@ankitarath2011 ,  Agreed, generally it is recommended to instead blacklist items in your search head apps that don't need to be sent to the indexers, as this will keep your bundle sizes down. A few additional suggestions: The Admins Little Helper for Splunk app can help identify bundle contents (and computed/expected contents) For more information about bundle size, refer to https://docs.splunk.com/Documentation/Splunk/latest/Admin/Distsearchconf   maxBundleSize = <int> * The maximum size (in MB) of the bundle for which replication can occur. If the bundle is larger than this bundle replication will not occur and an error message will be logged. * Defaults to: 2048 (2GB)​   and: Large lookup caused the bundle replication to fail. What are my options Alternatively, you may find large lookups and configure limits.conf accordingly: To find large lookup files check bundles on the indexer in $SPLUNK_HOME/var/run/searchpeers/. Copy one of the bundles from $SPLUNK_HOME/var/run/searchpeers/ over to a tmp dir and run:   tar xvf <file>.bundle find -type f -exec du -h {} \; | grep .csv   Set max_memtable_bytes larger than the largest lookup in limits.conf:   [lookup] max_memtable_bytes = 2*<size of the largest lookup> example: On all indexers in limits.conf set: (for unclustered indexers: $SPLUNK_HOME/etc/system/local/limits.conf; for clustered indexers, use the _cluster app on the Cluster Manager or if you distribute indexes.conf and other indexer settings in a custom app, place it in there) [lookup] max_memtable_bytes = 135000000 #equals to 135MB, where the largest lookup file was 120MB   ... View more

@ankitarath2011 , Apologies for the delay, as I have been out of the office. The issue you are reporting is very different than what is discussed on the current post, and needs a new thread. Could you rephrase your full question in a new post, and tag me in it? I tried to start a new one for you that we could continue on but I'm not certain the full context of your issue and question. Regarding increasing maxBundleSize, it is normally a better practice to manage bundle sizes using the [replicationWhitelist] or [replicationBlacklist] stanzas in distsearch.conf.  Raising bundle size limits or raising bundle replication timeouts can cause bundles to take longer to reach your indexers. By default, Search Heads use knowledge bundles to send nearly the entire contents of all of their apps to the indexers. If an app contains large binaries that do not need to be shared with the indexers, reduce the size of the bundle by whitelisting or blacklisting particular files or types of files. See: Splunk Documentation: Limit the knowledge bundle size    Also as an aside... in the event this might be helpful, Admins Little Helper for Splunk can be used to view bundle contents (and computed/expected contents). I will be out this coming week also but will check periodically for your new post. I will not respond on this thread. Thank you, ... View more

@santhoshi  Is your issue fixed. Can you please share solution if it is fixed. Thanks. ... View more

i also have the problem,so have you solve it ？ ... View more

Assuming it was upgraded using storageEngineMigration=true in its server.conf file, here are the backout steps I've used to roll back to the mmapv1 MongoDB on a standalone Splunk instance.  It uses the backup of the old mmapv1 MongoDB taken at upgrade time. NOTE: this could potentially cause data loss, if new data has gone into the migrated WiredTiger storage engine.  It really only makes sense if done soon after upgrade. 1. Stop Splunk Enterprise. Do not use the -f option. 2. Open server.conf in the $SPLUNK_HOME/etc/system/local/ directory 3. Edit the kvstore stanza and remove the following entries: storageEngine = wiredTiger storageEngineMigration=true 4. Save the server.conf file. 5. Change to the $SPLUNK_DB/kvstore directory 6. Rename the new mongo directory mv mongo mongo_wiredtiger 7. Restore the previous mmpapv1 MongoDB under old_db directory a) List the date stamped directory name ls -ld old_db/* b) Move and rename the old_db date stamped directory to mongo mv old_db/<date stamped directory> mongo && ls -ld $SPLUNK_DB/kvstore/mongo 8. Restart splunk splunk start 9. In the CLI, run the splunk show kvstore-status command splunk show kvstore-status 10. This listed storage engine should be as follows storageEngine : mmapv1 NOTE: this back out will not work after a SHC migration to use the Wired Tiger storage engine, as it does not take a snapshot (old_db) of the mmapv1 database at upgrade time.  It's not clear in the docs, but by the looks of it there is no easy way to revert a SHC back to the using mmapv1 after an upgrade.  If it all works then there is no good reason to revert to mmapv1.   Sadly, change control requirements usually require a documented backout plan. Another possibility (I've not tried this) for a SHC restore to mmapv1 MongoDB could be: Stop all SHC members and take your own backup (could be compressed) of the $SPLUNK_DB/kvstore/mongo directory on all instances (ensure enough disk space) Restart SHC members and migrate to Wired Tiger, as per Splunk documentation, including a new backup of the current storage engine before starting RESTORE TO old mmav1 storage engine Stop all SHC members Rename mongoDB mv $SPLUNK_DB/kvstore/mongo $SPLUNK_DB/kvstore/mongo_wiredTiger Remove storageEngine = wiredTiger entry from server.conf in the $SPLUNK_HOME/etc/system/local/ directory Move the backed up mmapv1 back into place, e.g. mv $SPLUNK_DB/kvstore/mongo_mmapv1 $SPLUNK_DB/kvstore/mongo Restart SHC members one at a time and verify storage engine using CLI   splunk show kvstore-status If Splunk SHC recovers OK, then you may also try this with the CLI (one SHC member only) to get to the latest backup   splunk restore kvstore -archiveName <archive> NOTE: understandably, the method listed above has no guaranteed consistency and would only ever be required in a disaster recovery scenario. FINALLY:  As noted, I've not tried this on an SHC in my own environment (I was to late and had upgraded already) so validate it in your own test environments, if using.  ... View more

thanks @codebuilder  ... View more

I have already checked scheduled searches around that time. One of the savedsearch taking more time around that time. But Had checked cron as well. Looks fine as nothing is scheduled around that time.it is running fine other time of the day wit similar number of events.  ... View more

for reference,     I put the props in UF and it is working fine now. Thanks    Does this mean the directory of $SPLUNK_HOME/SplunkUniversalForwarder/default  or something else?    ... View more

Correct. In the Web, it's considered a Calculated Field (Settings -> Fields -> Calculated Fields) as is typically applied to a sourcetype. And on the backend that is just written to props.conf [your_sourcetype] EVAL-my_val = case(match(_raw,"aaa\s+:\d\d:"),2,match(_raw,"aaa\s+:\d:"),1,true(),"n/a") Not sure what your environment looks like, but just note that this is considered a knowledge object and as such has permissions (who can read/write it) and scope (private/app/global) associated with it. ... View more

Hey getting below error Error in 'eval' command: The expression is malformed. An unexpected character is reached at ')'. ... View more

You can do this with a carefully constructed SEDCMD setting but this may not work if you are using INDEXED_EXTRACTIONS=csv (then again, it may very well work). I know that it definitely will work if you are not using INDEXED_EXTRACTIONS . ... View more

Here you go: | makeresults | eval _raw="<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <perform col=\"test\"> <group name=\"A\"> <group name=\"B\"> <new type=\"T1\" time=\"155928841656\"> <counter val=\"11\" name=\"test_name1\"/> <counter val=\"22\" name=\"test_name2\"/> </new> <new type=\"T2\" time=\"155928841656\"> <counter val=\"33\" name=\"test_name1\"/> <counter val=\"44\" name=\"test_name2\"/> </new> </group> </group> </perform>" | spath | fields - *@val* *@time* *@type* *new*@name* | rex max_match=0 "(?ms)(?<event>\<new type.*?\<\/new\>)" | rex field=event mode=sed "s/\n\s*/\n/g" | fields - _raw | mvexpand event | rename event AS _raw | rex mode=sed max_match=0 "s/val=(\"[^\"]+\")\s+name=\"([^\"]+)\"/\2=\1/" | rename COMMENT AS "On my v7.4.2, the 'max_match=0' is not working so I hve to duplicate this line == # of counters in array" | rex mode=sed max_match=0 "s/val=(\"[^\"]+\")\s+name=\"([^\"]+)\"/\2=\1/" | kv | eval _time = time/100 | fields - _raw time ... View more