The strange thing is that the resource usage is quite equal all time from 09 to 17, with some "normal" CPU peak (i have to add some Indexers asap), also same number of searches, and quality of searches (none of them seems to create some loop or resources bottleneck!!!). I was also wondering if some Network Device makes some "refresh" (every 1 hour), maybe breaking the Indexers ACK responses 🤷‍♂️🤷‍♂️🤷‍♂️quite strange... ... View more

And what is you stats wants a _time group? index=* source=/my.log | bin span=5m _time | stats count by _time[,source] 00:00 5 00:05 (no records, skipped) 00:10 10 00:15 20 The result will be, 00:00 5 00:10 10 00:15 20 The only way in this case is to use a timechart 👍 index=* source=/my.log | timechart span=5m count by source 00:00 5 00:05 0 00:10 10 00:15 20 ... View more

CPU bottleneck. ... View more

Perfect 👍👍👍 That's what i wanted to know 👏👏👍 Many thanks 👍 ... View more

Final version... obviously inside a script or an interactive menu with parameters should work fine 👍   curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/-/-/saved/searches' --get -d 'output_mode=json' -d 'count=0' | jq -r ' .entry[] | select(.acl.app == "MYAPP" and .acl.owner == "MYUSER") | .name + " : " + .acl.app + " : " + .author + " : " + .acl.owner + " : " + .acl.sharing + " : " + (.content.disabled|tostring) '   Alternative,   curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/-/-/saved/searches' --get -d 'output_mode=json' -d 'count=0' | jq -r ' .entry[] | select(.acl.app == "MYAPP" and .acl.owner == "MYUSER") | [.name,.acl.app,.author,.acl.owner,.acl.sharing,.content.disabled] | @csv '   Thanks all 👍 ... View more

Great 👏👏👍 Effectively XML is quite obsolete 😴 Thanks again 👍 ... View more

Just a beginning for shell... with script parameters (user and app in variables), i'm close enough to what i'm seeking 😀   curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/admin/MYAPP/saved/searches?count=-1' | egrep '<title>|name="app">|name="sharing">|name="owner">|name="disabled">' | grep -v '<title>savedsearch</title>' | sed -n -e '/title/,+4p' | paste - - - - - | grep 'MYAPP' | grep 'title' | sed 's/ //g ; s/\t//g'   Perhaps not perfect, yet... but close 😀 Thanks. ... View more

Ahhhhhhhhhhh, here we go!!! It takes also the "sharing=global" objects 🙄i understand. Are there more parameters to filter directly from the GET? I can't read them in Documentation 🤷‍♀️ (also the "?count=x" is not documented 🤔) Thanks. ... View more

I neved had problems with Captain Election, both with [raft_statemachine] disabled = true disabled = false 🤷‍ ... View more

@sainag_splunk wrote: The disabled setting in SHC only impacts captain election and member roster management. Ok, so it's minimal, and has ne real impact of cluster operativity 👍 Thanks 👍 ... View more

Don't understand the question 🙄🙄🙄 I have a non clustered Indexing infrastructure (8 standalone indexers). @sainag_splunk wrote: I don't think that required.  I decide what's required 😉and i want the SHC to replicate distsearch.conf 😉😉 My question was another, leave replicate_search_peers away, What changes in a SHC by setting "disabled = true or false"? By default is true. ... View more

Great, thanks 👏👏👏 I took my way, doing so,   |eval earliest_epoch="$time.earliest$",latest_epoch="$time.latest$" |eval earliest_epoch=case(isnum(earliest_epoch),earliest_epoch,earliest_epoch=="now",time(),"earliest_epoch"="",0,true(),relative_time(time(),earliest_epoch)) |eval latest_epoch=case(isnum(latest_epoch),latest_epoch,latest_epoch=="now",time(),true(),relative_time(time(),latest_epoch))     ... View more

Great 👏👏👏👏👏👍 But maybe dashboard will not update variables/tokens until you manually change the picker. Let's say i choose "-5m" from picker and latest is "now" for default, it will remain fixed to relative_time(time(), $earliest$)  the UNIX-time value, also if my panels refreshes. So, letting dashboard has refreshing panels, the -5m will become -6 -7 -8 -9 -10 ......... untill you change the picker... Also for $latest$=="now", time() Same concept for earliest... it becomes fixed until you refresh entire dashboard/picker. ... View more

SHC is perfectly in sync!!! I have no errors at all when all nodes are running, until i restart the SHC. I will try a node at a time, and i'll monitor the logs. It's only for curiosity, since SHC works perfectly 🤷‍♀️🤷‍♀️🤷‍♀️ IMO it's some kind of "artifact" remained from previously versions, over which i did updgrades (6 to 7 to 8 [where we changed the Indexers to new nodes/servers]). Quite sure resetting the raft and rebuilding the SCH will delete the "issue". ... View more

    Anyway, a question to - why the need to delay the script's output in the first place? It seems a very unusual requirement.     ... originally the script used a "timeout [variable_secs]" launching a while loop to wait with a "test -f file" if "file" was generated during the STARTTIME untill the next "timeout [variable_secs]" (variable_secs is taken by a table, every file has it's own variable_secs). If timeout exits with exit_code 124, an stdout + log entry is written in a log file. If a new script is launched with same identical args, itsself check if a previous one is still running and exit suddenly, waiting the previous to do its job. So i have a single input entry for each file in table (file exists or file does not exists after start_time [the table also have its start_time variable for every file] + variable_secs. During the "variable_secs" if i had a new file in table to check, the script is blocked from the previously, so i can't check it. Let's say, having a table like this server1 /tmp/flow.log 07:00 07:30 server1 /tmp/flow2.log 07:10 07:15   Scheduled script run by splunkd is scheduled every 5m. Let's say now it's 06:55, 06:55 splunkd run script, it exits with no output/file log since check it's not 07:00 OR 07:10 (script does this) 07:00 splunkd run script, task starts for "/tmp/flow.log" and wait untill 07:30 for file generation 07:05 splunkd run script, aborted since the previous 07:00 is still in background and running 07:10 same as 07:05, "/tmp/flow2.log" is skipped 07:15 same as 07:10, "/tmp/flow2.log" is skipped 07:20 same as 06:55 ... So "/tmp/flow2.log" is totally skipped. Now, on some servers, as said, a cron was used. On other servers i rewrite the script without the timeout/sleep, and write an entry every 5m with a variable "FOUND=[0|1]", and then stating with SPL a "stats count sum(FOUND) as found by host,file" and with some dashboards/alerts who traces them, a sum of 0 in that timerange is a file not present. ... View more

I know it's a unusual question, for this reason i asked 😂😂😂 THAT is the way i'm using now, getting data from input monitor. For this reason i wanted to know if i could manage it by splunkd directly 😊 I also used on some servers the /etc/cron.hourly/ directly by splunkd, creating tasks dinamically on the fly by launching a root subshell to create task in cron.hourly and getting its inputs monitor output to file after the timeout/sleep does it's job and the script exits with its exit code. But the mission was to NOT TOUCH ANYTHING IN THE SYSTEM, so i asked if a monitor script could be forced to rerun also if the previous was still in background 🤷‍♀️thanks anyway everyone 👍👍👍 ... View more

Yes. That's so... and that was a really bad idea for App order UI in WebGUI 🤦‍♂️🤦‍♂️🤦‍♂️ Previously drag option with jquery was perfect... really do not know why they change drastically this section 🙄🙄🙄 Editing "user-prefs.conf" need a daemon restart. Annoying. ... View more