It is not working.  I did add/update workload_rules.conf on all our Splunk SH's in our cluster still no luck.  Does it need any Splunk restart or do I have to assign it to users / roles just thinking loud. This is what I have in workload_rules.conf under /opt/splunk/etc/apps/search/local   [search_filter_rule:WildcardSearch] action = filter predicate = index=* OR search_time_range=alltime user_message = Please provide index name ... View more

I tried creating a Admission rule for the condition "index=* OR search_time_range=alltime" but looks like the setting is not getting applied. Users are still able to search for index=*. Does this work on Clustered environment or is there any additional steps I need to follow for cluster env?  We have SH cluster. ... View more

😞 I will put some sample data here for better understanding of my usecase. Index A contains events like below.  Here I already did a field extraction for IP address Hostname FQDN and named it as Reporting host.  This is basically list of servers that are forwarding logs. 2023-02-21 00:14:43.6543016070 2.2.2.2 2023-02-21 00:14:43.6213010920 abc.domain.net 2023-02-21 00:14:43.6543016070 4.3.2.1 2023-02-21 00:14:43.6213010920 xyz.domain.net 2023-02-21 00:14:43.6543016070 1.1.1.1 2023-02-21 00:14:43.6213010920 pqr so when I index=A | stats count by Reporting_host, the result is below.  First of the query works.   Reporting_Host 2.2.2.2 abc.domain.net 4.3.2.1 xyz.domain.net 1.1.1.1 pqr Now I have second index which is from our CMDB which contains Server information like owner, BU, location etc. 2023-02-20 07:47:14.269, CI_Name="xyz.domain.net", Hostname="xyz", Domain="example.com", Environment="QA", IP_Address="3.5.4.6", Tier1="Hosting", Tier2="Processing unit", Tier3="Server", Operating_System="windows", OS_Version="Server 2016", Priority="Priority_5", Server_Owner="Owner3" 2023-02-20 07:47:14.269, CI_Name="pqr.domain.net", Hostname="pqr", Domain="example.com", Environment="QA", IP_Address="13.15.14.16", Tier1="Hosting", Tier2="Processing unit", Tier3="Server", Operating_System="windows", OS_Version="Server 2016", Priority="Priority_5", Server_Owner="owner2" 2023-02-20 07:47:14.269, CI_Name="Host1.domain.net", Hostname="Host1", Domain="example.com", Environment="QA", IP_Address="2.2.2.2", Tier1="Hosting", Tier2="Processing unit", Tier3="Server", Operating_System="windows", OS_Version="Server 2016", Priority="Priority_5", Server_Owner="owner1" My usecase is I need to map the Reporting_host from index A with index B data and get the server information.  Challenge I am facing here is, Reporting_host as shown above is list of IP address, FQDN, Hostnames ( all comes in separate events like some hosts are reporting with IP address, some are reporting with FQDN and rest with IP address so the results) so how can I compare REporting_host with CMDB data and get the Server information.  If the Reporting_host comes in one format like hostname or IP address the comparison could have been easy so I will just use join and the common field would be Reporting_host comparing it with Hostname in index B.  Since the Reporting_host is has 3 different formats how do I compare them ?  I hope I explained my usecase in detail now.  Sorry for too many post. For above ex: my output should be Reporting_Host Server_Owner 2.2.2.2 Owner1 xyz.domain.net Owner3 pqr Owner2   ... View more

Hi @yuanliu  Thank you for looking into it.  When I say mix of values (Reporting_host), I meant like below Reporting_Host (not a string that contains IP host and FQDN but its like below but list of individual values) abc@domain.com 100.10.10.10 abc xyz 44.16.23.01 xyz@domain.com and goes on..   ... View more

Query seems to be working but partially.  When I run the query I get results for splunk_server whose one of the  parsing queue pipeline is not greater than the threshold I set (which is >80). As per my requirement this server xyz should not showup as its parsing_queue.0 is not greater than thershold. (It should only report if all its 3 pipelines 4 Queues are greater than 80). title fifteen_min_fill_perc splunk_server aggQueue.0 87.79 xyz aggQueue.1 87.66 xyz aggQueue.2 86.22 xyz indexQueue.0 88.43 xyz indexQueue.1 87.96 xyz indexQueue.2 89.16 xyz parsingQueue.0 65.10 xyz parsingQueue.1 86.32 xyz typingQueue.0 88.28 xyz typingQueue.1 87.87 xyz typingQueue.2 89.13 xyz Appreciate if you could also help me understand more on why dc is used here and how does it work?   ... View more

@tscroggins  Thank you for looking into my query.  I tried the search query you posted and the results are same as my search query.  What I am looking for a consolidated report for example, in the output I pasted in my original post, instance "Y" has all the four queues full (parsingQueue* OR title=aggQueue* OR title=typingQueue* OR title=indexQueue) so my output should only be this instance name.  I will set up and alert for this host for further action.  Any suggestions pls ?   ... View more

Yes App is pulling logs and I did test is by enabling index and forward setting on HF.  No errors or Warning in app logs and index is created correctly.  I do see logs data transfer for this checkpoint on metrics.log also under  _internal index.  Unfortunately im unable to past metrics logs ... View more

I am running this on a Linux box 😞 ... View more

Hi inventsekar, I did read about this but not sure if it suits my requirement here or not. fschange will monitor for any modifications but my file doen't have any modifications once it gets created. Not sure why I can use this in my case. ... View more

Hi Emeelan, any update you have on this? is this feature request completed? Thank you ... View more