Provided the indexers in question are also peers of this particular search head, you can do this REST based query from any, not just the license master:
(chart changed to timechart for ease of use)
index=_internal source=*license_usage.log "type=Usage"
| eval MB=b/1024/1024
| join type=outer i
[
rest /services/search/distributed/peers
| rename guid as i
| rename peerName as indexer
| table i indexer
]
| timechart sum(MB) by indexer
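As an added example (not from the original post or from Splunk), the same join of license_usage.log "type=Usage" events to distributed-peer names, done offline in Python: the log lines, the GUIDs and the GUID-to-peerName map are constructed stand-ins, and an unmatched GUID is kept with an empty indexer name to mirror the outer join.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of license_usage.log "type=Usage"
# events (not real data).  Fields used: i = indexer GUID, b = bytes indexed.
SAMPLE_LOG = """\
04-01-2024 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web01" o="" idx="os" i="AAAA-1111" pool="auto_generated_pool_enterprise" b=5242880 poolsz=53687091200
04-01-2024 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web02" o="" idx="os" i="BBBB-2222" pool="auto_generated_pool_enterprise" b=3145728 poolsz=53687091200
04-01-2024 00:00:02.000 +0000 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_enterprise" b=8388608
04-01-2024 01:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st="syslog" h="fw01" o="" idx="network" i="AAAA-1111" pool="auto_generated_pool_enterprise" b=1048576 poolsz=53687091200
04-01-2024 01:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st="syslog" h="fw02" o="" idx="network" i="CCCC-3333" pool="auto_generated_pool_enterprise" b=2097152 poolsz=53687091200
"""

# Constructed stand-in for the rest /services/search/distributed/peers
# result (guid -> peerName).  CCCC-3333 is deliberately missing so the
# outer-join behaviour is visible: its usage is kept, the name is empty.
PEERS = {"AAAA-1111": "idx01.example.internal",
         "BBBB-2222": "idx02.example.internal"}

# Only type=Usage events carry i= and b=; \b keeps idx= from matching i=.
USAGE_RE = re.compile(r'type=Usage\b.*?\bi="(?P<i>[^"]*)".*?\bb=(?P<b>\d+)')

def mb_by_indexer(log_text, peers):
    """Sum license usage in MB per indexer name (outer join on GUID)."""
    totals = defaultdict(float)
    for line in log_text.splitlines():
        m = USAGE_RE.search(line)
        if not m:
            continue  # RolloverSummary and other event types are skipped
        mb = int(m.group("b")) / 1024 / 1024
        totals[peers.get(m.group("i"), "")] += mb  # "" = no matching peer
    return dict(totals)

def report(totals):
    """Rows for display: totals are summed as numbers first, comma
    formatting is applied only afterwards, so the grand total stays correct."""
    grand_total = sum(totals.values())
    rows = [(name or "(unknown peer)", f"{mb:,.2f}")
            for name, mb in sorted(totals.items())]
    rows.append(("TOTAL", f"{grand_total:,.2f}"))
    return rows

if __name__ == "__main__":
    for name, mb in report(mb_by_indexer(SAMPLE_LOG, PEERS)):
        print(f"{name:<28} {mb:>10}")
```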
I experienced the same thing happening with the search view. Linking this with a thread where a fix was found: https://answers.splunk.com/answers/219784/new-app-old-4350-style-search-view.html
The search.xml view was exported globally from an app that was initially created for Splunk 5 and thus overrode the search.xml view exported from the search app. The app causing the trouble was sec_one_dns which takes precedence over the search app's search.xml file because of ASCII order.
The reason the Search view in the Cisco IOS app works (I'm the author, by the way) is that it ships its own search.xml which is just a copy of the search.xml from the search app.
Just a warning ... if you're totaling these numbers (something like | addtotals row=f col=t column1 column2 column3 ) make sure you do the totals before you do the evals, as changing the numbers to strings and formatting them with commas will exclude them from your total columns. Eval Column=tostring will also cause the value to be left aligned in PDF exports, as it's now a string and no longer a number.
clarification
I have to extract proxy logs with the following fields (UrlDestHost, ClientIP, Protocol, rules...) for our partner users in France and Germany.
Sure, read the docs about field extraction using conf files. This will extract the fields at search time once configured. If you prefer to have it extracted at index time, read the docs about indexed field extraction.
cheers, MuS
pls, mark this as answered by accepting the answer - thx
The replace command should let you get the results you want.
http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/Replace
Splunk Blogs has a walk through:
http://blogs.splunk.com/2014/05/22/using-the-replace-command-granular-details-are-great-but-i-need-a-consolidated-view/