I built a version control app for allowing backup and restore of what users created but there are many approaches to this issue. The app is linked in my signature. Other options for backup or config management include those from community slack. Pasted below  Helpful links for configuration management and deployment automation: - https://pypi.org/project/kintyre-splunk-conf/ - https://github.com/Bre77/splunk-config-editor - https://github.com/paychex/Splunk.Conf19 - https://github.com/paychex/splunk-python/tree/main/Splunk2Git - https://splunkbase.splunk.com/app/4355/ and https://splunkbase.splunk.com/app/5061/ - https://github.com/atkouki/splunk-cloud-cicd - https://github.com/splunk/acs-privateapps-demo - https://splunkbase.splunk.com/app/6368/ (btool output, even for indexers) - https://github.com/gjanders/Splunk many scripts for managing KOs via REST API - Export custom apps (including local) and local config from splunkbase apps: https://splunkbase.splunk.com/app/6686   ... View more

Alerts for splunk admins has an example for historical searches using the introspection data. Refer to my signature for a link                                ... View more

So repeating what @isoutamo and @PickleRick have mentioned, don't mix volumes and non-volumes on a path, that will not end well. Additionally, when you size your volume, maxVolumeDataSizeMB , keep in mind that this is for the buckets. The DMA objects do *not count* towards this size, so if you have DMA you need to change the volume:_splunk_summaries as well or you may fill that disk with summaries. Another tip is that if you use dbinspect or similar to measure the size, I found in previous versions (7.x or prior) I saw a difference of around 25% between what Splunk measured and what I saw on the actual disk of a Linux server. Finally, this game changes completely for smartstore , in that case you just configure cache padding instead...(and/or you can use maxGlobalRawDataSizeMB per-index which is for the whole index, not per-indexer server). Since you are not using smartstore, maxTotalDataSizeMB is per index (which you could override in [default], but also *per* indexer, so you need to do the maths carefully. ... View more

While I'm not completely sure what the new endpoints might be, one thing you might try doing is doing an update on the UI and watching the splunkd_access.log file in $SPLUNK_HOME/var/log/splunk to see if you can tell which endpoints are used You might be able to determine the endpoint required to update the config from there... ... View more

@guilmxmFYI ... View more

The transferknowledgeobjects script I wrote may help https://github.com/gjanders/Splunk/ or https://github.com/gjanders/Splunk/blob/master/bin/transfersplunkknowledgeobjects.py for a direct link ... View more

Have you read the docs https://splunk.github.io/splunk-connect-for-syslog/main/ ? Perhaps getting started in particular https://splunk.github.io/splunk-connect-for-syslog/main/gettingstarted/ ? ... View more

If you instead interested in a selective export you could use Export Everything from SplunkBase ... View more

You could add an idea for this https://ideas.splunk.com/ideas Very old versions of Splunk used to allow you to query the fishbucket, I don't believe any modern version does. However the data may be of limited use, it's mostly checksum's in there so that may limit the use of any output... I am unaware of a way to show the contents of the fishbucket ... View more

Also refer to previous answers https://community.splunk.com/t5/Dashboards-Visualizations/Version-control-management-for-Splunk-Dashboards-Reports-and/td-p/437788   Version control for splunk also does this among other options...the knowledge object overview app on SplunkBase has some queries for this too. https://splunkbase.splunk.com/app/5399/ ... View more

As per the initial question you can lower the size of the fishbucket but I have not heard of a way to look at the contents. The btprobe command can work with the fishbucket on a per file basis. I don't think removing the backup files is a good idea, I believe they are part of  the function of the forwarder  ... View more

I also logged this as a case and confirmed it's a bug, in my case it will be fixed in the next minor/major release and not a maintenance release. As an alternative for my userbase I'm going to install the number viz addon from SplunkBase, as we won't be upgrading for a while... ... View more

Did support happen to provide a jira for this? I have the exact same issue and may need to also log a ticket 😞 Also version 8.2.5, single value scaling is the issue... ... View more

Also hit the same issue in 8.2.5, logged a new case Note that adding the option  include_reduced_buckets=t works in most cases, I've found it doesn't work when combined with PREFIX ... View more

There might be a log relating to the migration in $SPLUNK_HOME/var/log/splunk However this is potentially support case territory now, and you may wish to log a case ... View more

I've used nearly identical settings and it works.   If you hit same endpoint using the actual curl CLI tool do you see the same issue? ... View more

I tried: | tstats values(sourcetype) where index=_internal by index That works and | tstats count where index=_internal by sourcetype Also works on 8.2.0   Did you have the time range set correctly to find data? ... View more