Thanks MuS. I though the "search" was a special term, and realized it was pertaining to the "search app". Kudos! ... View more

Sure. And do not forget to click "Accept the Answer" if this resolves your issue. Thanks ... View more

Check the Splunk status or Restart Splunk. Since you are using Windows, you can follow the steps below: Open a Command Prompt and run it as Administrator Change the directory and navigate to Splunk bin folder: Command: cd "C:\Program Files\Splunk\bin" Check Splunk Status Command: splunk status Restart Splunk splunk restart ... View more

Hi, Here is a good reference for your deployment architecture. http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F ... View more

Hi xpax, Please see below: [xxxxxxxxxxxxxxxxxx@xxxxxxx.com@xxx-sesh-vm01 ~]$ df -h Filesystem Size Used Avail Use% Mounted on /dev/sda2 32G 30G 1.7G 95% / devtmpfs 6.9G 0 6.9G 0% /dev tmpfs 6.9G 0 6.9G 0% /dev/shm tmpfs 6.9G 106M 6.8G 2% /run tmpfs 6.9G 0 6.9G 0% /sys/fs/cgroup /dev/sda1 497M 114M 384M 23% /boot tmpfs 1.4G 0 1.4G 0% /run/user/565601233 /dev/loop0 1.3M 1.3M 0 100% /mnt tmpfs 1.4G 0 1.4G 0% /run/user/565601149 [xxxxxxxxxxxxxxxxxx@xxxxxxx.com@xxx-sesh-vm01 ~]$ df -h /opt/splunk Filesystem Size Used Avail Use% Mounted on /dev/sda2 32G 30G 1.7G 95% / [xxxxxxxxxxxxxxxxxx@xxxxxxx.com@xxx-sesh-vm01 ~]$ df -h /opt/splunk/var/ Filesystem Size Used Avail Use% Mounted on /dev/sda2 32G 30G 1.7G 95% / ... View more

Sharing some best practices in building dashboards. Hope this helps you optimize your dashboard. Global Searches Reduce number of searches in dashboards where possible, use global searches with post processing to avoid the same data being requested multiple times. Reference: http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/Savedsearches#Post-process_searches Saved searches. It always offer the best performance as Splunk will check to see if the same search is already being executed or if it has any saved results and use those. If you just put an inline search then every time the dashboard is loaded it will execute the search, that means that if 4 users access the same dashboard it will fire 4 times. If it was a saved search then all 4 users would load the 1 set of search results. Reference: http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/Savedsearches Reports Acceleration If your report has a large number of events and is slow to complete when you run it, you may be able to accelerate it so it completes faster when you run it in the future. Reference: http://docs.splunk.com/Documentation/Splunk/6.2.5/Report/Acceleratereports Scheduled Search and Summary Indexing You use summary indexing when you need to perform analysis/reports on large amounts of data over long timespans, which typically can be quite time consuming, and a drain on performance if several users are running similar reports on a regular basis. Reference: http://docs.splunk.com/Documentation/Splunk/6.2.5/Report/Schedulereports#Enable_summary_indexing Search Macros Use macro commands to reduce the length of search queries, improve readability and consistency between searches.Reference: http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Usesearchmacros Lookups For static set of types, labels, values or thresholds setup lookup definitions linked to static lookup files. Use these fast lookups in dropdowns or to enrich existing data.Reference: http://docs.splunk.com/Documentation/Splunk/7.0.2/Search/Useexternalfieldlookups Accelerate Data Model Data model acceleration is a tool that you can use to speed up data models that represent extremely large datasets. After acceleration, pivots based on accelerated data model datasets complete quicker than they did before, as do reports and dashboard panels that are based on those pivots. Reference: http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Acceleratedatamodels Dashboard Visualizations Keep it simple, stick to Simple XML dashboards where possible and Advanced for specific requirements. Install Splunk’s Dashboard example apps and learn to use them effectively. Reference: https://splunkbase.splunk.com/app/1603/ ... View more

You may want to check this reference. http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing And other similar question before. https://answers.splunk.com/answers/512861/what-is-a-summary-index-and-how-can-one-check-whet.html https://answers.splunk.com/answers/435921/how-to-use-summary-indexing-in-dashboards.html ... View more

Hi p_gurav, The search capability is disabled. Also, can you specify which parameter/attribute in limits.conf should I adjust? ... View more

Put the props.conf in Search Head since you are using the EXTRACT parameter. EXTRACT- = [| in ] * Used to create extracted fields (search-time field extractions) that do not reference transforms.conf stanzas. Reference: https://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf ... View more

Because the field "prop" is not existing anymore. You can add the "as" on your command to name it as prop again. Something like this. | geostats values(prop) as prop by StateName globallimit=0 ... View more

https://www.splunk.com/blog/2014/04/29/integrate-splunk-and-servicenow.html ... View more

Hi @mikesaia, were you able to make your customized MIB work? If yes, could you share with me the steps you had take to map your data to the MIB. Thank you. ... View more

Hi Yasinmoha, Syncsort Apps are now available in latest versions of Splunk. You may visit the Splunkbase. Syncsort Ironstream - SYSLOG (https://splunkbase.splunk.com/app/2792/) Syncsort Ironstream Module for Splunk IT Service Intelligence (https://splunkbase.splunk.com/app/3329/) Syncsort Ironstream (https://splunkbase.splunk.com/app/1868/) Syncsort Ironstream - z/OS System Performance (https://splunkbase.splunk.com/app/3046/) Syncsort Ironstream - MQ (https://splunkbase.splunk.com/app/2933/) Syncsort Ironstream - Dataset Analyzer (https://splunkbase.splunk.com/app/2886/) Syncsort Ironstream - CICS (https://splunkbase.splunk.com/app/2799/) ... View more

You can download this app below named ".conf Archive Search". Hope this helps. https://splunkbase.splunk.com/app/3330/ ... View more

Hi @magnew, The status indicator works before when we still have little data, but when it started to capture a lot of data, this error "Failed to load source" happens quite a lot. Seems like it is related to the number of data or searches running concurrently. ... View more