Hi, nope. We do copy the buckets to SmartStore after rolling from hot to warm and mark them for eviction on the secondary Indexers. The cacheman is pretty much avare of almost every bucket.   BR, Holger ... View more

(Old question with an answer still valuable) In a SHC the SH resources are not shared among searches, but for scheduled searches. Ad-hoc searches running on a SHC member will consider the cpu cores and memory resources as if it was unique.  For the scheduler, the captain will mitigate starvation by distributing scheduled jobs to available members. Each member not being supposed to consume more than its capacity. So you give more resources to scheduled jobs automatically in a SHC,  while for adhoc searches it depends on where the users are logged in. A load balancer for users connections can help, for high availability: users don't need to know each member fqdn nor ipod address to get in.  ... View more

One thing which could help you with bad searches is Splunk Workload Management https://www.splunk.com/en_us/blog/tips-and-tricks/best-practices-for-using-splunk-workload-management.html You could define different classes for users and admins etc.  r. Ismo ... View more

how can you fix this issue when you have thousands of buckets in pending? I have around 4800 buckets and i cannot go and execute roll command on each and every Index right? Can you give me any solution for this please? Thanks for the answer.   @jbarlow_splunk  ... View more

For indexer cluster, the summary is created on the peer node that is primary for the associated bucket or buckets. The peer then uploads the summary to remote storage. When a peer needs the summary, its cache manager fetches the summary from remote storage. Summary replication between peers is not needed and the uploaded summary is available to all peer nodes. Here is an example from my env that shows Report Acceleration bucket on remote store. [root@centos65-64sup02 rbal]#$SPLUNK_HOME/bin/splunk cmd splunkd rfs -- ls --starts-with index:main | grep -v '/db/'   #for full paths run: splunkd rfs -- ls --starts-with volume:my_s3_vol/main/ size,name 1080,main/ra/38/01/16~3D41EF74-A16D-421D-9FD7-83B3849101B2/3F3F537C-7DAD-4CF8-B062-168D17BC15C7_search_admin_NS16c348adc086860d/guidSplunk-3D41EF74-A16D-421D-9FD7-83B3849101B2/metadata.csv 75,main/ra/38/01/16~3D41EF74-A16D-421D-9FD7-83B3849101B2/3F3F537C-7DAD-4CF8-B062-168D17BC15C7_search_admin_NS16c348adc086860d/guidSplunk-3D41EF74-A16D-421D-9FD7-83B3849101B2/metadata_checksum   NOTE: In this example, the "guidSplunk-3D41EF74-A16D-421D-9FD7" is the GUID of the search head where data is accelerated. so in my case based on the report Accelerated search and time range only the relevant buckets were accelerated. Splunk has an open bug where SPL-186425:S2: Rebuilding an evicted DMA summary causes us to re-upload the old tsidx file with the newly rebuilt one. This means that we would see upload/download of the bucket when buckets are being accelerated. As per this JIRA: When rebuilding an evicted DMA summary, for some reason we localize the remote copy first and in parallel, we begin to rebuild the summary on disk. For the graph posted the upload activity was due to report acceleration   03A227A6-442C-4EC2-96BA-EDB3AEBCB2DF_XXXX_commerce_products_emmett_NSab5a2628876cea87 03A227A6-442C-4EC2-96BA-EDB3AEBCB2DF_XXXX_partnerships_jamesw_NS9c8a6f5149bf222c To get the name of the corresponding Splunk report uses the REST endpoint on the search head.   | rest servicesNS/-/-/admin/summarization |table saved_searches.admin;search;test_support_ra.name,summary.hash,summary.earliest_time,summary.complete,summary.id, summary.complete,summary.id   ... View more

- The coldpath is needed during migration when pre-existing data is migrated to SmartStore. - As discussed in our documentation “Cold buckets can, in fact, exist in a SmartStore-enabled index, but only under limited circumstances. Specifically, if you migrate an index from non-SmartStore to SmartStore, any migrated cold buckets use the existing cold path as their cache location, post-migration. In all respects, cold buckets are functionally equivalent to warm buckets. The cache manager manages the migrated cold buckets in the same way that it manages warm buckets. The only difference is that the cold buckets will be fetched into the cold path location, rather than the home path location” coldPath and homePath can point to the same volume, but different directories like. homePath = volume:hot/$_index_name/db coldPath = volume:hot/$_index_name/colddb So in your case, if you have already migrated to Smart store, so now you can point the coldPath to use the  volume same as homepath. ... View more

1) Running the following search: host=rbal* OR host=test index=winevent_s earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0 | stats values(_sourcetype) values(sourcetype) values(host) values(source) 2) Produces the following values for the given fields (field: value): values(_sourcetype): WinEventLog:Security values(sourcetype):wineventlog values(host): EBRIAN values(source): WinEventLog:Security Note: The _sourcetype value of WinEventLog:Security is the original value of the sourcetype before it is renamed to wineventlog. 3) Given the above information, when we run the following search we see a count of 73 results: host= rbal index=winevent_s earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0 sourcetype=WinEventLog OR sourcetype=XmlWinEventLog | stats count 73 results note: normally, field values are case in-sensitive so searching sourcetype=WinEventLog / sourcetype=wineventlog should be equivalent. However when we are dealing with sourcetype rename’s the target name is case sensitive, unless you “OR” in another sourcetype, then the renamed sourcetype is not case sensitive. 4) To illustrate this: a) we take a sourcetype that has been renamed (ie: WinEventLog:Security has been renamed to wineventlog) >>> etc/apps/Splunk_TA_windows/default/props.conf [WinEventLog:Security] rename = wineventlog and run a search using a different case (camel case) for the sourcetype value and we get 0 results where we should expect to see 73 results. host=rbal index=winevent_s earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0 sourcetype=WinEventLog | stats count ** 0 results** b) if we OR another sourcetype to the SPL we get results now and the value of the sourcetype is reported in the interesting fields as the target sourcetype name “wineventlo” host=rbal index=winevent_s earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0 sourcetype=WinEventLog OR sourcetype=XmlWinEventLog | stats count 73 results c) What is odd is that running the same search with either one of the sourcetypes by themselves or removing the host produces no results: host=rbal index=winevent_s earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0 sourcetype=WinEventLog | stats count 0 results host=rbal index=winevent_s earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0 sourcetype=XmlWinEventLog | stats count 0 results without host index=winevent_s earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0 sourcetype=WinEventLog OR sourcetype=XmlWinEventLog | stats count ** 0 results** d)Even stranger, if we add an asterisks to the end of the host value, it produces 0 results. host=rbal* index=winevent_s earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0 sourcetype=WinEventLog OR sourcetype=XmlWinEventLog | stats count 0 results e) using the asterisks with the correct matching case for the sourcetype value (lowercase) produces the expected values host=rbal* index=winevent_s earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0 sourcetype=wineventlog | stats count 73 results This behavior is similar to old JIRA SPL-122984 “Searching renamed sourcetype is case-sensitive” which was documented as a known issue in 7.0 and 7.1 (https://docs.splunk.com/Documentation/Splunk/7.1.0/ReleaseNotes/KnownIssues). Also a new JIRA # however it doesn’t look like the 7.2+ known issues an example of a sourcetype rename: etc/apps/Splunk_TA_windows/default/props.conf [WinEventLog:Security] rename = wineventlog props.conf spec: rename = * Renames [] as at search time * With renaming, you can search for the [] with sourcetype= * To search for the original source type without renaming it, use the field _sourcetype. * Data from a renamed sourcetype only uses the search-time configuration for the target sourcetype. Field extractions (REPORTS/EXTRACT) for this stanza sourcetype are ignored. * Default: empty string ... View more

VolumeManger trim operations are not compatible with S2 and can lead to unpredictable behavior.We should not be mixing S2 indexes and non-S2 indexes on the same volume with maxVolumeDataSizeMB. After separate the indexes to a different volume, the volume manager begins to trimming the exceeding data. [volume:s3] storageType = remote path = s3:/...... #separate s3 indexes and non-s3 indexes for maxVolumeDataSizeMB to work on non-s3 indexes [volume:s3_indexes] path=$SPLUNK_DB maxVolumeDataSizeMB = 7000 [volume:test_indexes] path = $SPLUNK_DB maxVolumeDataSizeMB = 700000 [DA-ESS-AccessProtection] coldPath = volume:test_indexes/AccessProtection/colddb homePath = volume:test_indexes/AccessProtection/db thawedPath = $SPLUNK_DB/AccessProtection/thaweddb repFactor = auto frozenTimePeriodInSecs = 3456000 enableDataIntegrityControl = true maxDataSize = 200 ... [floating-point-index] remote.s3.encryption = sse-kms remotePath = volume:s3/floating-point coldPath = volume:s3_indexes/floating-point/colddb datatype = metric homePath = volume:s3_indexes/floating-point/db maxTotalDataSizeMB = 512000 repFactor = auto thawedPath = $SPLUNK_DB/floating-point/thaweddb maxDataSize = 200 ... View more

Bobby. that is not feasible just out of the Box. My suggestion will be to contact your Sales engineer. ... View more

Starting ing splunk 7.3.1 splunk ensures that bucket copies are not evicted on target indexers after the hot bucket rolls to warm and is uploaded by source. However for buckets that are already warm and that are being converted to s2 and are being uploaded by either the source or the targets, they would not be evicted on upload irrespective of the version. buckets would only be evicted eventually when there is cache pressure ( cache is full). ... View more

Splunk has attribute max_cache_size that set the limit for cacahemanager server.conf [cachemanager] eviction_padding = 10% of disk Space on Partition (in bytes) Refer: https://docs.splunk.com/Documentation/Splunk/7.1.4/Admin/Serverconf max_cache_size=0 Given that max_cache_size is not accounting for hot data, it is likely that space usage is going to be above max_cache_size.o limit the disk usage for both hot data + cached data, you can use minFreeSpace to restrict total disk usage. However, you need to have reasonable total space so hot buckets are not overcrowding the cache. Splunk component CacheManager when put in debug mode provides the stats for key attribute that contribute to the size of Cacahemanager. 02-05-2020 21:09:41.898 +0000 DEBUG CacheManager - The system has freebytes=75354976256 with minfreebytes=5242880000 cachereserve=5368709120 totalpadding=10611589120 buckets_size=313491456 maxSize=314572800 "The system has freebytes=" > freeBytes " with minfreebytes=" > minFreeBytes " cachereserve=" > evictionReservedBytes " totalpadding=" > minFreeBytes + evictionReservedBytes " buckets_size=" > buckets_size " maxSize=" > maxSize Now here is some information on each of this attribute. 1) " maxSize=" << _maxSize; Now this comes from *max_cache_size = * * Specifies the maximum space, in megabytes, per partition, that the cache can occupy on disk. If this value is exceeded, the cache manager starts evicting buckets. * A value of 0 means this feature is not used, and has no maximum size. * Default: 0 2) " buckets_size=" << buckets_size Now this is the total size of the buckets calculated. 3) " totalpadding=" << minFreeBytes + evictionReservedBytes we can see here that totalpadding=10611589120 = (minfreebytes+cachereserve) = (5242880000+5368709120) From the below, we can see that buckets_size can get bigger than maxSize for a temporary period but eventually we will slash it down to maxSize(max_cache_size) OR lesser. Here in this example, we have As you can see how buckets_size is varying with maxSize wrt time. Once we have buckets_size growing above maxSize, the CacheManager will ensure that we evict something and get back within maxSize. server.conf [cachemanager] max_cache_size = 300 ... View more

Yes. avoiding DMC(Monitor Console) on CM is an easy way to prevent this issue. Using some hacking is may also be possible to prevent the issue ieven if you have no other option but to have MC on CM. ... View more

How about the indexes that were migrated to SmartStore? The homePath remains the same after migration and it refers to a volume that had maxVolumeDataSizeMB. ... View more

Editing lookups now require role upload_lookup_files since Splunk Enterprise 7.3.x. This requirement has not been documented yet.When a user without role "upload_lookup_files" attempts to add or edit a lookup they are directed to the Splunk Pony - message Documentation JIRA s in works BUG SPL-176155:Editing lookups roles have changed Splunk 7.3.x and now require new roll upload_lookup_files (which is undocumented)" ... View more

The Indexing -> SmartStore -> SmartStore Cache Performance: Deployment dashboard has a panel at the bottom to show if any cache thrashing is occurring and on which indexes, it might be worth reviewing this to make sure you don't have buckets being evicted then downloaded again shortly. ... View more

Thank you. ... View more

1)ERROR message 06-17-2019 22:48:08.445 -0700 ERROR CacheManagerHandler - ReverseIndex cannot add cacheId="bid|ceg_notification_dispatcher_nsprod~560~74F09ED5-8892-471C-9E6C-CD3BC6EDAC9D|" to search sid="remote_searchhead01-3.prd.cmn.mntspl.us-west-2_subsearch_tmp_1560836883.1" as this search has already completed and closed all buckets S2 has some protection against lagging REST requests. There are times when a search process requests to open a bucket but then the search is stopped and cleaned up before the open request is handled. This used to cause us problems leaving buckets stuck with an invalid search reference which would prevent eviction (see "stale buckets" in jira). We have since noticed that some apps and sometimes search/subsearch will re-use the same SID causing these errors. Since we've recently changed the behavior for stale buckets we're in the process of relaxing this bit so we will let these requests through and avoid the error (for quake and then to be backported) 2)Error message 06-17-2019 22:13:08.380 -0700 WARN CacheManager - Attempting to decrement refcount of cacheId="bid|creditscore_prod_pod8~66~8D530702-839D-4679-BBAA-0E408F8EDAFD|" but sid=remote_searchhead01-1.prd.cmn.mntspl.us-west-2_tpargain_tpargainsearch_search34_1560834740.1903850_B8E7D0B9-BB6E-41DB-928B-411ABBA5AD90 is not an opener The above error means a search tried to close a bucket that it didn't have opened. Any particular context you're looking for? ... View more

Can I use "| inputintelligence" in the correlation search ? | eval TOR="danme_tor_node_list_with_ports" | lookup "danme_tor_node_list_with_ports" ip as All_Traffic.src_ip OUTPUT ip name | where isnotnull(ip) ??? still does not work ... View more

Splunk has a bug to guarantee searchability during rolling restart. The BUG#SPL-168132:Clustered indexes aren't fully searchable during an indexer cluster rolling upgrade This bug is fixed in 7.2.8 and 7.3.x ... View more

Although this question is answered in documentation , but this question comes up quite a bit. It's not easy to roll back changes, for this reason, Splunk has not fully implemented this workflow and never tested it with any significance. Hence officially and otherwise not recommending moving out of S2 once enabled. ... View more

Here is something that will work -To delete bucket both from remote and locally use curl -k -u admn:xxxxxxx https://:24711/services/data/indexes/_audit/freeze-buckets -d bucket_ids=_audit~100~33B81190-7EE1-4FCD-AC6D-DC4E3BEF7E1C -X POST Note: -Done on indexer -works on standalone also -In a cluster environment, the other indexer also would delete the bucket locally -Suitable for S2 environment taking care of deleting remote bucket ... View more

Excellent post, thankyou! ... View more

Here is a procedure that could be attempted to fix the old notable that got unassigned. - Check if the notable are unassigned on all SHC, if not maybe restore lookup incident_review_lookup - Check for backup and see if restoring may be an option. - The other option will be to re-build incident_review from audit data, which means we can only restore data for last 30days ( assuming audit retention is 30 days) Which means we can only rebuild for last 30 days. Look at the incident_review_look that is stored in KVstore to see what is there and how many: |inputlookup incident_review_lookup Back up the incident_review_lookup: |inputlookup incident_review_lookup |outputlookup support.csv Verify you back up the incident_review_lookup: |inputlookup support.csv Check audit for notable events set time picker to all time verify the data looks good: index=_audit sourcetype=incident_review | rex "@@\w+,(? [^,]+),(? [^,]),(? [^,] ),(? [^,]),(?.</em>),(?<user>[^,]+),(?<something>[^,]+)&quot; <br> | eval time=_time <br> | table comment owner rule_id rule_name status time urgency user </p></li> <li><p>Add the events found in Audit to the incident_review_lookup make sure time picker is set to all time: </p> <p>index=_audit sourcetype=incident_review <br> | rex &quot;@@\w+,(?<rule_name>[^,]+),(?<status>[^,]<em>),(?<owner>[^,]</em>),(?<urgency>[^,]<em>),(?<comment>.</em>),(?<user>[^,]+),(?<something>[^,]+)&quot; <br> | eval time=_time <br> | table comment owner rule_id rule_name status time urgency user <br> | outputlookup append=t incident_review_lookup </p></li> <li><p>Verify that your original events plus the audit event are now in inciden_review_lookup: </p></li> <li><p>|inputlookup incident_review_lookup</p></li> </ul> </ul> ... View more

Here is the configuration that eventually worked. 1)Check if their object store uses v2 and/or v4 signatures, and if v4, does it uses a region settings. It's possible they need to configure the following setting: remote.s3.auth_region = Optional The authentication region to use for signing requests when interacting with the remote storage system supporting the S3 API. Used with v4 signatures only. If unset and the endpoint (either automatically constructed or explicitly set with remote.s3.endpoint setting) uses an AWS URL (for example, https://s3-us-west-1.amazonaws.com), the instance attempts to extract the value from the endpoint URL (for example, "us-west-1"). See the description for the remote.s3.endpoint setting. If unset and an authentication region cannot be determined, the request will be signed with an empty region value. No default. 2) Managed to o execute splunk rfs command against his Netapp Storagegrid object store, and is able to successfully complete his SmartStore configuration, after adding: remote.s3.signature_version = v2 remote.s3.clientCert = Note: "remote.s3.clientCert = " would return null value, which in this case was fine, but same config might work for other Storagegrid env. indexes.conf stanza for future reference: indexes.conf stanza for future reference: storagegrid s3 tenant [volume:splunkdata] storageType = remote path = s3://splunkdataprod remote.s3.access_key = remote.s3.secret_key = remote.s3.endpoint = https://: remote.s3.signature_version = v2 remote.s3.clientCert = [test] repFactor=auto remotePath = volume:splunkdata homePath=$SPLUNK_DB/test/db coldPath=$SPLUNK_DB/test/colddb thawedPath=$SPLUNK_DB/test/thaweddb maxDataSize = auto ……. ... View more