Note that these settings need to be set on the Cluster Master, and a restart. Does not require a push or restart of indexing peers to have new settings take affect. ... View more

When troubleshooting performance problems in windows, the MC is incredibly useful, specifically looking at the Resource Usage: Machine and digging down into the Disk subsystem metrics. Sometimes the problem is really obvious (service times in the 00s of milliseconds, or the wait time higher than 20-30ms). Sometimes it isn't. Unfortunately, we don't yet collect disk queue length for reads/writes (SPL-147262 has been filed to do this in _introspection data and present in Monitoring Console). Windows Performance Monitor application can display this info, if you know where to look. In this case, Performance -> Monitoring Tools -> Performance Monitor, and select PhysicalDisk as the object under System. Avg Disk Queue Length, Avg Disks Read Queue Length, and Avg Disk Write Queue Length are the three items we looked at for each of the drives (C: and E: in this example). It became very obvious that seeing disks queues for reads and writes on a system that was not very busy and had SSD for C: and effectively no IO going to E:, we had a problem that wasn't specifically Splunk related, but OS/storage related. ... View more

Nope. Concurrent users aren't a metric Splunk really cares about. Recall that if a user is logged in and sitting on a Splunk dashboard or the S&R app and not doing anything other than looking at the results of a search or of a view that has already completed loading, there is no "load" on Splunk for that user. It is only when the user is executing searches or loading dashboards that they are generating search load. Note that with recent versions of Splunk, as a user types in SPL, there is a small amount of "typeahead" load that is generated as Splunk tries to help out the user with Splunk command syntax and search through the users history attempting to match previous searches. ... View more

This was mistakenly added to the docs, and was removed when it was discovered that QA had not completed tested Splunk on top of ZFS. ... View more

Delivered! As of 6.5: http://docs.splunk.com/Documentation/Splunk/6.5.5/Indexer/Rebalancethecluster Happy rebalancing. ... View more

Check to see if $SPLUNK_HOME/etc/splunk-launch.conf has https_proxy or http_proxy settings enabled. May need to disable these if the proxy server they point to is not available. ... View more

Greetings, Splunk's CLI calls do not work with SSO. If you want to use your SSO-enabled splunk instance with ./splunk calls, you will need to add a local user to the splunk instance and authenticate via that user ID. ... View more

Greetings, The addon doesn't have this functionality today. ADDON-14427 has been filed for it. ... View more

As of 6.5, the UI allows for entry of all parts of the cert chain (root, intermediates, leaf), so no more filesystem soft links to get this to work. ... View more

You must have indexing disabled on that server (maybe a forwarder)? Either re-enable indexing on that instance, or try to create the data input on a Splunk instance that has indexing enabled. ... View more

1) Not sure. I never figured out how to change the default. 2) Oops, I was wrong. it's ui-prefs.conf. Create a file: $SPLUNK_HOME/etc/apps/search/local/ui-prefs.conf Create a search stanza like this: [search] dispatch.earliest_time = -7d@d dispatch.latest_time = now Restart Splunk and you're good to go! ... View more

Check into modifying times.conf to change the default. No idea on why the hack above no longer works. What version are you running that it stopped working? ... View more

I downvoted this post because testing! ... View more

With the stock version of the above method, probably not. You may be able to create some customer javascript that could do it. ... View more

Hi, I 6.x and above, you can alter the max number of data points in a series for a timechart in a dashboard and stay w/in the HTML5 realm and not need to invoke Flash. < option name="charting.data.count" >9999 </ option > to get around the 1000 point limitation in timechart. ... View more