Hi @MuS  Sorry for the direct contact, I hope it's ok to ask you a question about "Add-on Debug Refresh". I have used it for years and it's brilliant, however, I have just moved to a cluster(Christmas 2020) 1 SH, 1MN, and 3 INDEXERS but I have your app installed on the search head, but I keep getting this when running it. " External search command 'refresh' returned error code 1. . " I have the permissions set to read and write form ADMIN and I am logged in as ADMIN. Any ideas, what I might need to do as I really love this tool. Robbie ... View more

Hi We are seeing a long lag for our forwarders to send in data to Splunk - up to 4 hours!!!   When we run this command we can see the output with a high max_lag in seconds. We are monitoring a file directory with lots and lots of files (100,000+) we are wondering if this could be the issue and is there some way to know from the forwarder it cant keep up? Or is there another solution? We are testing this prop now, but we are unsure if it will help, as we are unsure if it is the issue? ignoreOlderThan = 1d           index=* host = TEST_CLUSTER1 sourcetype!=G1 | eval lag_sec=_indextime-_time | stats max(lag_sec) as max_lag max(_indextime) as max_index_time max(_time) as max_event_time by sourcetype host source | addinfo | eval index_lag_for_search = info_search_time - max_index_time | eval event_lag_for_search = info_search_time - max_event_time | sort - max_lag | table sourcetype host source max_lag info_search_time info_min_time info_max_time, max_event_time, max_index_time, , index_lag_for_search, event_lag_for_search           The image below shows the slowness of some of the files.   ... View more

Hi We have a forwarder that is sending partial data. We can identify the files that it is not sending (Image below). However, when we copy the forwarder and change only the host name, it sends the reminding files that were missing, we don’t delete fish buckets we just restart it and give it a new host name…any ideas?         [monitor:///net/dell552srv.fr.murex.com/dell552srv1/apps/AMBER_PSC47_SEC1.../*.log] disabled = false host = TEST_CLUSTER1 index = mxtiming_live whitelist=mxtiming.*\.log$ blacklist=logs_|fixing_|tps-archives|mxtiming_crv_nr.*|mxtiming_437_dell552srv.fr.murex.com_215699.log crcSalt = <SOURCE> sourcetype = MX_TIMING2           props         [MX_TIMING2] FIELD_DELIMITER = | DATETIME_CONFIG = NO_BINARY_CHECK = true category = Custom description = MX_TIMING disabled = false pulldown_type = true REPORT-MX-TIMING = REPORT-MX-TIMING2 EXTRACT-MX-TIMING = ^(?:[^\|\n]*\|){6} *-*(?P<Elapsed>\d+\.\d+)\w+\| *-*(?P<CPU>\d+\.\d+)s\| *-*(?P<CPU_PER>\d+)%\| EXTRACT-MX-TIMING2 = ^(?:[^\|\n]*\|){11} *-*(?P<Elapsed_C>\d+\.\d+)\w+\| EXTRACT-MX-TIMING3 = ^(?:[^\|\n]*\|){9} *-*(?P<RDB_COM1>\d+\.\d+)s\| *-*(?P<RDB_COM_PER1>\d+)%\s+\| EXTRACT-MX-TIMING-Memory = \| *(?P<Memory>\d+\.\d+)Mb(\|\s?(?P<VmHWM>\d+\.\d+)Mb)?(\|\s?(?P<Malloc>\d+\.\d+)Mb)?$ TRANSFORMS-set = setnull, setparsing_mxtiming           Transform         [setparsing_mxtiming] REGEX = (Deal insertion|contract insertion|Realtime Shutdown|SessionCreate|SessionKill|Read SHM|Read_SHM|Updated keys|Portfolio_Load|Viewer|Publishing Config|simulation|BOS|MPC|MXWAREHOUSE|RequestDocument|LOGIN|event|Bulkportfoliomodification|Bulkunwind|unwind|Event_insertion|Deal_input) DEST_KEY = queue FORMAT = indexQueue             ... View more

Hi I am moving from one machine to a 5 machine cluster. 1 SH 1 Master Node 3 Indexer What are the steps I need to migrate all my users? And to what machine do I need to copy the new files to? Thanks in Advance Rob ... View more

Hi I have an environment that is increasing in files each day, this I think is causing high CPU on the forwarders as the number of files is increasing. I am looking to prove this, so is there a command I can run on the forwarder that will tell me the number of files it is monitoring, etc... or something that will give me data on this topic? Regards Robert Lynch ... View more

Hi We are upgrading from 1 standalone machine to 5 machines. I am looking to get a cluster up and running. Originally we were only going to use 4 and have 1 SH and 3 indexers, however, it looks like we have to have a "Master Node". So is the best way forward 1MN, 1SH, 3 indexers?  Will The MN be used as a SH or will the machine be sitting ideal most of the time? So basically I will have 2 SH and 3 indexers? Regards Robert ... View more