Thank you @woodcock for the reply. Where should the argument be passed? We usually just unzip the tar file to install the forwarder. Regards ... View more

I can see a couple of warnings. Does changing these help in the performance improvement 1) One or more Splunk instances are running on a host that has one or more resource limits set below official recommendations. ulimits.open_files (current / recommended) ulimits.user_processes (current / recommended) 4096 / 8192 1024 / 8192 2) One or more Splunk instances are running on a host that has kernel transparent huge pages enabled. This can significantly reduce performance and is against best practice. transparent_hugepages.enabled transparent_hugepages.defrag state always always bad ... View more

Here are the server specifications CPU cores - 4(I know this should be at least 12 but unfortunately in our case, it is not possible) Memory - 200 GB daily Splunk logging less than 10GB When the reports are running CPU usage is around 90%, otherwise less than 10%. From the documentation, I see that 1 search head can manage up to 100GB/day. So I don't think the indexer is underperforming. ... View more

@nickhillscpl Thank you for the reply. In that case won't we have 2 search heads? And we don't want our URL to change as it is pretty standard across the organization. Is there a way we can use the old URL? ... View more

Yes, The current deployment server is also our search head. Hardware configuration - Linux RHEL 2.6.32-754.9.1.el6.x86_64 Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Byte Order: Little Endian CPU(s): 4 On-line CPU(s) list: 0-3 Thread(s) per core: 1 Core(s) per socket: 1 Socket(s): 4 NUMA node(s): 1 Vendor ID: GenuineIntel CPU family: 6 Model: 26 Model name: Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz Stepping: 4 CPU MHz: 2399.998 BogoMIPS: 4799.99 Hypervisor vendor: VMware Virtualization type: full L1d cache: 32K L1i cache: 32K L2 cache: 256K L3 cache: 35840K NUMA node0 CPU(s): 0-3 ... View more

Thank you for your reply. Do you know why the concurrency limit is 5 From the documentation, isnt it supposed to be 10. 6 + (4*1) base_max_searches + #cpus*max_searches_per_cpu The base number of concurrent searches. base_max_searches = 6 Max real-time searches = max_rt_search_multiplier x max historical searches. max_rt_search_multiplier = 1 The maximum number of concurrent searches per CPU. max_searches_per_cpu = 1 ... View more

@Vijeta, appreciate the quick response. As I mentioned in my question, the only option I have is to add a field(eg - \s+(?P[^ ]+)\s) in the sourcetype from console. So the answer you provided doesnt work for me. I cannot add rejex. ... View more

This is the configuration I have for this particular source type. This is from props.conf DATETIME_CONFIG = NO_BINARY_CHECK = true category = Custom pulldown_type = true SHOULD_LINEMERGE = false disabled = false ... View more

The issue is there is no time stamp in the log file for the entries. I counted back hours to check on what date the entries started to log. Now if I use oneshot, how will splunk know the date of the entries? I assume this will not work. Please let me know if there is a work around? Thank you ... View more

The issue is there is no time stamp in the log file for the entries. I counted back hours to check on what date the entries started to log. Now if I use oneshot, how will splunk know the date of the entries? I assume this will not work. Please let me know if there is a work around? Thank you ... View more

@somesoni2, Is was reading about manually injecting these missing logs using splunk oneshot but the problem is we have one log file with logs from dates 01/05 - 01/14. If I use onshot, I am suspecting there will be multiple entries and will mess up the report that will be generated using this data. ... View more

Hi @woodcock, That is what I thought was going to happen. Strangely it only retrieved the logs for the last few hours before it restarted(Restarted at 9 AM 01/14, only got logs from 12 AM 01/13) Is was reading about manually injecting these missing logs using splunk oneshot but the problem is we have one log file with logs from dates 01/05 - 01/14. If I use onshot, I am suspecting there will be multiple entries and will mess up the report that will be generated using this data. Please Advice ... View more

Thank for the reply Rob. I am sorry to confuse you with the lack of detail in the post. I have a log file where 8 lines in the middle are getting truncated. I want to set my source type configuration so they donot get truncated. Here is the original log file "AppData" : { "user_info" : { "USERID" : "", "USER_CHICAGO_ID" : "", "USER_PASSWORD" : "*****", "USER_LAST_NAME" : "", "USER_FIRST_NAME" : "", "DEPT_ID" : "", "USER_STAR_BADGE" : "", "USER_TYPE_CD" : "", "USER_EMAIL" : "", "SECUR_ROLE_ID" : "", "USER_STATUS_CD" : "", "USER_STATUS_DATE" : "", "CREATE_TIMESTAMP" : "", "CREATE_USERID" : "", "UPDATE_TIMESTAMP" : "2018-06-27 09:39:13.0", "UPDATE_USERID" : "" }, "image_info" : { "image_key" : "359764084248580-img15_jpg-1539965048401", "image_len" : 903988, "create_time" : 1539965048401, "location" : { Here is what splunk is extracting }, "AppData" : { "user_info" : { "USERID" : "607", "USER_CHICAGO_ID" : "", "USER_PASSWORD" : "", "USER_LAST_NAME" : "", "USER_FIRST_NAME" : "", "DEPT_ID" : "13", "USER_STAR_BADGE" : "", "USER_TYPE_CD" : "", "USER_EMAIL" : "", "SECUR_ROLE_ID" : "", "USER_STATUS_CD" : "", "create_time" : , "location" : { If you see the lines between "USER_STATUS_CD" : "", and "create_time" : , are missing. I don't want those lines are missing. I want Splunk to extract those lines too. ... View more

It is breaking at "USER_STATUS_DATE" : "2012-12-27 11:23:20.0". I get logs before that line. I was suggested to change the event break value in the source type option. I am not sure what to change it to. ... View more

I do not want to break it at all. Is that possible? I want the whole event to be logged. ... View more