Simple XML example on Version 6.2.2
Create a real-time saved search named "RT_SavedSearch". For this example: index=_internal | head 1000
<form>
  <label>Post Process Saved Real-time Search</label>
  <description></description>
  <search id="BaseSearch" ref="RT_SavedSearch">
  </search>
  <row>
    <chart>
      <title>Events over Time(First)</title>
      <search base="BaseSearch">
        <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes(First)</title>
      <search base="BaseSearch">
        <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>
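To make the base-search / post-process relationship concrete, here is an added Python example (not from the original answer) that parses a dashboard of the shape shown above and resolves the full SPL each panel actually runs; the saved-search mapping is a constructed stand-in for savedsearches.conf, and a base= that points at no search id is reported instead of silently producing an empty panel.

```python
"""Resolve what each post-process panel in a Simple XML dashboard actually runs."""
import xml.etree.ElementTree as ET

# Constructed stand-in for savedsearches.conf; the name and SPL are the ones in the answer above.
SAVED_SEARCHES = {"RT_SavedSearch": "index=_internal | head 1000"}

# Constructed dashboard with the same structure as the Simple XML in the answer above.
DASHBOARD_XML = """<form>
  <search id="BaseSearch" ref="RT_SavedSearch"/>
  <row>
    <chart><title>Events over Time(First)</title>
      <search base="BaseSearch"><query>timechart count</query></search></chart>
    <table><title>Top Sourcetypes(First)</title>
      <search base="BaseSearch"><query>top limit=100 sourcetype | eval percent = round(percent,2)</query></search></table>
  </row>
</form>"""

PANEL_TAGS = ("chart", "table", "single", "event", "map")


def _spl_of(search, by_id, saved, seen=()):
    """SPL for one <search>, following ref= (saved search) and base= (post-process) links."""
    ref, base = search.get("ref"), search.get("base")
    query = search.findtext("query", default="").strip()
    if ref is not None:
        return saved[ref]  # KeyError if the referenced saved search does not exist
    if base is not None:
        if base in seen or base not in by_id:
            raise ValueError("base points at no search id (or forms a cycle): " + base)
        parent = _spl_of(by_id[base], by_id, saved, seen + (base,))
        return parent + " | " + query if query else parent
    return query  # plain inline search


def resolve_panels(xml_text, saved_searches):
    """Map each panel title to the full SPL Splunk evaluates for it, or an UNRESOLVED note."""
    root = ET.fromstring(xml_text)
    by_id = {s.get("id"): s for s in root.iter("search") if s.get("id")}
    panels = {}
    for panel in root.iter():
        search = panel.find("search") if panel.tag in PANEL_TAGS else None
        if search is None:
            continue
        title = panel.findtext("title", default=panel.tag)
        try:
            panels[title] = _spl_of(search, by_id, saved_searches)
        except (KeyError, ValueError) as err:
            panels[title] = "UNRESOLVED: " + str(err)
    return panels
```

Running resolve_panels(DASHBOARD_XML, SAVED_SEARCHES) shows each panel's query appended to the saved search's SPL with a pipe, which is exactly why the base search must return the events the post-process commands need.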
The Forwarder does keep track of the data it has already sent. To have the forwarder resend data for specific file(s), you will need to use the btprobe command to reset the file(s).
On the Forwarder:
./splunk stop
./btprobe -d ~/splunkforwarder/var/lib/splunk/fishbucket/splunk_private_db --file /path/to/file.log --reset
./splunk start
Read more on btprobe here
Better late than never.
If your scheduled searches are executing at the time you load/refresh the dashboard, then the dashboard panel will pick up the current execution showing the "Loading xx%" bar at the bottom.
Check your searches and ensure they are not running longer than your desired refresh rate, or that they are not still running at the time the dashboard is typically loaded.
Long time and no answer on this one. So, I will attempt to answer this. This is a problem with too many columns in a report and/or dashboard. This can be encountered when using a search with "limit=0" or another large number.
"search" | timechart limit=0 span=1h sum(MB) by series
Try removing or reducing the "limit=0"
"search" | timechart span=1h sum(MB) by series
No need to do either choice.
Read this response in regards to "What do I need to do for the SoS data inputs to track Splunk resource usage?" here: http://answers.splunk.com/answers/38091/best-practices-to-deploy-the-sos-app-in-a-distributed-search-environment
Enabling these scripts should start the data flowing into your SOS index.