try this: index=_audit action=search is_realtime=1 | eval search_type=case( search_id LIKE "scheduler%", "Scheduled Search", search_id LIKE "rt_scheduler%", "Real-Time Scheduled Search", search_id LIKE "dashboard%", "Dashboard", search_id LIKE "adhoc%", "Ad-hoc Search", 1=1, "Ad-hoc Search" ) | eval human_readable_time = strftime(_time, "%Y-%m-%d %H:%M:%S") | stats count by user, search_type, _time | rename human_readable_time AS "Time", user AS "User", search_type AS "Search Type", count AS "Search Count" | sort - "Time" ... View more

Here <source>means have you typed exact path of the file or just <source> as is? ... View more

I tried editing from UI, increased the maxresults to 1000000 ,post that I am able to see only 50k results, but not all the results What other configurations needs to be changed in order to get all the results?  ... View more

No, I am using 9.1 and 9.3. However, I am experiencing the same problem on Red Hat 8. I will start a new thread as per your advice.  ... View more

As already stated, splitting inputs into separate apps and associating them with different serverclasses is the way to go. An input is a relatively "simple" idea. It might have features letting you filter _what_ you're ingesting (like particular files or windows event ids) but not _where_ they run or not.   ... View more

This is a thread from so long ago and is about a long forgotten version. Nowadays collect is much more flexible, especially if you're using output_format=hec ... View more

260 get me ? Yeah it can be a real headache, I tried LongPath Tool Program which helped a lot. ... View more

Hi @Naa_Win , try this, even if I did it more than five years ago, but it should still run! | rest splunk_server=local /services/deployment/server/clients\ | table hostname ip utsname *.restartSplunkd\ Ciao. Giuseppe ... View more

I have the same question, which capabilities are needed for the "Add Data" button? ... View more

@sudosplunk the setting is expected to be in inputs.conf ( not in custom inputs.conf). All modinputs honor meta setting starting 6.4 https://community.splunk.com/t5/Getting-Data-In/UF-Route-inputs-to-specific-indexers-based-on-the-data-s-input/m-p/147597 ... View more

Was getting similar errors too. Adding the /raw in my curl statement resolved the issue. ... View more

Responding to this bc we recently received the same question at Community Office Hours. In case anyone else is looking to do this, here's the expert guidance:  Option 1: Workload Management is your friend here. A very easy implementation without messing with all the roles  Workload Management examples (see scenarios 1 and 2) Configuring workload rules Option 2: Use Role Limitations to dictate the rule Follow guidance in: How to restrict usage of real-time search ... View more

Close. You don't need to restart the DS. Just reload the deployment classes. (if you're doing it via CLI, if I remember correctly, the GUI takes care of that automatically) ... View more

@inventsekar Thank you for your response. There is not just one Dashboard. We need to list out all the Dashboards that have autorefresh enabled. For which we don’t want to go one by one looking into the dashboards to find out because there are more than 1000 dashboards. Thank you in advance. ... View more

Thank you Emily Can you talk more about your services? Im interesting in this. ... View more

Hi to getting REST queries to work, all those servers must be defined as search peer to this instance. Usually you define only indexers as a peer for SH so that's reason you are not founding other SHs with it except on MC where you already have added those to be a peer to get REST API and MC working correctly. Scheduler is running on full splunk instances where are some search activities. This means at least SH and IDX and CM. Maybe also some HF could match to this and LM, DS and Deployer (cannot check it now). Easy way to drop IDXs away from that list (if you have only one IDX cluster/indexer where you send your internal logs) is | tstats count where index=_internal sourcetype=scheduler NOT [| tstats count where index=_internal sourcetype=scheduler by splunk_server | fields splunk_server | rename splunk_server as host | format] by host | table host | rename host as "Instances which can use as SH" If you have serveral IDXc + indexers connected to this SH then you need add some other indexes here to get full list of splunk_servers where events are stored. r. Ism  ... View more

One nice feature is shell completion. You could start it by  will be packaged with future (after 6.x) releases of Splunk; it will be found in SPLUNK_HOME/bin/ directory; further, the SPLUNK_HOME/bin/setSplunkEnv util will run this script, and confirm success with the message   Tab-completion of "splunk <verb> <object>" is available. More on https://community.splunk.com/t5/Deployment-Architecture/CLI-command-completion-Yes-and-here-s-how-For-bash-4-0-and/m-p/82552 and somewhere in docs, but I can’t found it now. Sourcing above to shell also se $SPLUNK_HOME r. Ismo ... View more

I don't understand the point of this link, it literally just takes us to the online Managing Indexers and Clusters of Indexers manual Use maintenance mode section    ... View more

did you manage to clear the exam? ... View more

can you please provide solution on this. We have same plan to integrate with splunk and HPOM and servicenow. ... View more

Hi there， i'm a new splunker I'd like to know what's means of these search result, such as "management", "default-autolb-group:xxx.xxx.xxx.xxx:9997:3:1" i can understand there is my HF ip and port, but what's means of :3:1, I have seen :0:0, :0:1.... thanks in advance. @woodcock  ... View more

As in my answer to main question, maybe the problem in your case continues with queue resizing, and, moreover, you will have other issues with your instance. The best practice is not move the queues size, do it only in case of an emergency meanwhile you request a support checking to determine where is the real problem. In your case, maybe the problem is disk IOPS, maybe a networking problem (check if you are using the same network device for input and output, the network speed, and if there is not any blockage at network level), or the number of events incoming in your instance from other forwarders, the number of other forwarders sending data through this router forwarder. Check that the server is not having any other problems related with CPU or RAM, if is Linux, that the server is correctly setted up, disabling Transparent Hugepages, modifying ulimits, filesystems used are consistent with Splunk's recommendations (System requirements for use of Splunk Enterprise on-premises - Splunk Documentation), etc Hope you can get the real issue and solve it. ... View more

We need to clean the dispatch directory in a SH clustered environment. We didnt found any best practices for the clean-dispatch command and the Splunk documentation doesnt help either. https://docs.splunk.com/Documentation/Splunk/9.0.3/Search/Dispatchdirectoryandsearchartifacts Should we run the clean-dispatch command node per node? Stop node, clean-dispatch, start node? Or should we stop the whole SH cluster, then clean-dispatch each node, and then start the nodes? ... View more

Yes and no. As described in https://docs.splunk.com/Documentation/Splunk/9.0.3/Indexer/indexerdiscovery  If the manager node goes down, the forwarders will rely on their most recent list of available peer nodes. However, the list does not persist through a forwarder restart. Therefore, if a forwarder restarts while the manager is down, it will not have a list of peer nodes and will not be able to forward data, resulting in potential data loss. Similarly, if a forwarder starts up for the first time, it must wait for the manager to return before it can get a list of peers. Also, when using indexer discovery, each peer node can have only a single configured receiving port. The port can be configured for either [splunktcp] or [splunktcp-ssl], but not for both. You must use the same method for all peer nodes in the cluster: [splunktcp] or [splunktcp-ssl]. ... View more

[setnull] Do not use stansa name like this.  What happens if you have two app with samme stansa name, it may give you problem Use f.eks.  [remove_firewall_sensor_abcd]  ... View more