About rickymckenzie10

rickymckenzie10 · ‎09-19-2025

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by h fixedrange=false | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | dedup _time stack | stats sum(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

rickymckenzie10 · ‎12-10-2024

I want to create a Splunk dashboard that breaks down a splunk dashboard: What app does it belong too. what index or indexes feed it. what sourcetype or sourcetypes feed it. Users accessing it Any other detail you might find useful, this can be a very powerful tool for anyone, and I see to find bits and pieces of this around the community so it must mean someone either already did it, or is planning to. Something kinda this <form version="1.6" theme="dark"> <label>Custom Dashboard Usage</label>  <search id="base_search"> <query> index="_internal" "data/ui/views/" NOT "servicesNS/-" sourcetype=splunkd_ui_access | rex "(?<app>[^\/]+)\/data\/ui\/views\/(?<dashboard>[^? ]+)" | rex "servicesNS\/(?<user2>[^\/]+)" | rex mode=sed field=user2 "s/%40/@/" | eval user=if(user="-",user2,user) | search app=* host="$Host$" user="$User$" app="$App$" dashboard="$Dashboard$" | fields _time host user app dashboard </query> </search> <fieldset submitButton="false"> <input type="time"> <label>Max is 30 days back</label> <default> <earliest>-7d@h</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="Host"> <label>Host</label> <search base="base_search"> <query> | eval data=host | stats count by data | eval info=data." (".count.")" | sort -count </query> </search> <choice value="*">Any</choice> <fieldForLabel>info</fieldForLabel> <fieldForValue>data</fieldForValue> <default>*</default> </input> <input type="dropdown" token="User"> <label>User</label> <search base="base_search"> <query> | eval data=user | stats count by data | eval info=data." (".count.")" | sort -count </query> </search> <choice value="*">Any</choice> <fieldForLabel>info</fieldForLabel> <fieldForValue>data</fieldForValue> <default>*</default> </input> <input type="dropdown" token="App"> <label>Application</label> <search base="base_search"> <query> | eval data=app | stats count by data | eval info=data." (".count.")" | sort -count </query> </search> <choice value="*">Any</choice> <fieldForLabel>info</fieldForLabel> <fieldForValue>data</fieldForValue> <default>*</default> </input> <input type="dropdown" token="Dashboard"> <label>Dashboard</label> <search base="base_search"> <query> | eval data=dashboard | stats count by data | eval info=data." (".count.")" | sort -count </query> </search> <choice value="*">Any</choice> <fieldForLabel>info</fieldForLabel> <fieldForValue>data</fieldForValue> <default>*</default> </input> <input type="dropdown" token="Sort"> <label>Graph by</label> <choice value="dashboard">Dashboard</choice> <choice value="app">Application</choice> <choice value="user">User</choice> <choice value="host">Host</choice> <default>dashboard</default> </input> </fieldset> <row> <panel> <chart> <title>Dashboards usage frequency by count</title> <search base="base_search"> <query> | timechart limit=25 useother=f count by $Sort$ </query> </search> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.axisTitleY.visibility">collapsed</option> <option name="charting.chart">column</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.fieldColors">{"m-cluster-01":#55C169,"m-cluster-02":#55C169,"m-cluster-03":#55C169,"m-cluster-04":#55C169,"m-test":#D41F1F,"m-master-deploy":#FFFF00,"m-monitor":#1182F3,"m-search-tphp":#E3723A,"m-search-helsemn":#D94E17,"m-deploy":#88527D,"m-collector-01":#65778A,"p-collector-01":#65778A,"h-collector-01":#65778A}</option> <option name="height">400</option> </chart> </panel> <panel> <chart> <title>Dashboards usage frequency by percent</title> <search base="base_search"> <query> | stats count by $Sort$ </query> </search> <option name="charting.chart">pie</option> <option name="charting.fieldColors">{"m-cluster-01":#55C169,"m-cluster-02":#55C169,"m-cluster-03":#55C169,"m-cluster-04":#55C169,"m-test":#D41F1F,"m-master-deploy":#FFFF00,"m-monitor":#1182F3,"m-search-tphp":#E3723A,"m-search-helsemn":#D94E17,"m-deploy":#88527D,"m-collector-01":#65778A,"p-collector-01":#65778A,"h-collector-01":#65778A}</option> <option name="height">385</option> </chart> </panel> </row> <row> <panel> <table> <title>Dashboards usage frequency by time, sh-server, user & application</title> <search base="base_search"> <query> | sort 0 - _time | table _time host user app dashboard </query> </search> <option name="count">50</option> <format type="color" field="host"> <colorPalette type="map">{"m-cluster-01":#55C169,"m-cluster-02":#55C169,"m-cluster-03":#55C169,"m-cluster-04":#55C169,"m-test":#D41F1F,"m-master-deploy":#FFFF00,"m-monitor":#1182F3,"m-search-tphp":#E3723A,"m-search-helsemn":#D94E17,"m-deploy":#88527D,"m-collector-01":#65778A,"p-collector-01":#65778A,"h-collector-01":#65778A}</colorPalette> </format> <format type="color" field="user"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> <format type="color" field="app"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> <format type="color" field="dashboard"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> </table> </panel> </row> </form>

rickymckenzie10 · ‎12-03-2024

Sure: https://community.splunk.com/t5/Getting-Data-In/Rolling-upgrade-vs-Maintenance-mode-commands-on-cluster-manager/td-p/705861 🙂

rickymckenzie10 · ‎12-03-2024

I’ve read the documentation on these commands, executed both in a dev environment and observed the behavior. My interpretation of the commands is that they are the same. Does someone want to take a stab, and try to better explain them from your own perspective 🙂 Please don't point me or reference to any Splunk docs, I've read them already and still can't see when is the best use case to use these. I want to read you're opinion! What is the main difference between these two commands? splunk enable maintenance-mode splunk upgrade-init cluster-peers Here is the scene: I will be upgrading a cluster of splunk cluster manager and their peers. Cluster manager Indexers I don't want to initiate a bucket fixup on each indexer (10 peers * 10TB on each peer). Which one best fits/servers my use case above?

rickymckenzie10 · ‎08-22-2024

I want to block the audit.log file from a particular instance sending logs to splunk, is the stanza sufficient to accomplish that? Per matching a file: blacklist = <regular expression> * If set, files from this input are NOT monitored if their path matches the specified regex. * Takes precedence over the deprecated '_blacklist' setting, which functions the same way. * If a file matches the regexes in both the deny list and allow list settings, the file is NOT monitored. Deny lists take precedence over allow lists. * No default. [monitor:///logs/incoming/file.com/all-messages.log] sourcetype = something index = something_platform disabled = 0 blacklist = audit.log

rickymckenzie10 · ‎03-19-2024

Here is the index stanza: [new_dex] homePath = volume:hotwarm/new_dex/db coldPath = volume:cold/new_dex/colddb thawedPath = $SPLUNK_DB/new_dex/thaweddb maxTotalDataSizeMB = 2355200 homePath.maxDataSizeMB = 2944000 maxWarmDBCount = 4294967295 // I know this is wrong, but need help setting it frozenTimePeriodInSecs = 15552000 maxDataSize = auto_high_volume repFactor=auto Also, any other key = pair should be added. There are 18 indexers deployed each with a 16T of size. frozenTimePeriodInSecs has been met, but data is not being moved/deleted. what configuration/details am I missing here? I needed data gone!

rickymckenzie10 · ‎03-12-2024

Hello, how can I ensure the data being sent to cool_index is rolled to cold when the data is 120 days old? The config I'll use [cool_index] homePath = volume:hotwarm/cool_index/db coldPath = volume:cold/cool_index/colddb thawedPath = $SPLUNK_DB/cool_index/thaweddb frozenTimePeriodInSecs = 10368000 #120 day retention maxTotalDataSizeMB = 60000 maxDataSize=auto repFactor=auto am I missing something?

rickymckenzie10 · ‎02-28-2024

@victor_menezes can you expand a little more on this: AFAIK maxWarmDBCount doesn't affect the rollover of data (but it can be storage hungry so be careful with that), it is something the frozenTimePeriodInSecs do instead Yes, I am using maxTotalDataSizeMB in each of the indexes. They all have their specific size.

rickymckenzie10 · ‎02-27-2024

Currently, each of my indexes is set to a specific and own frozenTimePeriodInSecs, but I am noticing they are not rolling over to cold when the frozenTimePeriodInSecs value is set. Data Age (keeps growing) vs Frozen Age (stays as what it is set in frozenTimePeriodInSecs) maxWarmDBCount is set to: maxWarmDBCount = 4294967295 Does this effect? If the value is changed, would data roll to cold?

Posts	9
Solutions	0
Karma Given	4
Karma Received	0
Member Since	‎02-27-2024

Online Status	Offline
Date Last Visited	‎10-14-2025 09:26 AM

Is there away to find the exact hostname from the ...

Splunk dashboard that breaks down what index/sourc...

Rolling upgrade vs Maintenance mode commands on cl...

Blacklist audit.log from inputs.conf

Right number and size of hot/warm/cold buckets

Roll hotwarm data to cold when frozenTimePeriodInS...

How does frozenTimePeriodInSecs and maxWarmDBCount...