Hi the_wolverine, the default interval is 5 minutes, where Splunk runs a search to update existing data model summaries. It runs a maintenance process every 30 minutes to remove old, outdated summaries. See the docs http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Acceleratedatamodels#After_you_enable_acceleration_for_a_data_model Before decreasing the interval; I would check if the data model acceleration summary search runs without error and on time, see the docs on this http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Acceleratedatamodels#How_Splunk_Enterprise_builds_data_model_acceleration_summaries Hope this helps ... cheers, MuS ... View more

Hi sarnagar, at some of my costumers in use a lookup table which holds all host names and another field called alert_status which either shows enabled or disabled . Using this lookup table on host=* as automated lookup will provide for each host a field which shows the alert_status . The costumers can edit the lookup table either by using the lookup editor https://splunkbase.splunk.com/app/1724/ or by using the outputlookup command. Finally you have to use the field alert_status in your alert searches, so you only search on: this is your alert search alert_status=enabled | ... This will only search for hosts with alerts enabled in the lookup file. Hope this helps to get you started ... cheers, MuS ... View more

The only way to restrict the views listed is to use the match option like this: <view source="unclassified" match="dashboard"/> This will only show dashboards which contains the name dashboard but still shows them if they are shared globally in another app. ... View more

no, the user cannot change its LDAP password from within Splunk, this is only related to the Splunk user password. ... View more

simply but the COLDDB on a different volume, disk, file system and Splunk will move it for you. ... View more

There is no need to do this manually, Splunk can to this for you 😉 In indexes.conf set the COLDDB path and also the warmToColdScript after that, Splunk will move the buckets ( after the frozenTimePeriodInSecs ) from WARMDB to COLDDB and your data is still searchable. ... View more

Just a small side note: looks like you can move them away without Splunk throwing errors, but still they are afterwards no longer searchable and I would not relay on that it is safe at all to do so in a production environment. ... View more

If you want to have all the hosts listed, even those without any events, then this is the way to go to make sure you get all hosts. ... View more

Hi itrust, remove the ._* files form your package and it should work. cheers, MuS ... View more

Hi oilmouse, you can set the permission of the dashboard to all apps and it will be visible in all apps, see the docs http://docs.splunk.com/Documentation/Splunk/6.2.4/Viz/CreateandeditdashboardsviatheUI#Specify_dashboard_permissions cheers, MuS ... View more

update ping, see the updated answer ... View more

okay, twice my bad.... just learned this answer won't work for the first one using subsearch!! Why? Because Splunk runs the inner search using the same info from the timerange picker as the outer search. And the map is also wrong, because the NOT will not work 😞 ... I'll work on a updated version.... ... View more

do it like this: | inputlookup one | inputlookup append=t two | ... ... View more

Hi cmahan, take a look at this run everywhere command: index=_internal sourcetype=splunkd series=splunkd earliest=-11min@min | bucket _time span=10min | search NOT [ search index=_audit action=search ] | timechart span=1min count it searches for events in the _internal index over the last 11 minutes, creates buckets of 10 minutes span and searches within this time span if there was no match for action=search in index=_audit . Yes this is a non-sense use case but it will help you understand your alert 😉 Based on this and your comments, try something like: sourcetype="WMI:Service" Name=slinksc State=Stopped earliest=-11min@min | bucket _time span=10min | search NOT [ search EventCode=1074 ] I removed the map command, because it is just too messy. cheers, MuS ... View more

In my first example the key to get the colours is the SPLITCOL gb option in the search ... View more

Hi ben_leung, maybe this can help, since you're only counting the events from two different searches try to create an eventtype http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Defineeventtypes for each search and tag them for example: index=main "string" field1 will be eventtype one with tag=one index=main sourcetype=certain_logs action=certain_action field2 will be eventtype two with tag=two Once created, run a search like this: tag=one OR tag=two | timechart count by tag Hope this helps ... cheers, MuS ... View more

So my run everywhere example from above works for you - right? And your Dashboard does not - right ? Did you delete it and create it from scratch again? There must be something wrong.... ... View more

make sure you have <option name="charting.drilldown">all</option> set, that's all ... View more