Hi @TheJagoff  If you do not want your main index buckets to be frozen then you should set both coldToFrozenDir and coldToFrozenScript to blank values (which is the default unless specified elsehwere). coldToFrozenDir = coldToFrozenScript = By not setting coldToFrozenDir and not having a coldToFrozenScript, you effectively cause the data to be deleted when frozen. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Found the issue: We built a standalone SH and copied the $SPLUNK_HOME/etc/apps directory from the SHC to it.  Started removing apps on the test server, one at a time, and when we removed one of the Apps and restarted., the searches started to work again. One of our crew found the following in the app the was just removed: [source::stream:Gigamon] EVAL-_time = strptime('timestamp', "%Y-%m-%dT%H:%M:%S,%N") This seems to be the issue. We went back to the SHC and specified a source without removing anything and it pulled data. Not really clear on why that would make a difference, but it does. The main takeaway from this is that a configuration change that had an effect on _time caused this issue. ... View more

Again, I'll answer my own question - since I had Split on Entities as "Host" - that needs to be in the search statement. To correct this, I did the following: index=demo sourcetype=access_combined action=purchase|bucket _time span=5m|stats count by _time host It now works... ... View more

You need to put the span argument directly in the timechart command. Otherwise, it recalculates a span based on your search period. New search to try: index=wineventlog user="*.ad" TaskCategory="Security Group Management" | timechart span=10m count AS EventCount ... View more

Sorry for the answer above, did not fully understood you. I think its not ideal to search by "object" as each object has more then one counter and each counter has values that match the counter so you can see for example under object="Processor" you have counters that represents percent (value between 0-100) and other that represents Interrupts/sec for example with values in range of 0-100000. that has large impact on the avg. regardless, you can just split by whichever field you find valuable and splunk will obey: index=perfmon host=(serverA OR host=serverB) (object="Processor" OR object="Memory" OR object="Network Interface") | stats avg(Value) by object cpu_percent field3 field4 fieldn here are 2 screenshots, first is based on split by object, second is split by counter ... View more

I will answer my own question... The following will actually work as a search for a KPI... |inputlookup lookup_assets.csv |stats dc(public_table) AS CriticalApps| eval _time = now() But - after getting some more information from the client; this is not an efficient method for a KPI that will be executed every 5 minutes. This input lookup table is used for further calculations for a KPI that gathers more information so the best way to display this information is as an adhoc widget in a glass table. So yes, it can be done - no it's not the best way of doing things if it is only going to be used for visual information via Glass Table in ITSI. ... View more

Found that I would need to ingest the cron log on any server that this condition is required. ... View more

I'll answer my own question. I had to isolate which one of the lookup csv files was complaining. After that, there were indeed 11 occurrences where there were commas in the second field thus causing this error. There were well over 1000 lines in this file, so it was a little tedious. ... View more