Okay, I did some quick checking - I've ran across this before. Those messages are are benign, and will be addressed in a later update. It means that our tsidx buffer has been shrunk a bit too small. The message also means that we’ve increased that size to a reasonable level. There are no known adverse effects stemming from this message ... View more

It all depends on what you would want to do - if you're looking for data redundancy in the same data center (for example), I would use clustering. A cluster is a group of indexers configured to replicate each others' data, so that the system keeps multiple copies of all data. This process is known as index replication. By maintaining multiple, identical copies of data, clusters prevent data loss while promoting data availability for searching. The clustering requires additional hardware in the way of a Clustering master plus additional indexers to keep copy the indexes on. Now, if you're looking for something along the lines of cold storage / dr (having an indexer in another datacenter for example) then sending duplicate data is the best way to handle that. I don't know if they still offer it, but you may want to talk to your sales person about the HA license. Brian ... View more

I'm assuming you have an enterprise license. That being said, make sure that the $SPLUNK_HOME/etc/passwd is readable by the user running Splunk. ... View more

A212830, You will need to install the hadoop CLI first - http://docs.splunk.com/Documentation/HadoopConnect/latest/DeployHadoopConnect/HadoopCLI. You can test to make sure it's working by signing in as the Splunk user and attempting to run the hadoop command. ... View more

I'm setting this up under the power role. Substitute whatever role you want to use for this. Create $SPLUNK_HOME/etc/apps/search/metadata/local.meta with the following: [manager/admin_license] access = read : [ power, admin ], write : [ admin ] [manager/licensing_stacks] access = read : [ power, admin ], write : [ admin ] Modify the role and add the following capabilities: license_edit license_tab Please be aware that this gives the user the ability to manipulate and edit the licensing information! ... View more

With this handy dandy query, you can find out why! index=_internal sourcetype=splunkd component=BucketMover "Will attempt to freeze" | rex field=_raw "/logs/splunk_logs/(?P<index_name>[^\/]+)/(db|colddb)/db_(?P<earliest_epoch>[\d]+)_(?P<latest_epoch>[\d]+)_(?P<bucket_number>[\d]+)\' (?P<reason>.*)" | convert ctime(earliest_epoch) as Earliest_Data | convert ctime(latest_epoch) as Latest_Data | convert ctime(_time) as Log_TimeStamp | table Log_TimeStamp,index_name,bucket_number,Earliest_Data,Latest_Data,reason | sort - Log_TimeStamp Breakdown of the fields: Log_TimeStamp = _time of the log entry index_name = index that's being frozen bucket_number = bucket that's being frozen Earliest_Data = Earliest date of events that was in that bucket Latest_Data = Latest date of events that was in that bucket Reason = the reason it was rolled to frozen. Edit: Addition query for windows! Just an updated version for windows (since there's wackiness around escaping \'s): index=_internal sourcetype=splunkd component=BucketMover "Will attempt to freeze" | rex field=_raw "(?P<index_name>[^\\\\]+)\\\\(db|colddb)\\\\db_(?P<earliest_epoch>[\d]+)_(?P<latest_epoch>[\d]+)_(?P<bucket_number>[\d]+)' (?P<reason>.*)" | convert ctime(earliest_epoch) as Earliest_Data | convert ctime(latest_epoch) as Latest_Data | convert ctime(_time) as Log_TimeStamp | table Log_TimeStamp,index_name,bucket_number,Earliest_Data,Latest_Data,reason | sort - Log_TimeStamp ... View more