Noted yannK. Thanks for your help ... View more

Thanks for the explanation, yannK. One more, is there any recommendation for the ratio between max index size and max size for hot bucket? ... View more

Noted. Thank you for the documentation. ... View more

Is there any way we can configure the amount data removed to the freeze bucket? In my case, sometimes the data removed is too much and sometimes it is too little (from the oldest event I can see using search). ... View more

So this means there's a risk of data loss, is that correct? I'm quite confused as sometimes the forwarders will only send data to one indexer and ignore the rest even though in load-balance mode. ... View more

I guess this is the best which I can do. Thanks muebel for the answer ... View more

Hi xabidh, If you want to implement existing configurations from old forwarder to the new one, I suggest you copy the entirety of $SPLUNK_HOME/etc folder. Copying this folders means you copy all installed apps of old forwarder, inputs.conf, outputs.conf, authentication, and other configurations which has previously been defined on the old one. ... View more

Hi vineetc, Try this regex pattern: \[error\].+?:\strans\(\d+\)\[(?:request|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]:\s(?<error_msg>.+) ... View more

hmm...that's weird. I'd created a sample log file with your data and applied the rex command along with the stats command and I could see the graph just fine. ... View more

Hi manmayee, I'm trying to complement swbodie's answer. Your search input should be like this: <your base search> | rex field=_raw "\*RESPONSETIME:(?<ResponseTime>\d+)\*" | stats count by ResponseTime The search command will show you a table by default. You may then choose visualization tab to get your chart. Hope it helps. ... View more

Does the value have fixed format (in your example it's 7 digits format)? ... View more

This "logs" you're talking about, are they the one to check the state and errors in your Splunk instance? Or are they something else? ... View more

Are you using a heavy forwarder? Where do you put this configuration? Is it your indexer? ... View more

Does your dbx.log report anything related to an error? You may want to check that log instead of splunkd.log to start the troubleshoot process. ... View more

If you're not sure on what to do in creating deployment apps, I suggest you create a dummy app from your Splunk enterprise instance and then copy the apps's skeleton to $SPLUNK_HOME/etc/deployment-apps directory. The skeleton should provide you with all of the necessary .conf files. ... View more

Hi shariin, What jeffland said about double backslashes and naming your capturing group was correct. Instead of using the full path as regex pattern, why don't you focus on the file name instead? Something like this: Fun_(?<DateLog>\d{8})_.* I've tested it and you can get what you wanted. ... View more

Right, missed that one. Thank for the notice ... View more

Hi Hattrick, To achieve this, you can use either "rex" or "substr" function. For example: You have a field called "name" and the value is "Mario" Using rex: ... | rex field=name "(?P<subname>\w{3}).*" Using substr: ... | eval subname=substr(name,1,3) Both should produce "Mar" Reference: http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonEvalFunctions ... View more

No problem. Glad to be of any help 🙂 ... View more

Hi zbumpers, From my experience, it is possible to achieve this. You just need to set the proper indexer destination in outputs.conf of the forwarder. Create tcpout groups and then specify the groups to the proper monitoring stanza in inputs.conf. For example, something like this: Your indexers: 192.168.56.101:8089 and 192.168.56.102:8089 In your forwarder: outputs.conf: [tcpout:IndexerA] server=192.168.56.101:8089 .... .... [tcpout:IndexerB] server=192.168.56.102:8089 .... .... inputs.conf: [monitor:///path/to/log/A/logA.log] # Add attributes to your monitor like sourcetype, index, etc .... .... # In the end, specify to which indexer this log should be sent using _TCP_ROUTING = <group name> _TCP_ROUTING = IndexerA # Do the same for log B [monitor:///path/to/log/B/logB.log] .... .... _TCP_ROUTING = IndexerB Restart the forwarder and see the result. Hope this helps. References: http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/inputsconf http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/Outputsconf http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Configureforwarderswithoutputs.confd ... View more