Yes, tried stop-all and start-all command many times. Also, server reboot done and start-all command ran. Still facing same problem. ... View more

can you try splunk_server=local in both the places... ... View more

When you put a search macro in a search string, place a back tick character (`) before and after the macro name. On most English-language keyboards, this character is located on the same key as the tilde (~). dmc_exclude_indexes ... View more

Are you looking for this: Alert: | rest splunk_server=### /services/data/indexes datatype=all | join title type=outer [| rest splunk_server=### /services/data/indexes-extended datatype=all | fields title, total_bucket_count] | `dmc_exclude_indexes` | fields title maxTotalDataSizeMB currentDBSizeMB | eval currentDBSizeGB = if(isnotnull(currentDBSizeMB), round(currentDBSizeMB / 1024, 2), 0) | eval maxTotalDataSizeGB = if((maxTotalDataSizeMB == 0) OR isnull(maxTotalDataSizeMB), "unlimited", round(maxTotalDataSizeMB / 1024, 2)) | eval percused = round((currentDBSizeMB / maxTotalDataSizeMB) *100,2) | fields - maxTotalDataSizeMB currentDBSizeMB Result: title currentDBSizeGB maxTotalDataSizeGB percused _audit 15.89 488.28 3.25 _internal 487.35 488.28 99.81 _introspection 3.53 488.28 0.72 If percused > threshold, then trigger alert... Note: Replace ### with your hostname. ... View more

Are you talking about index size, per day, which is 150-200 GB or indexing rate which will be KB/s? ... View more

Use below smart app - Meta Woot! https://splunkbase.splunk.com/app/2949/ The Meta Woot! Splunk app from Discovered Intelligence provides superior levels of insight and intelligence from your Splunk metadata and now your Splunk license data too! The app maintains a near real-time state table of host, sourcetype and index metadata. Meta Woot! is accurate at scale and allows users to instantly report on host, sourcetype and/or index together. The app includes summary based event count trending, correlation of event volumes against license and includes compliance reporting on both data latency and indexing. ... View more

What is average indexing rate in your case? We can make a threshold for this one and if that threshold get touched we can create a alert. Please provide more details... I can help you with that. ... View more

Are you looking for something like below scenario: Test - XXX <input type="text" token="user_input_tok"> <label>User Input</label> </input> <panel> <table> <title>Testing</title> <search> <query>index="_internal"| top limit=$user_input_tok$ date_hour</query> <earliest>-15m</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> Put any value in a textbox and enter. Modify user search query as per your requirement. ... View more

My Bad... Thanks... ... View more

Sorry I don't have any now. As per answer from - https://answers.splunk.com/answers/403320/how-do-i-suppress-alerts-until-the-next-day-at-12.html Original Alert - | rest /services/licenser/usage | eval "% used"=round(slaves_usage_bytes/quota*100,2) | where '% used' > 75 | fields "% used", "updated" Updated Alert - | rest /services/licenser/usage | eval "% used"=round(slaves_usage_bytes/quota*100,2) | appendcols [search index=_internal sourcetype=scheduler thread_id=AlertNotifier* savedsearch_name="PUTYOURALERTSEARCHNAMEHERE" earliest=@d | head 1 | table _time] | where '% used' > 75 AND isnull(_time)| fields "% used", "updated" Paste your query here, I will try... ... View more

See below answer: https://answers.splunk.com/answers/403320/how-do-i-suppress-alerts-until-the-next-day-at-12.html ... View more

Hi, Try below: Test - XXX <input type="dropdown" token="field1"> <label>field1</label> <choice value="111">111</choice> <choice value="123">123</choice> <search> <query>index="_internal"| stats count by date_hour</query> <earliest>-15m</earliest> <latest>now</latest> </search> <fieldForLabel>count</fieldForLabel> <fieldForValue>count</fieldForValue> </input> You can choose any value instead of 111 or 123. So that you can get values in dropdown, from dynamic search as well as hard coded. In my case I am getting below values in dropdown: 111 123 + values from dynamic search... ... View more

Thanks Team. However, I am getting below error: :prodlaa@XXXXXX:/opt/splunk/bin $ | rest /services/apps/local | search disabled=0 core=0 | dedup lable | table lable version -ksh: syntax error: `|' unexpected ... View more

What if GUI of my Splunk HF is disabled and I want to search a list of all enabled apps and their versions on my Splunk HF? ... View more

I am aware of the command splunk display app... However, not able to find version of all, at once via CLI. ... View more

On CM if I see there are more than 10 indexes having this issue, then I have to run below command for all indexes ? curl -k -u admin:changeme https://HOST:PORT/services/data/indexes/YOUR_INDEX/roll-hot-buckets -X POST ... View more

On CM if I see there are more than 10 indexes having this issue, then I have to run below command for all indexes ? curl -k -u admin:changeme https://HOST:PORT/services/data/indexes/YOUR_INDEX/roll-hot-buckets -X POST ... View more

Worked for me also. ... View more