If you do not want to mess around with XML, you could enforce a span size for timechart.
http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/timechart
For example:
... | timechart span=1h ...
I am also looking for a way to do this.
Depends on what you need and what you want to do, but a way to access them would be using Entity and Collections classes.
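from splunklib.client import Collection

DATAMODEL_ENDPOINT = 'datamodel/model'
# The first argument is a connected Service object
datamodels = Collection(self.service_wrapper.service, DATAMODEL_ENDPOINT)
for datamodel in datamodels:
    # do stuff with each data model entity
    pass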
You should be able to find README and INSTALL files in the package to get you started.
It contains an introduction, requirements, and instructions on how to run SplunkIT.
From the error, it seems like there was something wrong with the indexing test; either the indexing test result was not generated correctly/not there, or it was corrupted?
Check if bin/indexRecord.log is correctly written.
The script is basically running a Splunk search command to check whether what we have in Splunk matches the expected count (number of lines in the generated log file).
It seems weird that the percentage goes down though. It seems like events are getting deleted somehow, since the test script only checks the expected event count once, when it gets started.
A couple of things you could check:
Before you start another run of the indexing test, make sure that previous events are cleaned up within Splunk, such as the test index that is used (splunkit_idxtest) and the monitored directory (/data/static).
If you get into the state where it hangs again, check your Splunk instance to see the event counts currently indexed (index=splunkit_idxtest).
Splunk does have an issue where the mongod process did not shut down correctly and tries to start again, since Splunk does not try to kill off the running mongod instance. You could manually kill them off and restart Splunk.
KV Store is not a necessary component to run Splunk; however, some apps might use it to keep track of state.
Also to reiterate, the way to disable KV store is by editing server.conf:
[kvstore]
disabled = true
I believe the best way would be to use calculated fields - http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/definecalcfields
In props.conf, you could set up a calculated field such as:
[<stanza>]
EVAL-<field_name> = <eval statement>
which in your case would be:
[<your_stanza>]
EVAL-someResult = token1 * token2 * <someConstant>
Perhaps the most apparent benefit of using KV store vs. CSV is the ability to insert/update. CSV's append only allows you to attach to the end, which does not update existing entries.