For Splunk 7 & 8 at least: To get the daily ingestion per indexer with the hostname rather than the GUID following your time range picker selection.     index=_telemetry source=*license_usage_summary.log* type="RolloverSummary" | join type=inner slave [ | rest /servicesNS/-/-/search/distributed/peers splunk_server=local | table guid host | rename guid AS slave ] | search host=*PATTERN* | timechart span=1d eval(round(latest(b) / 1024 / 1024 / 1024, 3)) AS sizeGB BY host useother=f     Replace PATTERN by your indexers hostname convention. ... View more

That fixed it, thanks! Netstat revealed something else was using port 9997. Fixing that, then deleting my inputs and setting it up under "Recieving" fixed the problem. Thanks! ... View more

@Spelunke and @Draineh - Do you guys have exact reproduction steps? Also, please provide the one app that seems to always act like this for you. We'll try to repro it inhouse and create a bug if it indeed is one. Cheerio! ... View more

Using Splunk version 5.0 If I do this: source="/home/IP_Addresses.txt" | geoip ip | top ip_country_name limit=100 I see Denmark has a count of 4,032. If I do this: source="/home/IP_Addresses.txt" | geoip ip | search ip_country_name="Denmark" I see "1,026 matching events". But this: source="/home/IP_Addresses.txt" | geoip ip | search ip_country_name="Denmark" | stats count returns 4,032. Is "max_matches" the right parameter to change in limits.conf to get the full list of 4,032 events? ... View more

nfdump supports NetFlow v5, v7, and v9. ... View more

It is Linux only, see the system requirements in the documentation. ... View more

Should never change a file in a default directory, as that will be overwritten the next time you update. ... View more