Have you read the docs https://splunk.github.io/splunk-connect-for-syslog/main/ ? Perhaps getting started in particular https://splunk.github.io/splunk-connect-for-syslog/main/gettingstarted/ ? ... View more

If you instead interested in a selective export you could use Export Everything from SplunkBase ... View more

You could add an idea for this https://ideas.splunk.com/ideas Very old versions of Splunk used to allow you to query the fishbucket, I don't believe any modern version does. However the data may be of limited use, it's mostly checksum's in there so that may limit the use of any output... I am unaware of a way to show the contents of the fishbucket ... View more

As per the initial question you can lower the size of the fishbucket but I have not heard of a way to look at the contents. The btprobe command can work with the fishbucket on a per file basis. I don't think removing the backup files is a good idea, I believe they are part of  the function of the forwarder  ... View more

I also logged this as a case and confirmed it's a bug, in my case it will be fixed in the next minor/major release and not a maintenance release. As an alternative for my userbase I'm going to install the number viz addon from SplunkBase, as we won't be upgrading for a while... ... View more

Did support happen to provide a jira for this? I have the exact same issue and may need to also log a ticket 😞 Also version 8.2.5, single value scaling is the issue... ... View more

Also hit the same issue in 8.2.5, logged a new case Note that adding the option  include_reduced_buckets=t works in most cases, I've found it doesn't work when combined with PREFIX ... View more

I've used nearly identical settings and it works.   If you hit same endpoint using the actual curl CLI tool do you see the same issue? ... View more

I tried: | tstats values(sourcetype) where index=_internal by index That works and | tstats count where index=_internal by sourcetype Also works on 8.2.0   Did you have the time range set correctly to find data? ... View more

Try datafield=data   | curl method=post uri="https://api.something/v2" headerfield=header datafield=data debug=t verifyssl=false   ... View more

Just to confirm that there is no '5 server' limit for the HF to send data to. Did you test running splunk btool outputs list on the HF in question to ensure it does list all indexers in the outputs stanza that is in use? Splunk inputs.conf can also be used to set _TCP_ROUTING, along with props/transforms.conf...assuming you have multiple stanzas in outputs.conf. ... View more

There is no documentation I know of that documents the difference beyond the spec file ( https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf ) tsidxWritingLevel = [1|2|3|4] * Enables various performance and space-saving improvements for tsidx files. It is set to  1 by default in case you have older Splunk versions in the cluster, I use the highest version available (4). ... View more

While I used: "For the requirement to add "multiple TB of the legacy standalone bucket to Smarstore cluster deployment", we should use migration and not bulk_register. In this case, you can remove $SPLUNK_HOME/var/lib/splunk//db/.buckets_synced_to_remote_storage and restart the indexer and the bucket will be re-uploaded."   My only recommendation is that if you migrate the buckets from a single-site indexer cluster to a multi-site indexer cluster you consider changing the (old) cluster to multi-site pre-migration. I hit a strange issue months later where as the buckets froze the cluster manager/master node kept querying smartstore for the buckets triggering 404 errors. The issue disappeared on restart of the cluster master but it happened for any buckets that were migrated from the single site cluster using the above method, so I'm wondering if the fact that the buckets were not multi-site were part of the issue... Another alternative to a restart would be (as mentioned in the support case): curl -k -u admin:<password> -X POST "https://<cm>:<mgmt_port>/services/cluster/master/buckets/<bucket_id>/remove_all" ... View more

Also refer to https://www.aplura.com/assets/pdf/where_to_put_props.pdf ... View more

Would this cron app work?  https://splunkbase.splunk.com/app/4027/#/overview you can pass it a start epoch and a cron schedule  ... View more

An update just appeared today. Does that fix any of the issues? ... View more