Hi, We are using volume partitions for the indexes.conf and the hot volume is getting full around 90% on the disk. [volume:hotwarm] path = /mnt/hot [volume:cold] path = /mnt/cold [xxxxxx] homePath = volume:hotwarm/xxxxxxxx/db coldPath = volume:cold/xxxxxxx/colddb thawedPath = $SPLUNK_DB/xxxxxxx/thaweddb homePath.maxDataSizeMB = 2000000 coldPath.maxDataSizeMB = 15664000 frozenTimePeriodInSecs = 2160000 maxTotalDataSizeMB = 34664000 maxDataSize = auto_high_volume repFactor = auto This is the indexes.conf being used. Please suggest a method to reduce the hot volume size In general, how to reduce the hot volume for an index. ... View more

Hi, We are using JSON data and the field extractions are done already. So we no need to use the spath command. But when we click on raw data and add it to the search the spath command is automatically invoked. How can we correct that, the spath command takes a lot of time and is not needed in our case. Thanks, ... View more

Hi, I have configured inputs and props on a heavy forwarder and there is same stanza of sourcetype with no parameters under the sourcetype in the search head. Will the empty stanza in the search head cause a conflict ? I see that we are facing timestamp recognition issue while indexing. Splunk isn't taking the right values, even though the time prefix and the timestamp format have been checked fully with the data before on boarding. Isn't Splunk unable to keep up with data ? we are indexing lots of .gz files. at one time ... View more

Hi, A peer was down recently because of some server issues and the buckets re balanced among themselves with the other servers. I want to remove the peer from the indexer cluster as the the host cannot be used anymore. And, Splunk is not running and cannot be run as one of the drives that hold the hot data got erased. There was no loss in the cluster as we are using the replication and search factors. Could you please suggest a method or all the steps needed to remove the peer from a cluster safely. Thanks, N ... View more

I am using only the following props in the heavy forwarder and no other props any where for the data. Yet I am getting double field extractions for the data. How to solve this problem !! [xxxxx] SHOULD_LINEMERGE = false TIME_FORMAT = %Y-%m-%d %T TIME_PREFIX = date MAX_TIMESTAMP_LOOKAHEAD = 30 TRUNCATE = 0 TZ = UTC NO_BINARY_CHECK=true KV_MODE = none LINE_BREAKER = }([\r\n]+|){ INDEXED_EXTRACTIONS = json AUTO_KV_JSON = false TRANSFORMS-hostoverriede = hostoverride EXTRACT-KVPS = (?:args":")?(?<_KEY_1>[^"=]+)=(?:\")?(?<_VAL_1>(\d+|[^\"]+)) Why are search time field extractions happening even though there are no props for the same sourcetype in the search head ? Or the index field extractions happening at the heavy forwarder and again at indexer level ? .. but there are no props in the indexer !! The field extractions are normal if we are indexing and searching the data in a stand alone instance but not at a distributed environment. I am using the following props for another JSON data . That too only at the heavy forwarder level and the extraction is happening only once. [json_time] SHOULD_LINEMERGE = false TIME_FORMAT = %F %T.%3N TIME_PREFIX = "time" MAX_TIMESTAMP_LOOKAHEAD = 25 TRUNCATE = 0 TZ = UTC INDEXED_EXTRACTIONS = json NO_BINARY_CHECK=true KV_MODE = none LINE_BREAKER = ([\r\n]+){ AUTO_KV_JSON = false So how are the field extractions happening for this data ? without any extraction parameters set ? Thanks ... View more

Hi, If I just mention frozenTimePeriodInSecs as 30 days , how does Splunk roll the buckets exactly so that the data gets deleted in 30 days ? Will adding the parameters like homePath.maxDataSizeMB , coldPath.maxDataSizeMB effect the rolling of buckets ? ... View more

Hi, I see that DMC is unable to give the right volume usage for a particular partition. It is showing wrong partition value in every instance for that particular partition name. Any specific permission that needs to be checked or how can this be fixed ? Thanks ... View more

Hi, Can I please know the ideal configurations for indexes.conf ? Should we include parameters like homePath.maxDataSizeMB , coldPath.maxDataSizeMB etc. ? Or is it enough to specify only frozenTimePeriodInSecs ... View more

How do we encrypt SSL between forwarders and indexers, shouldn't we use the same certificates in both servers. How does encryption work if we are using different certificates in both the servers. ... View more

Is there a way to get the user search activity excluding the searches given the dashboards Thanks N ... View more