Sorry, I'm not sure to get it: "Splunk doesn't index fields as indexed fields, unless they are explicitly extracted as indexed fields" How is it possible with splunk cloud? if I understand well, with kv_mode=json, event if our logs are json formatted, I will have to extract one by one all fields I need, using the field extractions feature. The fields will be then extracted at search time, and not indexed. Right? Then, wouldn't be there a risk on the search performance, if all fields are extracted at search time? Also, the usage of tstat will need to be reviewed for all our saved searches/dashboards...etc. Am I right? Thanks BR Nordine ... View more

Hello PickleRick, for the point 3, you mean by using kv_mode=json, unlike using indexed extractions, I will be able to "selectively not index some fields". Would you mind to give me some more details, or examples how I can do? On my side, I've checked the source type which is used, and indeed: indexed extractions = json and in advanced tab: kv_mode = none So, you recommend to set: indexed extractions = none and in advanced tab: kv_mode = json Can you confirm this is the right way? Then, how can I exclude some specific fields from automatic extraction? Thanks a lot Regards Nordine ... View more

Hello, Indeed, my concern is about performance for both indexation and search. Because I can see from time to time, that _indextime values is getting far from the event timestamp: with a gap from 5 to 100 seconds, when the average is 30ms(200ms at the worst) Actually, we are indexing json formatted logs, and yes, using indexed extraction = json (set in the source Type) So, I guess all fields are indexed automatically. Then, checking with walklex: | walklex index="my_index" type=field | search NOT field=" *" | stats list(distinct_values) by field It shows, for last 60min: events:10272 Number of fields: 403 And some of them with uniq values, like field list(distinct_values) sessionid 193249 220320 204598 201715 214656 183875 195165 196683 221079 204274 215453 186199 181808 198200 178018 192400 184038 176133 205139 205432 186822 174164 196244 185719 179251 197758 203770 190584 178399 "avoiding indexed fields is sound as a general rule of thumb" If I understand well, the best should be to avoid fields with large number of uniq values to be indexed, and index only fields with low number of possible values(success/failed, green/yellow/red...,) Then, in my case, what could be a better configuration to reduce number of indexed fields, and to index only the fields with low cardinality, as you mentioned? Again, thank you all for your time/support Regards ... View more

Thanks for you replies, indeed, I was using dbinspect to check buckets size. But I need to have tsidx vs raw data files size. Do you know if somehow splunk support, as they should have access to file system, could answer to this need? Thanks   Regards ... View more

Hello, better way to reduce the size of index is to reduce retention period, or some other parameter of index configuration. You need splunk admin rights. Some info from the documentation: Use these indexes.conf settings to configure data retention policies for a SmartStore index: maxGlobalDataSizeMB maxGlobalRawDataSizeMB frozenTimePeriodInSecs I hope it helps you Regards ... View more

Hi danielbb, You can try | tstats count where index=wineventlog* TERM(EventID=*) by _time span=1m But in the _raw event, you must have something which corresponds, like ...EventID=4624... Then, if you want to use this EventID in the group by, you can try (be carefull The text you provide for the PREFIX() directive must be in lower case) | tstats count where index=wineventlog* TERM(EventID=*) by PREFIX(eventid=) _time span=1m Regards ... View more

Hello, not sure this was solved. However, I had the same problem, and managed to remove the link by checking Type "plain text" in the Edit PDF Schedule window. The link desappeared... Hope it helps. BR Nordine ... View more

Hello, I have the same issue, since one month now. All my scheduled pdf delivery, which were fine before, are showing now empty graphs. Only tables are visible in the pdf export. Does any one know what would be the issue? Thanks in advance Best resgards ... View more

Hello, depending on number of slices you are showing and their value, in your graph, what will help is to use  following options <option name="charting.chart.sliceCollapsingThreshold">0</option> or minimum size in the UI and increase the height of the graph itself, using <option name="height">1000</option> option. before with height=500   After with <option name="height">1000</option> and  <option name="charting.chart.sliceCollapsingThreshold">0</option>   Regards Nordine   ... View more

Hello Chris, in the same way, I would like to know if it is possible to color the node(from or to), when using the link rows? Thank you BR Nordine ... View more

Hello, Thanks a lot! It worked for me with Pie Chart label   Regards ... View more