How do we identify which splunk search is consuming more memory on the splunk indexers ? ... View more

Hi , We had list of servers a,b,c,d,e,f. How can we check how long splunk uf agents are down on the servers a,b,c,d,e,f? At present we restarted uf agents. I am looking for a query. Any help would be great. Thanks in advance 🙂 ... View more

Hi Splunk members, How Can I get some metrics to indicate things like search concurrency, search queue depth, cancelled/timed out searches, etc by search head and by indexer? ... View more

Hi all we have list of 10 Solaris servers and they are us servers we installed ufs on those servers and are pointing us deployment servers .In deployment client.conf file .Since we have search when I ran that search it is showing that it is phoning home with Uk Deployment server any Help with query ? I believe there is something wrong with Query .Please correct query if any changes need ?Help highly appreciated ? Query - | `get_coverage(baseline="isac_systems", feed="kpci_8100_solaris")` | eval Coverage = if('Full Coverage'=="Yes" OR 'Partial Coverage'=="Yes","Yes","No")|search "Full Coverage"="*" "Partial Coverage"="*" "Calculated Region"="*" "Phoning Home"="Yes" "Whitelisted"="*" Coverage=No "Operational Environment (Sys)"="PROD" OR "Operational Environment (Sys)"="DISASTERREC" | table "System Name" "Application" "Solution" "Calculated Asset Group" "Calculated Asset Type" "Calculated Lifecycle Status" "Lifecycle Phase" "OS Type" "OS" "Calculated Region" "Operational Environment (Sys)" "Server Zone" Component Function "Data Source Count" "Data Sources" "Full Coverage" "Partial Coverage" "Whitelisted" "Phoning Home" "Last Phone Home Time" "IMD" deployment_server |rename deployment_server as "Phoning Home Deployment Server" | fields - "." | lookup imd_splunkds_mapping IMD Country_Code AS "Calculated Region" | rename Calculated_DS as "IMD Calculated Deployment Server" ... View more