timechart span=1d sum(live_day_kw) as Daily_Kw ... View more

wild cards are not supported in FIELDALIAS attribute. Try this REPORT method props.conf [yourSourceType] REPORT-extractrequestheaders = extract_req_headers transforms.conf [extract_req_headers] REGEX = <use regex group match your field and values> FORMAT = $1::$2 REPEAT_MATCH = true thanks ... View more

Check the value set for the MAX_ROWS in the .py file , try modify this param {SPLUNK_HOME}\etc\apps\splunk_app_db_connect\bin\dbxquery.py ... View more

try this, .+((?i)members\/).+ ... View more

If your UF is running on Windows the files might have chances to get locked by its associated processes. You may run procmon tool to determine to analyse this. Also Check the file system permissions to verify that the UF has rights to delete the files ... View more

Try this, I took _time and convert to epoch time from there I can able to eval my month Yoursearch| eval new_date_epoch=_time|eval month=strftime(new_date_epoch,"%b")|table _time,new_date_epoch,month,_raw ... View more

There is no Splunk CLI command to edit splunk server roles. The server role are set inside a csv file $SPLUNK_HOME/etc/apps/splunk_management_console/lookups/assets.csv you can edit this file using some editor and if you if you may wish have a backup - though its populated by script by default it doesn't somehow doesnt manage to set proper roles to you env,. you may need to change it manually ... View more

You may need this capability rest_apps_management to add apps Suggest better only admins install apps/addo-ons in prod. ... View more

Try if this helps, you will get the search_id, searches, datamodel names - from there you may do stats index=_audit NOT(user="splunk-system-user" OR user="admin") action=search info=granted search=*datamodel* NOT "search_id='scheduler" NOT "search='|history" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0"|rex field=_raw "datamodel=(?<datamodel>\S+)"|fields search_id, search,datamodel ... View more

To list all available apps in the splunk server : | REST /services/apps/local | search disabled=0 | table label version to list data models : |REST /services/data/models ... View more

No. You can still able to search internal logs. Try this query from your search application - it gives you how much amount of data indexed by host, source. index=_internal source=*license_usage* type=Usage | stats sum(b) as bytes by h s | sort - bytes ... View more

index=_internal source=*license_usage.log type="Usage" | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval sourcetypename = st | bin _time span=1d | stats sum(b) as b by _time, pool, indexname, sourcetypename | eval GB=round(b/1024/1024/1024, 3) | fields _time, indexname, sourcetypename, GB ... View more

Thanks . Yes, I am not interested in scheduled saved searches, I would need the users still can able to access the system and and do ad-hoc searches ... View more

I have 3 node SH cluster , I want to confirm if 2 of my nodes failed - does the cluster (with the remaining 1 node) can able to accept the new search requests ? ... View more

Try this query on license master, this gives correct license usage stats per host index=_internal source=*license_usage.log* type=Usage | bucket _time span=1d | stats sum(b) AS volume_bytes by _time host pool i | eval volume_GB=round(volume_bytes/1024/1024/1024,2) | rename i AS indexer_GUID | JOIN indexer_GUID [ | REST /services/licenser/slaves | table title label | rename title AS indexer_GUID| rename label AS indexer_name] ... View more

Example to monitor the apache web server access_log and error_log ., I create the below staza in the inputs.conf. Here you need not specify intervals like 5m/ 30 min ., whenever the file content changes the logs are monitored and sent for indexing. [monitor://<path>] This directs Splunk to watch all files in . can be an entire directory or just a single file. You must specify the input type and then the path, so put three slashes in your path if you are starting at the root (to include the slash that goes before the root directory). E.g. inputs.conf [monitor:///var/log/httpd] sourcetype = access_common index = httpd_logs sourcetype=access_combined ignoreOlderThan = 7d How the monitor processor works ? Specify a path to a file or directory and the monitor processor consumes any new data written to that file or directory. This is how you can monitor live application logs such as those coming from Web access logs, Java 2 Platform Enterprise Edition (J2EE) or .NET applications, and so on. Splunk software monitors and indexes the file or directory as new data appears. You can also specify a mounted or shared directory, including network file systems, as long as Splunk software can read from the directory. If the specified directory contains subdirectories, the monitor process recursively examines them for new files, as long as the directories can be read. You can include or exclude files or directories from being read by using whitelists and blacklists. If you disable or delete a monitor input, Splunk software does not stop indexing the files that the input references. It only stops checking those files again. To stop all in-process data indexing, the Splunk server must be stopped and restarted. Interval parameter e.g interval = 300 //Every 5 min once Use the interval parameter to schedule and monitor scripts. The interval parameter specifies how long a script waits before it restarts. The interval parameter is useful for a script that performs a task periodically. The script performs a specific task and then exits. The interval parameter specifies when the script restarts to perform the task again. The interval parameter is also useful to ensure that a script restarts, even if a previous instance of the script exits unexpectedly. Entering an empty value for interval results in a script only being executed on start and/or endpoint reload (on edit). ... View more

Does this also apply to server.pem certificate ? I ran the script provided., passing the argument -serverCert but still there is no change in the server.pem expiry date. Please advise. ... View more

Yes, I too have the same query. script execution says : At least one of -defaultCA, -liveCA, or -serverCert is required; order should be -defaultCA, -liveCA, -serverCert. after providing the "-serverCert" as argument ., no change in the server cert it still shows the older expiry date before I ran the script. Any idea? ... View more

No. I need an answer to list all types of endpoints available in splunk. I mean that /services/server/ - doesn't list /status endpoint. when I search explicitly /services/server/status it shows results. like this I there may be as many endpoints., Is there a way to list all ? ... View more

Its not a known issue ., verified from the docs. http://docs.splunk.com/Documentation/Splunk/6.0.3/ReleaseNotes/KnownIssues ... View more