Hello, Is there a way to check the internal logs that a frozen index has been thawed on version 4.1.8? I check the docs and I used the command they give to thaw an index: ./bin/splunk _internal call /data/indexes/main/rebuild-metadata-and-manifests But it doesn't look like anything's imported. I am doing this on the 2 indexers and not the forwarder, will that make a difference? Thanks. ... View more

Hello, I want to create a saved search that will send an email with a report on daily index volumes to know when I'm close to a license violation. I've looked at the documentation but the search given no longer works in 4.2 (and can't track the new fields yet. I'm aware of the deployment app, but I need something that will send out an email alert to a distribution list to send early warnings. Do you have a search query available? Or know which fields in the _internal index I can use? Thanks ... View more

Hello, Is there a way to create an index alert based on when the last event was received? I see the values I want to check in the Manager > Indexes, but I don't know of an effective way to create a similar search that doesn't have a noticeable performance impact (index=* based searches has a performance impact) Thanks ... View more

I'm getting similar messages that was posted in this question for a blocked AQ Is there a way to track down the source of the backlog also? ... View more

Hello, When I stream UDP data to Splunk using a script to pipe Apache access logs via scripts. The splunk server combines all of the session log data into one entry instead of separate entries, example entry: 4/20/11 11:42:06.000 AM access_log[25674]: IP="172.168.5.4" HH="www.someweb.com" US=97947 RQ="GET / HTTP/1.1" ST=200 SZ=9102 CON="-" REF="-" UA="ELinks/0.11.1 (textmode; Linux; 237x50-2)" PHP_TIME=90289 access_log[25675]: IP="172.168.5.4" HH="www.someweb.com" US=46385 RQ="GET /home/ HTTP/1.1" ST=200 SZ=9563 CON="-" REF="http://www.someweb.com/" UA="ELinks/0.11.1 (textmode; Linux; 237x50-2)" PHP_TIME=39386 access_log[25673]: IP="172.168.5.4" HH="www.someweb.com" US=44823 RQ="GET /family/ HTTP/1.1" ST=200 SZ=9335 CON="-" REF="http://www.someweb.com/someweb-home/" UA="ELinks/0.11.1 (textmode; Linux; 237x50-2)" PHP_TIME=36921 access_log[25679]: IP="172.168.5.4" HH="www.someweb.com" US=60747 RQ="GET /how_3391681_handle-unruly-children.html HTTP/1.1" ST=200 SZ=12685 CON="-" REF="http://www.someweb.com/someweb-family/" UA="ELinks/0.11.1 (textmode; Linux; 237x50-2)" PHP_TIME=53606 This is a simple perl script I'm using to stream Apache access logs via named pipe: #!/usr/bin/perl use IO::Socket; my $server = $ARGV[0]; my $protocol = $ARGV[1]; my $port = $ARGV[2]; my $socket = IO::Socket::INET->new(PeerAddr => $server, PeerPort => $port, Proto => "$protocol", Type => SOCK_DGRAM); $| = 1; while ( <STDIN> ) { chomp $_; print $socket "$_\n"; } In the apache config: CustomLog "| /usr/local/bin/apache_pipe.pl 172.16.5.55 udp 4444" combine When streaming UDP data, do the splunk servers need a special char or signal to indicate the line is finished and to add a new entry? ... View more

... and can I change the character length or is it hard-coded? Thanks ... View more

Hello, I'm trying to use collect and the subsequent stash file to save time on a large search query. The documentation on collect, http://www.splunk.com/base/Documentation/4.2/SearchReference/Collect, doesn't mention how to then use the stash file. For example, this is the search query I'm using: index=some_index | regex NAME="(values|that|are|needed)" | regex LV = "(errors|warning|critical)" | collect index="saved_results" It will then notify that it's saved to the stash file. How can I run a search on the stash? ... View more