Error message pop-up each and every day with new event any solution for this. ... View more

Could you please share it with me as well? ... View more

I'm facing the same issue, I have created new index under /opt/splunk/etc/master-apps/_cluster/local. on master node Indexes.conf [test] disabled = false repFactor = auto homePath = $SPLUNK_DB/test/db coldPath = $SPLUNK_DB/test/colddb thawedPath = $SPLUNK_DB/test/thaweddb tstatsHomePath = volume:_splunk_summaries/test/datamodel_summary maxMemMB = 20 maxConcurrentOptimizes = 6 maxHotIdleSecs = 86400 maxHotBuckets = 10 maxDataSize = auto_high_volume and I was able to see the index on all 3-peers from backend, but couldn't the index from any peer UI and also was unable to index any data to that index (test) ... View more

Another version that could work is: (?:arrived in state : )(?P\w+) ... View more

hey, you can show it using appendcols command but it will take longer to run. Try this ! Your base search with all 5 columns | appendcols [Your base search with all 5 columns | eventstats sum(third_column) as total | head 1] otherwise, i do not think any other solution for this! let me know if this helps you! ... View more

@risgupta, thank you for your answer. I’ve played with many possible options in inputs.conf/outputs.conf: 1) Set indexAndForward to true/false in outputs app folder and cef app folder 2) Made adjustments to cef index configuration 3) Moved /bin folder from apps/splunk_app_cef to apps/Splunk_TA_cefout Unfortunately, I was not able to make it work. From what I can see in the logs there is some activity going on, for example: Splunkd.log 01-22-2018 09:12:38.784 +0900 INFO TailReader - Batch input finished reading file='/opt/splunk/var/spool/splunk/1516579955_57250.stash_cef_Production_RSyslog' 01-22-2018 09:12:39.820 +0900 INFO TailReader - Batch input finished reading file='/opt/splunk/var/spool/splunk/1516579956_35645.stash_cef_Production_RSyslog' 01-22-2018 09:12:40.835 +0900 INFO TailReader - Batch input finished reading file='/opt/splunk/var/spool/splunk/1516579957_75123.stash_cef_Production_RSyslog' CEF Index also valid and exists according to what I see during splunk initialization process: Checking indexes... Validated: _audit _internal _introspection _telemetry _thefishbucket **cef* cim_summary firedalerts history idx_common_6y idx_ss main os perfmon summary unix_summary windows wineventlog Done* However, when I search for index=cef, or sourcetype=stash_cef, it still returns absolutely nothing. I believe this is the reason for events not being sent: there's nothing to send basically. However, when I configure CEF App and click on "Show preview of CEF events", it shows correct results and events do exist. Was anybody able to configure search head as a forwarder? ... View more

You can use chart to do the same as timechart: ... | eval Time = strftime(_time, "%m/%d %H:%M") | chart count as Total by Time ... View more