The "power" role does much of what you're looking to accomplish. http://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Aboutusersandroles#About_roles ... View more

Did you get a resolution on this issue? ... View more

I've been pushing 10s of millions of rows into KV Store on Splunk 6.3.3 (on Windows). When I do large data inputs we occasionally run into issues with the data not completing. I worked with Splunk support to modify one setting to resolve the issue. [kvstore] max_documents_per_batch_save = 500 This has the impact of slowing down the data input, but it completed. Splunk 6.4.x has improvements to the KV Store and Splunk support reported (but not tested by me). The output I received from support was: Used search: index=kvcheck1 | outputlookup kvstorecoll 6.3.3 result (failure) Job inspector This search did not successfully execute. Any results returned from this job are not consistent and should not be used. And our favorite entry: search.log 06-13-2016 10:04:59.730 ERROR KVStorageProvider - An error occurred during the last operation ('saveBatchData', domain: '2', code: '4'): Failed to read 4 bytes from socket within 300000 milliseconds. 06-13-2016 10:04:59.748 ERROR KVStoreLookup - KV Store output failed with code -1 and message '[ "{ \"ErrorMessage\" : \"Failed to read 4 bytes from socket within 300000 milliseconds.\" }" ]' 6.4.1 result (success) Job inspector This search has completed and has returned 1,999,744 results by scanning 1,999,744 events in 534.54 seconds. Duration (seconds) Component Invocations Input count Output count 325.37 command.outputlookup 1 8,000,000 8,009,664 As stated the socket timeout problem (this is Windows only issue!) should be fixed in 6.4.x releases. So for most purposes, up to 70,000,000+ rows, the defaults work well from my experience. ... View more

My largest KV Store is 70,000,000 rows and 40 columns. Since KV Store is based on MongoDB you could use that for the very high end of limits. see here. ... View more

Those are great questions also. I'll certainly add them to my list of things to keep in mind. ... View more

that works. please promote it to an answer. ... View more

I suspect that Splunk does not know that "METRIC_DATE" is a time parameter. Try it this way: | inputlookup foo.csv | rename METRIC_DATE as _time | timechart span=1d max(USEDPCT) by DATACENTER ... View more

You can also use the xmlkv command to extract the fields from xml. http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Xmlkv ... View more

Scheduling reports and having the report emailed is well documented in the Reporting Manual. Please reference it here: http://docs.splunk.com/Documentation/Splunk/6.2.3/Report/Schedulereports I am not aware of a simple method to save the PDF to a specific location. I'm sure it is possible, but I've not come across that need yet. ... View more

Do you have any other navigation menus set to Global that might be overriding the display? ... View more

I done similar things in the past based on post-process searches. The user would start by selecting the index they want to search from a list (your "field3"). Then a search is executed for the values that can be "field1". Essentially, you are going from broadest category (the index) to more specific values (such as source type). If your indexes and source type (or whatever "field1" represents) is static, then you should be able to do something similar with a lookup table. ... View more

Which field do you want to be used for the sparkline? BTW, the docs describe how to do this pretty well. http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/AddSparklinestoSearchResults ... View more

You can run the search to be only the previous day and append the results to your CSV. The following search does that by limiting the time range from the previous day starting at midnight (earliest=-1d@d) to midnight last night (latest=@d). The bucket command puts everything into a 1 day time bucket. I'm using chart instead of timechart because this search is only pulling information for 1 day. And finally, the outputcsv is updating the file named test. sourcetype=xxxxxx action=allowed earliest=-1d@d latest=@d| bucket span=1d _time | chart count by src_ip limit=0 | outputcsv append=true test ... View more

You need to add the sparkline function to the chart command. See below. index=techmon sourcetype="techmon_hpom_messages_history" | chart sparkline count by NODE_NAME,SEVERITY | addTOTALS labelfield=SEVERITY label=Total| sort -Total| head 20 ... View more

What version of the UF was released on or after that date? ... View more

What version of UF are you running? ... View more

forward those events to your indexers just like you'd configure any forwarder. ... View more

Using the example above, you do not see the event on April 26, 2015 (a future time from today) -- but whatever the relevant timestamp is from your environment? How do you know it's not being indexed? ... View more

Is Splunk locating that timestamp and using it as the event time? You can check the raw data that Splunk is ingesting with index= sourcetype= | table _raw ... View more