We have a summary index where we collect daily license usage. We have a chart that can show me the daily usage for the last few months. I would like to have a trendline that shows the usage over the past few months. I would like to only include Monday-Friday (or only exclude weekends). I chart the following (summary_admin is our summary index): index=summary_admin earliest=-4mon@mon latest=@d | timechart useother="f" span=1d max(GB) by orig_sourcetype | addtotals fieldname=GBTotal | timechart span=1w avg(GBTotal) as "Average", max(GBTotal) as "Max", min(GBTotal) as "Min" Does ok but would be better by eliminating weekends. (I also need to tweak the span options.) Thanks. ... View more

We are running a standalone deployment server version 4.3.5. Using the search "index=_* hostname=SplunkInfrastructureHost* fwdType=uf OR fwdType=lwf |stats count by fwdType, hostname " our deployment server is being reported as being a "lwf". Don't remember seeing this when running an earlier version of Splunk. How does Splunk determine the fwdType? Thanks. ... View more

I have a script that runs when certain events occur. This script cleans the dispatch directory. I would like to log the output of this command so that I can track when the script runs and what it did. I am not a linux guru and have tried: /opt/splunk/bin/splunk cmd splunkd clean-dispatch /temp -1d -1d | tee -a /opt/splunk/var/log/splunk/internalscripts.log and /opt/splunk/bin/splunk cmd splunkd clean-dispatch /temp -1d -1d >> tee -a /opt/splunk/var/log/splunk/internalscripts.log Neither writes to the logfile. Is there another way of writing the output to the logfile? Thanks. ... View more

I am trying to create a line chart showing results from today compared to a week ago. I searched answers but still haven't got it to work. We are running Splunk 4.2.5. I also looked at the blog at: Blog Here is my query: index=_audit earliest=-0d@d latest=now savedsearch_name=* | eval searchStartTime=strptime(apiStartTime, "'%a %B %d %H:%M:%S %Y'") | eval searchEndTime=strptime(apiEndTime, "'%a %B %d %H:%M:%S %Y'") | eval searchExecuteTime=_time | eval deltaFromEnd=searchExecuteTime - searchStartTime | eval ReportKey="Today" | append [search index=_audit earliest=-7d@d latest=-6d@d savedsearch_name=* | eval searchStartTime2=strptime(apiStartTime, "'%a %B %d %H:%M:%S %Y'") | eval searchEndTime2=strptime(apiEndTime, "'%a %B %d %H:%M:%S %Y'") | eval searchExecuteTime2=_time | eval deltaFromEnd=searchExecuteTime2 - searchStartTime2 | eval ReportKey="Last Week" | eval new_time=_time+604800 ] | eval _time=if(isnotnull(new_time), new_time, _time) | timechart span=15m median(deltaFromEnd) by ReportKey ... View more

We have defined a role: [role_rest_role] importRoles = can_delete;user rtSrchJobsQuota = 0 srchDiskQuota = 0 srchIndexesAllowed = indexA srchIndexesDefault = indexA srchJobsQuota = 0 We have created a local user that has this role. The problem is that doing a search using REST the user has access to index=main. Since this user "can_delete" we really want to restrict their access to a specific index. Any ideas? ... View more

We are running pooling. We have a separate jobs server that is only running scheduled searches. This jobs server is NOT pooled because of the load it puts on the pooling environment. We have dashboards that pull up the cached results of a scheduled search because the search takes too long to run. The problem we are seeing is that since the jobs server is not pooled apparently those results are not accessible by the dashboard. In what directory are the cached results stored so that we can do a rsync of that information? Is there a better way of doing this? ... View more