I have been reading this doc on how to configure forwarders to use indexer discovery in a multisite cluster. http://docs.splunk.com/Documentation/Splunk/7.0.0/Indexer/indexerdiscovery#Use_indexer_discovery_in_a_multisite_cluster The doc talks about setting the following in server.conf for site awareness. [general] site = site-id How do I configure site awareness if I want my forwarder to talk to site1 in multisite-cluster1 and to site2 in multisite-cluster2? Thanks in advance. ... View more

I have a savedsearch defined in my savedsearches.conf like the following [my_saved_search] search = "index=........" earliest = "-30d@d" ....... Hence the savedsearch view and the mysplunk.com/myapp/reports/ shows this saved search as "my_saved_search". Is there an attribute that I can set to override the name of the saved search (because I don't want the display to have underscore). As mentioned in the savedsearches.conf I tried setting displayview = My Saved Search but doesn't seem to work. Any help is appreciated. ... View more

I'm trying to migrate the custom settings in the default search app in a standalone SH to the cluster members in a Search Head Custer and I'm following this documentation. http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/Migratefromstandalonesearchheads I created an app called search_migration_app and copied the contents of the local directory (from the search app) to the this app. I also created the local.meta file under the metadata directory in search_migration_app and added the configs to export the settings globally. Once I push this app from the deployer, the search heads contains the search_migration_app directory with only an app.conf file under the default folder and a default.meta inside the metadata folder. I can't find any objects that I'm trying to migrate. Any idea what is happening here? May be I'm missing something simple here. Any help is appreciated. ... View more

I was trying to accelerate a search with join command(trying to accelerate two searches). When I look at the job inspector, it says the search is using summaries for the search. But I think only the first search is accelerated and the second search is executes normally because the job inspector doesn't show the subsearch using any summaries. I also tried accelerating the searches separately, with the expectation that each search in the combined search (search with JOIN) would match with the individual accelerated search and use the summary for searching. However the combined search only uses the summary created by the first search. Lets say if this is the structure of the search index=myindex sourcetype=sourcetype1 | eval something =1| stats count(something) as count by somethingelse |JOIN somethingelse [search index=myindex sourcetype=sourcetype2|stats max(splunk_is_awesome) as max by somethingelse] | table somethingelse max count In the above search index=myindex sourcetype=sourcetype1 | eval something =1| stats count(something) as count by somethingelse gets accelerated but the subsearch doesn't get accelerated index=myindex sourcetype=sourcetype2|stats max(splunk_is_awesome) as max by somethingelse Any thoughts ?? ... View more