Like I said, these look like default index that will exist on all Splunk Enterprise installations, and will be used at minimum by Splunk itself. So, no, it is not unusual to have these indexes on indexers that are not targets of the forwarders. Can you confirm that the indexer with the 10GB size is the 10.200.2.30:9997 system? ... View more

Well then, if you're collecting basic logs on that system then this search might work (it worked for me): index=main sourcetype="wineventlog:application" | rex field=_raw "(Splunk\sEnterprise\.\sProduct\sVersion:\s)(?<Splunk_Version>\d+\.\d+\.\d+\.\d+)" |dedup Splunk_Version,_time | table Splunk_Version,_time ... View more

Is this a windows system? ... View more

Have you tried the config on the forwarder? The data may already be parsed by the time it hits the indexer. ... View more

Are you running the search in Verbose mode? ... View more

It is complex, but necessarily so because while you may want old data, you probably most certainly want current data. What may not be evident in the wiki post is the indexing very old logs and logs 'in the future'. Let's say for example you have logs that are older than the MAX_DAYS_AGO parameter from props.conf (default 2000 days) - all events older than the MAX_DAYS_AGO will have the _time value of the last acceptable timestamp in that log file, and if all events are older than MAX_DAYS_AGO, then all events will have the current (index time) timestamp for _time. So, in addition to knowing that Freezing data is based on _time, you must also understand that it is based on the most recent time in the buckets (restart Splunkd = new buckets), and that indexing very old logs may give you event times (_time) that are not what you expected (MAX_DAYS_AGO defaults to 2000 days). ... View more

FYI, Splunk Enterprise includes all of the above as part of the installation. However, the only features enabled by default are search and index. To turn on the other features you need to configure them as desired on each server (and forwarders where applicable). ... View more

Provided your network and indexers have the bandwidth and processing power to handle the throughput, it basically all comes down to searching. 1) It takes longer to search one large index, but you don't have to specify a particular index in the search. 2) If you use separate indexes for different sourcetypes, then you have to specify them in each search, but the searches are faster. I prefer option 2 because it allows the flexibility to search everything, or specific indexes/sourcetypes as required. However, it does add the user overhead of specifying particular indexes in some searches. Examples: index=mycustomindex_* Will search all of my custom indexes. index=mycustomindex_sourcetype1 OR index=mycustomindex_sourcetype2 OR index=mycustomindex_sourcetype10 Will search only indexes for sourcetypes 1, 2 and 10. ... View more

Yes, see this answer: https://answers.splunk.com/answers/419132/is-it-safe-to-delete-bundle-files.html And this post for the var\run version: https://answers.splunk.com/answers/1397/how-long-should-bundle-tar-files-persist-in-the-search-head-can-the-space-used-be-limited.html ... View more

Probably 'REPORT' in props.conf and 'DELIMS' in transforms.conf. More information would be nice. ... View more

embed.enabled = 0 means it is off. Set it to 1 to turn it on. To do it with the UI see the workflow in this post: http://blogs.splunk.com/2014/05/08/17682/ ... View more

I tested this log file content: date,time,rundate 02/09/2016,00:00.0,2/07/2016 02/09/2016,00:00.1,2/07/2016 02/09/2016,00:00.2,2/07/2016 02/09/2016,00:00.3,2/07/2016 02/09/2016,00:00.4,2/07/2016 02/09/2016,00:00.5,2/07/2016 02/09/2016,00:00.6,2/07/2016 02/09/2016,00:00.7,2/07/2016 With these config files: inputs.conf [monitor://C:\temp\Splunk\test\csv-test\csv-test3.csv] disabled = false index = test sourcetype = csvtest3 props.conf [csvtest3] NO_BINARY_CHECK = true category = Custom disabled = false pulldown_type = true REPORT-csvtest3 = REPORT-csvtest3 transforms.conf [REPORT-csvtest3] DELIMS = "," FIELDS = "Date","Time","runDate" Everything works fine, with the exception of the fractional minutes - strptime cannot compute HH:MM.M so you will get HH:MM:SS.SSS truncated to MM as _time for each event, i.e. log time 12:00.9 will equal event time 12:00:00.000. If seconds are important, then you should ask another question on how to convert the Time field (string value extracted above) in a search to a time value that includes accurate seconds for sorting purposes. ... View more

Is the time really HH:MM.M? There is no strptime variable for MM.M, so the best you're going to get is HH:MM ex: strptime cannot compute 00:00.5 = 00:00:30, you can get 00:00.5 to represent as 00:00:05 but that is not accurate. ... View more

Well, it looks like it was set up at one point to do load balancing. At that time I would expect to see two IP's on the server line for the default-autolb-group, but since there is only one load balancing must have stopped sometime in the past. Or, it was never configured correctly. Do all of the Universal Forwarders have the same outputs.conf? On each server, look in server.conf for the [clustering] stanza, and check the value for mode = If it is a search head, then it should point to a master_uri. If it is a search head, then the server with server.conf mode=searchhead probably has a different IP than the one in outputs.conf, and the master_uri for that one will match the IP in outputs.conf. Keep in mind that an Enterprise Splunk installation (search head or indexer) will have indexes, and it looks like the indexes you have are all defaults, so the indexes will match between the two, but the larger one is probably the one with the IP found in outputs.conf. ... View more

You can check Splunk_Home\var\lib\splunk for folders that match your index names. You can check your index names from the Splunk UI by going to Settings > Indexes. You can also check your deployed outputs.conf files to see where the data is being sent. ... View more

I think you might have made a mistake.... I created some events, and tested this and it works. |rex field=_raw "O_name%\d{3}[A-Za-z](?P< TheName>[^\%]+)" |table TheName Don't forget to remove the space in the regex in the brackets before TheName If it is not working for you then perhaps you should post some actual events. ... View more

I don't have the answer, but the problem with your first search is that it is looking for single events that contain both categories at the same time, which is not possible with single value fields. Fear not, I'm sure someone will show you how to use your search and sort them out by user so that only users that did both in different events are listed. ... View more

Is 'THIS' always after % 3 digits and a letter, and does 'THIS' always end with a %? ... View more

Ha. Your question moved an outstanding requirement of mine up in the queue so to speak. Thanks for validating the results! ... View more

Did you upgrade all members of the cluster? Here is the procedure for upgrading from 6.4 to 6.5 http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/UpgradeaSHC ... View more

I don't have a system to test this, but from the load balancing admin doc, it says "The overall traffic sent to each indexer is based this ratio: indexer_disk_capacity/total_disk_capacity_of_indexers_combined" If this is math being done by Splunk, then somewhere in the internal logs you should be able to find the values of these parameters, and the result. The value of "indexer_disk_capacity" should answer your question. If you can find it. ... View more

I've tested Splunk Enterprise version 6.5.0-59c8927def0f-x64 on Windows 10 and it works. The URL http://localhost:8000 also works with IE11. Which browser are you using? ... View more

Also, this is Splunk Answers, not a chat line. You ask a question, get an answer, accept the answer, ask a new question, etc.... Let's try to keep Splunk Answers in focus and on point. It makes it more valuable in the long run for everyone. ... View more