Activity Feed
- Got Karma for Re: Tranformations to set different sourcetypes based on fields in an event. 06-05-2020 12:45 AM
- Got Karma for Re: Context Search. 06-05-2020 12:45 AM
- Got Karma for Re: Context Search. 06-05-2020 12:45 AM
- Got Karma for Re: max index size value. 06-05-2020 12:45 AM
- Got Karma for Re: Multiple instances of Splunk w/ Boot-start. 06-05-2020 12:45 AM
- Posted Re: "First-time-run has not finished." After migrating to new host on Installation. 06-13-2011 12:58 PM
- Posted Re: max index size value on Splunk Search. 06-09-2011 03:17 PM
- Posted Re: Context Search on Splunk Search. 06-06-2011 09:10 AM
- Posted Re: Context Search on Splunk Search. 06-03-2011 04:05 PM
- Posted Re: How to set radialGauge text value? on Splunk Search. 06-03-2011 01:53 PM
- Posted Re: How to set radialGauge text value? on Splunk Search. 06-03-2011 12:20 PM
- Posted Re: Tranformations to set different sourcetypes based on fields in an event on Getting Data In. 06-02-2011 10:51 PM
- Posted Re: How to set radialGauge text value? on Splunk Search. 06-02-2011 10:29 PM
- Posted Re: Multiple instances of Splunk w/ Boot-start on Splunk Search. 05-17-2011 01:34 PM
06-13-2011
12:58 PM
I've seen this error before when trying to add a user that didn't exist on the system (this is a system user, not a splunk user). One thing you can try is this:
cat /etc/passwd if you have permissions to do so...this will tell you if the user "splunk" exists. The next thing (if splunk does exist) would be to start splunk as the splunk user (to make sure it has proper permissions to do so).
If you can't view the /etc/passwd file, you can try this:
./splunk enable boot-start
See if this works (if it does, it will use user "root" by default).
Hopefully this helps you move the ball forward...
06-09-2011
03:17 PM
1 Karma
Okay, I'll give it a shot...I didn't see any way of doing this with either metadata or dbinspect...but here's what I did:
1) I splunked Splunk...basically, I started monitoring my /splunk/etc directory and ingesting all my splunk config files
2) I determined that the parameter I was looking for in the indexes.conf file is: maxTotalDataSizeMB
3) I defined a field extraction to extract the "header" of each section of a splunk conf file...my regex is: (?im)^(?P<Header>\[.+\])$ ...this helps when I perform my search
4) The search I used after doing all this was:
source="/splunk/etc/system/local/indexes.conf" | table Header maxTotalDataSizeMB | rename Header to Index
Index maxTotalDataSizeMB
[_thefishbucket] 600000
(this is what the results looked like...well, it looked better in Splunk, but hopefully you get the picture)...by the way, this matched up exactly to what I saw in manager.
Not at all sure if this solves your problem the way you wanted it solved, but I had fun trying to figure it out!
06-06-2011
09:10 AM
1 Karma
You might try checking out this thread...I haven't had the chance to validate the searches, but there are a few things in here that seem to map to your use case:
http://splunk-base.splunk.com/answers/2602/can-splunk-filtermatch-events-and-bring-back-neighbouring-events-like-gnu-grep
06-03-2011
04:05 PM
1 Karma
One way that comes to mind would be to use the "transaction" parameter...this allows you to group events into a single transaction at search time...there are probably a few ways to use transaction in this manner:
source=foo <X_identifier> | transaction <field> maxspan=<span>
for X_identifier...I'd just be looking for something you'd only see in event X.
for "field", you have to choose a field in splunk that will be common to both of these transactions...common ones might be host, clientip..etc. maxspan isn't required, but I've found it useful.
What this will do is filter for X event, then build a transaction around X that presumably includes Y as well. Now, there may be better ways to do this, but this is one that I've used before for this purpose.
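The grouping the answer above describes, written out as an added Python example (not code from the original answer or from Splunk): an event matching X opens a transaction, and later events that share the chosen field value and fall within maxspan of the opener are joined to it. The event list, the "X:" marker, the host field and the 120-second maxspan are all constructed for the illustration.

```python
from datetime import datetime

# Constructed sample events (not from the original post). Each dict mirrors the
# fields a Splunk event would carry: _time, host, _raw.
EVENTS = [
    {"_time": "2011-06-03 16:00:00", "host": "web01", "_raw": "X: request received id=7"},
    {"_time": "2011-06-03 16:00:02", "host": "web02", "_raw": "Y: response sent id=9"},
    {"_time": "2011-06-03 16:00:03", "host": "web01", "_raw": "Y: response sent id=7"},
    {"_time": "2011-06-03 16:05:10", "host": "web01", "_raw": "X: request received id=8"},
    {"_time": "2011-06-03 16:09:00", "host": "web01", "_raw": "Y: response sent id=8"},
]


def _ts(event):
    return datetime.strptime(event["_time"], "%Y-%m-%d %H:%M:%S")


def build_transactions(events, x_identifier, field, maxspan_seconds):
    """Emulate `source=foo <X_identifier> | transaction <field> maxspan=<span>`.

    Every event whose _raw contains x_identifier opens a transaction; later events
    that share the same value of `field` and fall within maxspan_seconds of the
    opener are joined to it. Only maxspan is honoured (no maxpause/startswith),
    which is the shape of the search in the post. This is a hypothetical
    simplification, not Splunk's own implementation.
    """
    ordered = sorted(events, key=_ts)
    transactions = []
    for i, opener in enumerate(ordered):
        if x_identifier not in opener["_raw"]:
            continue
        members = [opener]
        for later in ordered[i + 1:]:
            if (_ts(later) - _ts(opener)).total_seconds() > maxspan_seconds:
                break  # sorted by time, so nothing further can fit in the span
            if later.get(field) == opener.get(field):
                members.append(later)
        # Summary fields modelled on what Splunk's transaction command reports
        transactions.append({
            "_time": opener["_time"],
            field: opener.get(field),
            "eventcount": len(members),
            "duration": (_ts(members[-1]) - _ts(members[0])).total_seconds(),
            "events": members,
        })
    return transactions


def example_transactions():
    # X events grouped with whatever follows on the same host within 2 minutes
    return build_transactions(EVENTS, "X:", "host", maxspan_seconds=120)


if __name__ == "__main__":
    for t in example_transactions():
        print(t["_time"], t["host"], "eventcount=%d duration=%.0fs" % (t["eventcount"], t["duration"]))
        for e in t["events"]:
            print("   ", e["_raw"])
```

With the constructed data, the first X on web01 picks up its matching Y three seconds later (the web02 event is skipped because the host differs), while the second X stands alone because its Y arrives after the 120-second maxspan has elapsed.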
06-03-2011
01:53 PM
My strong suspicion is that this isn't supported. The description for the radial gauge is:
The radialGauge, like the other gauge chart types, enables the visualization of a single numerical value mapped against a range of colors that may have particular business meaning or logic. The radial gauge is similar in appearance to a speedometer in appearance; it has an arced range scale and a rotating needle.
Also, referencing the chart legend in the developers manual:
http://www.splunk.com/base/Documentation/latest/Developer/CustomChartingConfig-ChartLegend#radialgauge
Please note that the "valueStyle" property appears to be the only one that allows for modification of the value at the bottom of the gauge...but the description specifically references that you can't use this parameter to permit setting of a text string.
"valueStyle style Provides the style properties for the value at the bottom of the gauge. Note that valueStyle can be used to change the way the value displays (font, bolding, italicization, and so on.), but it can't be used to actually change the text itself. For example, you can't use valueStyle to replace the value with a specific text string. See the textBlock table for specific defaults."
If I locate anything that indicates that your use-case is supported, I'll definitely update this answer...but as of now, I don't believe it is.
06-03-2011
12:20 PM
What does your search look like? Here's mine:
search = * | head 1 | eval count = 32 | gauge count 0 25 50 75 100
What I get is a radial gauge with 0-100 in increments of 10...with "32" in the middle of the gauge and the hand pointing to where 32 would be on the gauge.
06-02-2011
10:51 PM
1 Karma
I believe that your DEST_KEY value isn't valid... keys are case-sensitive and MetaData:Sourcetype is the correct value, not MetaData:SourceType
From: $SPLUNK_HOME/etc/system/README/transforms.conf.spec
*******
KEYS:
*******
NOTE: Keys are case-sensitive. Use the following keys exactly as they appear.
queue : Specify which queue to send the event to (can be parsingQueue, nullQueue, indexQueue).
_raw : The raw text of the event.
_done : If set to any string, this represents the last event in a stream.
_meta : A space-separated list of metadata for an event.
_time : The timestamp of the event, in seconds since 1/1/1970 UTC.
MetaData:FinalType : The event type of the event.
MetaData:Host : The host associated with the event.
The value must be prefixed by "host::"
_MetaData:Index : The index where the event should be stored.
MetaData:Source : The source associated with the event.
The value must be prefixed by "source::"
MetaData:Sourcetype : The sourcetype of the event.
The value must be prefixed by "sourcetype::"
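An added Python example (not code from either answer or from Splunk) that serves two of the answers above: it reads Splunk .conf text into stanzas using the stanza-header regex from the "max index size" answer, reports maxTotalDataSizeMB per index the way that answer's `table Header maxTotalDataSizeMB | rename Header to Index` search does, and lints transforms.conf stanzas for the case-sensitive DEST_KEY mistake from the sourcetype answer, checking the "sourcetype::" / "source::" / "host::" FORMAT prefixes the spec quotes. The two .conf inputs, the stanza names and the helper names are constructed for the illustration.

```python
import re

# Regex from the "max index size" answer: capture the [stanza] header of each section
HEADER_RE = re.compile(r"(?im)^(?P<Header>\[.+\])$")

# Keys quoted from transforms.conf.spec in the sourcetype answer (case-sensitive)
VALID_DEST_KEYS = {
    "queue", "_raw", "_done", "_meta", "_time",
    "MetaData:FinalType", "MetaData:Host", "_MetaData:Index",
    "MetaData:Source", "MetaData:Sourcetype",
}
REQUIRED_PREFIX = {
    "MetaData:Host": "host::",
    "MetaData:Source": "source::",
    "MetaData:Sourcetype": "sourcetype::",
}

# Constructed sample configs (not from the original posts)
INDEXES_CONF = """
[_thefishbucket]
maxTotalDataSizeMB = 600000

[main]
homePath = $SPLUNK_DB/defaultdb/db
maxTotalDataSizeMB = 500000
"""

TRANSFORMS_CONF = """
[set_sourcetype_wrong]
REGEX = ^ERROR
DEST_KEY = MetaData:SourceType
FORMAT = sourcetype::app_error

[set_sourcetype_right]
REGEX = ^ERROR
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::app_error

[set_sourcetype_noprefix]
REGEX = ^WARN
DEST_KEY = MetaData:Sourcetype
FORMAT = app_warn
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}} (hypothetical helper)."""
    stanzas = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("Header")[1:-1]  # strip the surrounding [ ]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def max_index_sizes(indexes_conf):
    """Same result as `table Header maxTotalDataSizeMB | rename Header to Index`."""
    return {
        name: int(kv["maxTotalDataSizeMB"])
        for name, kv in parse_conf(indexes_conf).items()
        if "maxTotalDataSizeMB" in kv
    }


def lint_transforms(transforms_conf):
    """Flag DEST_KEY values that are not in the spec's key list (exact case) and
    FORMAT values missing the prefix the spec requires for that key."""
    problems = []
    for stanza, kv in parse_conf(transforms_conf).items():
        dest = kv.get("DEST_KEY")
        if dest is None:
            continue
        if dest not in VALID_DEST_KEYS:
            hint = next((k for k in VALID_DEST_KEYS if k.lower() == dest.lower()), None)
            msg = f"[{stanza}] DEST_KEY={dest!r} is not a valid key"
            if hint:
                msg += f" (keys are case-sensitive; did you mean {hint!r}?)"
            problems.append(msg)
            continue
        prefix = REQUIRED_PREFIX.get(dest)
        fmt = kv.get("FORMAT", "")
        if prefix and not fmt.startswith(prefix):
            problems.append(f"[{stanza}] FORMAT={fmt!r} must be prefixed by {prefix!r} for DEST_KEY={dest}")
    return problems


if __name__ == "__main__":
    for index, size in max_index_sizes(INDEXES_CONF).items():
        print(f"[{index}] {size}")
    for problem in lint_transforms(TRANSFORMS_CONF):
        print(problem)
```

Running it lists the two index sizes and reports the `MetaData:SourceType` stanza (with the correctly cased key as the suggestion) and the stanza whose FORMAT lacks the `sourcetype::` prefix; the correctly written stanza passes silently.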
06-02-2011
10:29 PM
Do you want a static value to appear in the center of the gauge, or a static range on the radial portion?
If you want the latter, you can pipe to the "gauge count" command, followed by the values you want to demarcate the gauge "colors" by.
So, issuing "| gauge count 0 25 50 75 100" after your search will start the gauge at "0", then end the green area at "25", the next colored area at "50"...etc (the number of colors is determined by the number of values you use after "count"..basically, n-1) .
Now the arc of the gauge can actually have different values listed than you specified (or not)...in this case, my search will produce an arc where the increments go from 0-100 by 10s...but I've seen other behavior based on the number of parameters you use and other factors.
Now, if you want to have a static value appear in the CENTER of the gauge, I think you can just change the value of the count using eval...something like this: "| eval count = 1000"
Hopefully either of these answered your question.
05-17-2011
01:34 PM
1 Karma
You could run the './splunk enable boot-start' command on the first instance of splunk, then just rename your /etc/init.d script to something like "splunk1" or "splunk2" or something like that, then run chkconfig --add (e.g. chkconfig --add splunk1)...that will create all the symbolic links in the rcx.d folders and perform all the other magic. Then, you can move to the next instance and run ./splunk enable boot-start on this instance and rename it again...etc. Basically, every instance will edit/overwrite the script /etc/init.d/splunk...so plan accordingly.
You could also edit the /etc/init.d/splunk script, I suppose...but that seems more error-prone.