Hi For a given index with retention of 91 days configured, we find some hosts having events for the full 91 days. Some other hosts only retain 78 days and some other host even less than that. This is a indexer-cluster-environment having 4 peers and a distributed indexer.conf. Index: [ix_windows_security_logs] coldPath = $SPLUNK_DB/ix_windows_security_logs/colddb enableTsidxReduction = 0 rtRouterThreads = suspendHotRollByDeleteQuery = 0 enableOnlineBucketRepair = 1 frozenTimePeriodInSecs = 7862400 archiver.enableDataArchive = 0 bucketRebuildMemoryHint = 0 minHotIdleSecsBeforeForceRoll = 0 syncMeta = 1 maxTotalDataSizeMB = 716800 compressRawdata = 1 selfStorageThreads = homePath = $SPLUNK_DB/ix_windows_security_logs/db rtRouterQueueSize = thawedPath = $SPLUNK_DB/ix_windows_security_logs/thaweddb tsidxWritingLevel = The index is not full at all: ix_windows_security_logs Curent Size: 1 MB Max Size: 700 GB Nor is the device: /dev/mapper/vgappl-lvsplunk 3.1T 51G 2.9T 2% /opt/splunk What could be the issue here? Thank you ... View more

In 4.3 SPLUNK we had a niche drop-down menue with our saved searches properly grouped. Therefore we would define collections in default.xml like: <collection label="Searches &amp; Reports"> <collection label="FIX"> <saved source="unclassified" match="FIX" /> </collection> It appears that in 6.2.0 all of this has gone. The default.xml is basically empty. What is the concept now of grouping searches and displaying them in a drop-down menue as opposed to having to switch to the reports-page? Thanks ... View more

The 6.2.0 heavy-forwarder is configured to send everything to the indexer xyz. Now I want it to send specific events to a localhost:tcp-port in raw-format. These events are identified by a reg-ex e.g. "/relevant-Message/". The 'relevant-message'-event is duplicated i.e. it is sent to the indexer & to the local tcp-port. Can this be done? Can you please give a config example for props, inputs and transforms on the heavy-forwarder? inputs.conf [monitor:///var/log/.../logsink*.log] disabled = false index = otex sourcetype = otex [monitor:///var/log/.../audit*.log] disabled = false index = otex_audit sourcetype = otex_audit [monitor:///var/log/.../*.log] disabled = false index = main _blacklist = /(logsink|audit).* sourcetype = main props.conf [default] TRUNCATE = 250000 [main] LINE_BREAKER = (\\n+|[\r\n]) BREAK_ONLY_BEFORE_DATE = false SHOULD_LINEMERGE = false [otex] SEGMENTATION = full SEGMENTATION-all = full TRANSFORMS-otex-fields-1 = otex_fields_1 #split at "\n", \r or \n LINE_BREAKER = (\\n+|[\r\n]) #merge lines that do not start with a Date SHOULD_LINEMERGE = true MAX_EVENTS = 1024 BREAK_ONLY_BEFORE_DATE = true CHECK_METHOD = modtime #date parsing MAX_TIMESTAMP_LOOKAHEAD = 50 TIME_PREFIX = \[ TIME_FORMAT = %Y-%m-%d %H:%M:%S,%Q outputs.conf [tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = ch123.net:9960 [tcpout-server://ch123.net:9960] transforms.conf [otex_fields_1] REGEX = ^\[.*?\] \[(.*?)\] \[(.*?)\] \[(.*?)\] \[(.*?)\] \[(.*?)\] \[(.*?)\] \[(.*?)\] FORMAT = tid::"$1" hostname::"$2" component::"$3" instance::"$4" thread::"$5" level::"$6" logger::"$7" WRITE_META=true Thanks! ... View more