Hi I thought that the bucket command would split events into two bins that cover half the search span if i use 2 bins on _time: index=_internal | bucket _time bins=2 | stats count by _time Depending on the selected time range bucket will only create 1 bin. This search yields the results I expect: index=_internal | addinfo | eval half_span=(info_max_time-info_min_time)/2 | eval cur=if(_time>info_max_time-half_span,1,0) | stats count by cur | sort -cur Can someone explain how bucket is used properly? Thanks Chris ... View more

If I have a Splunk environment/installation that consists of at least one search head and multiple indexer installations is there an easy way to determine which commands perform well (and which commands do not)? From the following technical paper I found out, that there is a map and a reduce part for every search: http://www.splunk.com/web_assets/pdfs/secure/Splunk_and_MapReduce.pdf I am assuming that streaming commands are the ones that can be run in parallel during the map part of the search: http://docs.splunk.com/Splexicon:Streamingcommand I am also assuming that in the Job inspector the "remoteSearch" part is the part of the search that can be run in parallel which is efficient: http://docs.splunk.com/Documentation/Splunk/6.1.2/Knowledge/ViewsearchjobpropertieswiththeJobInspector From experience I know, that the "stats" command can be a much better option (from performance perspective) than "transaction". Is there any documentation with information about performance/internals about how the commands distribute? Thanks Chris ... View more

I would like to set up a real time alert that triggers once per hour if no events occur for a search but not on week ends. What is the best way to implement this? Thanks Chris --- Update --- Sorry I was not very clear on the actual requirement behind the question. I want to monitor an application that logs successful data transactions. Every 30 minutes a keepalive "transaction" is logged. It is ok if one keepalive event is somehow lost (not logged, not executed, ...). So Splunk should get at least one message per hour if not there is an SLA violation, if this happens on a business week day. I initially thought that the realtime search was a good idea because of the sliding window it looks at. -> This is not necessary/the wrong approach. I can have a historical alert that runs at a certain intervall and checks the time delta between the last received event and now() and alert if it is bigger than 3600s. ... View more

Is it possible to configure the dropdown input to take the first row returned by the populating Search as its default? If I configure the dropdown as follows it just has an empty field as its default. <input type="dropdown" token="source" searchWhenChanged="true"> <label>Select a Sourcetype:</label> <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype" earliest="-24h" latest="now"> <![CDATA[index=_internal | stats count by sourcetype]]> </populatingSearch> </input> Thanks, Chris ... View more