sounds good 😄 Please accept my answer if it helped in any way ... View more

Hi Koushik_Katta, You can run the diag by executing this from the command line $SPLUNK_HOME\bin\splunk diag If you wish to leave out certain components, you can add a --disable= flag such as: $SPLUNK_HOME/bin/splunk diag --disable=dispatch --disable=pool This documentation you linked to has more options. Please let me know if this answers your question! ... View more

Hi ICAP_RND, if this lookup is csv based, the only option is to use inputlookup to pull in the table, use search commands such as eval to adjust the fields as needed, and then outputlookup to rewrite the modified table to disk. If it is kvstore based, there are rest commands that can be used for pinpoint modification of specific table entries. More information is available here : http://dev.splunk.com/view/SP-CAAAEZG Please let me know if this answers your question! ... View more

Is this lookup kvstore of csv based? ... View more

You can stagger out the inputs with a non-overlapping cron schedule, that is, one batch runs at 5 mins past the hour, then next at 10 etc. I would expect with that kind of hardware and that amount of data, you should be fine. A cautious approach would be to gradually add the inputs, spaced out as described above. Monitor the resource utilization of the involved databases as well as the splunk infrastructure. If you see any spike in resource utilization, you'll be able to easily track it down to a recent added input. If you have found this answer helpful, please accept it, and otherwise let me know if I could clarify anything 😄 ... View more

Hi splunkrocks2014, I don't think you can configure dbx 2.x to have a host value given in the data, but I expect you could use props and transforms to do this. i.e. something like: [mySourcetype] TRANSFORMS-setHost=host_override [host_override] REGEX = (regex to extract host value from event) DEST_KEY = MetaData:Host FORMAT = host::$1 Please let me know if this answers your question! 😄 ... View more

Hi Hemnaath, you can get a report on license utilization as described more here : http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/AboutSplunksLicenseUsageReportView In particular, you can split by the various meta fields (index / host / source / sourcetype) in order to get a better idea what is blowing up your license. In particular, the search used to drive this report is: index=_internal host=yourLicenseServer source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by s fixedrange=false | join type=outer _time [search index=_internal host=yourLicenseServer source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] you'd have to have access to the _internal index of course, and adjust the host= line to be what the host value is for you license server. Additionally, you can see the span here is set as span=1d at a couple points. Feel free to adjust that along with the overall search time frame to suit your needs. Please let me know if this answers your question! 😄 ... View more

Hi TiagoTLD1, in addition to the links somesoni2 posted, check out the diagrams here : https://wiki.splunk.com/Community:HowIndexingWorks INDEXED_EXTRACTIONS is a somewhat special processor that is usually done on universal forwarders to ingest structured data. This is done in the parsing queue. The slides for the 2015 conf session are here https://conf.splunk.com/session/2015/conf2015_ABath_JKerai_Splunk_SplunkClassics_HowSplunkdWorks.pdf Very instructive as well. The route configuration would be on the receiving end, and is usually needed if you want to "recook" or reparse the data. As for a specific set of key and queue names, I don't believe they are currently available. The set of use cases involved usually just swaps the default route config to all parsingQueue in order to achieve the reparsing on the indexer as mentioned earlier. Please let me know if this helps! ... View more

Hi marcokrueger, as lguinn mentioned, I don't believe there is any mechanism to adjust the warning symbols. Nothing at least that I'd expect to be supported. However, to address the initial concern, I expect for most cases the searches are fine, and you shouldn't be concerned about incomplete searches. As limits.conf describes, searches that exceed this limit are spilled to disk. This might have a negative impact on search performance, but the searches should still be complete. The exception to this is if you are making heavy use of the mvexpand command, which can lead to truncated searches. Please let me know if this answers your question! 😄 ... View more

gotcha. well in that case somesoni2's comment is probably the best bet ... View more

Hi gpradeepkumarreddy, I don't believe there is a way of preventing such a search from being issued, so perhaps the most efficient method would be to setup reporting or alerting for users who perform such searches. My guess is that certain users would get into the habit of running these kinds of searches more often than others, and you could remediate it by training. Please let me know if this helps! ... View more

awesome. ty ... View more

awesome 😄 ... View more

Hi certifsan, In lieu of going through a stats course to understand the underlying principles, the next best bet is probably to find somebody nearby (coworker/colleague, or maybe a local stats/data science focused meetup) to have a dialog with to better understand whats going on here. Along with this, I'd recommend toying around with the stats functions. If you have access to Splunk Enterprise Security, then George Starcher's series on utilizing Extreme Search is a good starting point for a practical application of stats Please let me know if this helps! ... View more

Thanks for the answer, but I'm looking for something out-of-the-box to a greater degree. Additionally, indexing passwd doesn't seem ideal. ... View more

I'm really interested in an out of the box search that will turn up the admin password status of some particular splunk instance, leveraging any of the internal-type indexes (internal, audit, introspection) or otherwise something through REST. It seems that Splunk has this data available to itself at least, and uses it to warn users at the login page, but from reading the documentation, I'm not finding this available otherwise. ... View more

Hi colinmchugo, the basic process of updating a CSV based lookup is to '| inputlookup' the CSV in question, modify the values as desired with eval and other searchtime field manipulating commands, and then '| outputlookup' back to the same CSV to commit the changes. If you'd like to have more featureful datastore, you can utilize KVStore collections http://dev.splunk.com/view/webframework-developapps/SP-CAAAEZK This allows for direct update of specific fields, without rewriting the whole lookup. Please let me know if this answers your question! ... View more

Hi David, The timezone database used by Splunk is usually taken from the OS it's running on, as described here : http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Applytimezoneoffsetstotimestamps GMT should usually be the same as UTC, unless you are dealing with British Summer Time. For my instance of Splunk I am finding a GMT timezone option for my user, and also a GMT : London. I'm presuming the simple "GMT" designation is UTC. Please let me know if this helps! ... View more

thanks Martin! That fieldsummary bit is a good point. ... View more