With the 4.2 upgrade it brought along with it the real-time updating of the metadata on the main screen/dashboard for the global summary, hosts/source/sourcetypes. Is there any way to disable this and go back to how it polls once on navigating to the front page the first time and not continuously updating? Thanks, Scott ... View more

So originally I thought the way cloning would work between two indexers was that data from a forwarder setup to clone would send identical events to each indexer - this part does work fine. However, when I bring down one indexer for a few minutes on a restart or whatnot, I thought the forwarders would send to the indexer that was up, while keeping track of what needed to be sent to the second indexer when it came back online. It appears the indexer that was down never gets the data that it missed while it was down once it comes back online. Does cloning work in that as long as one of the indexers is online that is good enough for those events? Doesn't seem right as I would think cloned should be identical, but it appears that's what I'm seeing. Is the only way around this to clone to two sets of autolb'ed indexers (ie. using four total indexers)? Or what I'm seeing I shouldn't be seeing? Thanks, Scott ... View more

Trying to get a search working where instead of the whole result set passing to the next command as one, they would pass over one at a time as a sort of a loop fashion. Then also use that value as a parameter value in a next command. Here is a simple example. Let's say I have this search: "blah" | top host | fields + host | throttle name=mytest period=300 | sendemail to=somebody sendresults=true Let's say this returns two hostnames which pass through the AlertThrottle app throttle command, that then sets the suppression state and fires an email. The email contains the two hostnames from the result set. I'd like to have each hostname pass through to the throttle command individually and also use the hostname to populate the "name=" value in the throttle portion. So that after the single search it is equivalent to: hostname1 -> | throttle name=$host period 300 | sendemail to=somebody sendresults=true hostname2 -> | throttle name=$host period 300 | sendemail to=somebody sendresults=true So each result (two hostnames) generates a separate email and also using that hostname as a parameter value. Are both of those two conditions even possible? Thanks, Scott ... View more

Is there a way to have only certain indexes searchable when peer'ed with a particular search head? Example: Indexer1: Index A and Index B Indexer2: Index C and Index D If I have a search head that has both Indexer1 and Indexer2 as distributed search peers, can I have it so that on Indexer2 only Index C is searchable by this search head (essentially keeping this search head from searching Index D)? Thanks, Scott ... View more

Couldn't find exact clarification on a couple things regarding reducing an index size but assuming how I think it will work, hoping someone has the definitive answer out there. If say I have an index that has a max size setting of 50g. Let's say this index is currently using 45g of it. I now want to reduce the max size for that index to 30g. After restarting splunk will it: 1) Purge data to get under the 30g limit? (assuming also it would then remove older buckets as necessary to stay under that limit as new data comes in moving forward - much as my current indexes that have hit limits do). 2) Start purging the oldest buckets first? I assume on both it "does the right thing", but wanted to make sure there weren't any hidden caveats before doing this. Thanks, Scott ... View more

I'm trying to rex out a chunk of events, then remove that field from the events prior to piping to the cluster command. So something similar to: blah | rex "resolving '(?<some_fqdn>[\w\d\.]+)' " | fields - some_fqdn | cluster So that the chunk extracted in the some_fqdn field doesn't contribute to making the event seem more unique. I know that cluster by default analyzes the _raw field and am assuming that the 'fields - some_fqdn' is not removing from the _raw field. So I guess my question is how do you remove a field from _raw prior to sending to another piped command, or how do you create a new field that is the equivalent of _raw minus some_fqdn (to then tell cluster to work off that new field)? Thanks, Scott ... View more

So I got this error today: Your maximum disk usage quota has been reached. usage=114MB quota=100MB The search was not run. I know I can up this in authorized.conf with srchDiskQuota for the appropriate role. Curious though where on disk this is stored and how it naturally gets cleaned up? I assume the data doesn't stay around endlessly. Thanks, Scott ... View more