About brentrmc

PickleRick · ‎02-24-2023

Without knowing your data we can't really offer any reasonable advice but I suspect that it could just be resolved by proper data onboarding. (unless your events are really _completely_ unstructured).

codebuilder · ‎03-16-2020

This generally indicates that load balancing on your forwarders is not optimal. You can set the forwarders to use time or data based load balancing, and when you see this type of unbalanced behavior you should adjust. Forwarders will switch indexers based on time or data. In a busy cluster, it is good practice to use time vs data (seconds vs MB's e.g.). This way, the forwarders will pick a new indexer every 30 seconds, or whatever you pick, rather than getting "stuck" on one indexer based on MB's/data. https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Setuploadbalancingd

brentrmc · ‎09-02-2019

Awesome, thank you!

brentrmc · ‎08-05-2019

Awesome info, thanks!

brentrmc · ‎04-29-2019

This answered my question. Thank you!

Posts	13
Solutions	0
Karma Given	4
Karma Received	1
Member Since	‎04-26-2019

Online Status	Offline
Date Last Visited	‎10-27-2023 11:20 AM

How to use a field value to search _raw?

Why are my processing queues full on some indexers...

How can I use btool to find where a specific index...

How to log in to Splunk free for the first time?

Having trouble opening Splunk after install on mac...

Re: How to use a field value to search _raw?

Re: Why are my processing queues full on some inde...

Re: How can I use btool to find where a specific i...

Re: How to log in to Splunk free for the first tim...

Re: Having trouble opening Splunk after install on...