See my reply here if it can help https://community.splunk.com/t5/Deployment-Architecture/Splunk-Storage-Sizing-Guidelines-and-calculations/m-p/708258/highlight/true#M29013 ... View more

According to your reply and https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself splunk does not mange python.log rotation, but then how it is being rotated?  I've made python.log around 100MB with stopped splunk service and the python.log was NOT rotated. Once I've started splunk, log was immediately rotated to python.log.1, additionally the newly created python.log (size only few bites) I've also made it well over 25MB and it was rotated once again.  ... View more

@strive , @th1agarajan - My requirement is similar to this but I don't want daily peak hour. I just need to get peak hour from time range. Lets say, If I am searching for last 7 days data, it needs to report only one peak hour of whole hours (out of 24*7) . How can I achieve this ?  ... View more

Thanks so much for this! Also fixed my similar issues! 🙂  ... View more

you will need to install the following packages for the above commands yum install iotop -y yum install sysstat -y ... View more

Yes, @strive can you please tell me why you have used license_usage.log and license_usage.log* , I know it does make a difference but can you please explain why you used it differently specifically in this case ?  Also can someone please tell the difference between type=RolloverSummary and type=Usage along with addressing @strive 's initial query.  Thank you so much. ... View more

Thank you !!! ... View more

Hi , given the below input (4 mins of sample access log data): _time,URI,Bytes 2021-05-18 02:01:00,a,1 2021-05-18 02:01:00,a,1 2021-05-18 02:02:00,a,1 2021-05-18 02:03:00,b,1 2021-05-18 02:03:00,b,1 2021-05-18 02:04:00,a,1 assuming a window of 2 mins, i want to perform some computations (average and standard dev of bytes grouped by URI) as below source="ds1.csv" host="vgspl11hr" index="sfp" sourcetype="csv" | table _time,URI,Bytes | timechart span=1m avg(Bytes) AS avg_bytes, stdev(Bytes) AS std_bytes by URI limit=0 | fillnull value="" | untable _time Measure Value | eval Metric=mvindex(split(Measure,": "),0),uri=mvindex(split(Measure,": "),1) | fields - Measure | eval time_uri=_time."__".uri | fields - uri - _time | xyseries time_uri Metric Value | eval _time=mvindex(split(time_uri,"__"),0),uri=mvindex(split(time_uri,"__"),1) | fields - time_uri with 2-min time window between (5/18/21 2:01:00.000 AM to 5/18/21 2:03:00.000 AM), below is the output: _time uri avg_bytes std_bytes 2021-05-18 02:01:00 a 1 0 2021-05-18 02:02:00 a 1 0 So, the timechart performed the computations on the existing URIs in the first 2 mins time window, in that case the URI=a. but i want the timechart to consider the existence of the URI = b. Is there a way to have the timechart consider all the values of the URI in the computation, even if not all of the URI have values in the time window? I need the output to be as below in the first 2 mins time window: _time uri avg_bytes std_bytes 2021-05-18 02:01:00 a 1 0 2021-05-18 02:01:00 b 2021-05-18 02:02:00 a 1 0 2021-05-18 02:02:00 b Is that possible? ... View more

Here's the source from docs: https://docs.splunk.com/Documentation/Splunk/8.1.1/Installation/RunSplunkasadifferentornon-rootuser In section "Run Splunk Enterprise as a different or non-root user": It says: "On *nix based systems, you can run Splunk Enterprise as a user other than root. This is a Splunk best practice and you should configure your systems to run the software as a non-root user where possible."   ... View more

Hi, I'm looking for the answer for the question you posted, Do you find any answer for this? ... View more

Tried this on the search heads.  Restarted them but the default Time Picker in Pivot Edit is still "All Time".  We are also trying to promote the user of Data Models, but the default "All Time" is a real concern, as most biz users will use whatever default is there, and all these will put lots of strain on the servers. ... View more

Splunk team have told that it is a bug and it will be fixed. ... View more

Splunk has accepted that it is a bug and they will fix it. ... View more

The daily scheduled searches are going to be affected because of this. Is there any workaround for this for daily scheduled searches. Whats happening is: The daily scheduled search reruns automatically for all the days from the beginning till DST start date and thus creating duplicate summary data. This is because splunk is not able to resolved the time modifier snapped to day. Any workarounds for this would be highly appreciated. Meanwhile a case has been raised with Splunk to look into this issue. ... View more

Even i have seen this behavior. You need not add the attributes sslKeysPassword and password to server.conf and inputs.conf respectively. Without you entering these attributes, splunk adds them. See my other post: https://answers.splunk.com/answers/643307/why-is-the-ssl-connection-between-forwarder-and-in.html In my case: a. in server.conf, i did not even have [sslConfig] stanza. Splunk adds that and underneath sslKeysPassword attribute also. b. In inputs.conf, i had [SSL] stanza but not password attribute. During restart splunk adds password attribute. ... View more

I am not sure what you are seeing or where you are putting your conig settings because I am not seeing what you see. First, let's define working. In your version of splunk, what time range do you get by default when you are on the Pivot creation screen that has the url path app/launcher/pivot ? This is the page the original question is referring to where it always seems to default to "All Time". Now, I just took your config settings and put them in user-prefs.conf under <SPLUNK_ROOT>/etc/system/local/ and in <SPLUNK_ROOT>/etc/users/admin/user-prefs/local on 6.4, 6.5, and 7.0 and there was no effect on the default search period of the Pivot creation page. In all cases I made the config changes, and then rebooted Splunk. No change to the Pivot creation page was observed. ... View more

Does this return results to you? Or does it just run the search? ... View more

@tiagofbmm in _audit I found something like this : "Audit:[timestamp=03-20-2018 11:12:33.191, user=, action=quota,search_id=user_name_user_name_c3BsdW5rX2lzZWNh_search2_1521558753.140417_E1EDCF3F-8C8F-4C77-A662-09D345FAC644, elapsed_ms=17, cache_size=4027][n/a] " ... View more

I do something similar in the following search. It grabs the past 30 minutes and the prior three weeks same 30 minute window and averages the historical data to establish "normal" and then displays "now" in the same timechart. I thought this would give you something to work from. Not the prettiest search, but it works. index=main earliest=-30m@m latest=-0m@m host="xxxxxxx" | timechart span=30s count as TOTAL | eval ReportKey="Last30" | append [search index=main host="xxxxxxx" earliest=-10110m@m latest=-10080m@m | timechart span=30s count as TOT | eval ReportKey="1WkAgo" | eval _time=_time+604800] | append [search index=main host="xxxxxxx" earliest=-20190m@m latest=-20160m@m | timechart span=30s count as TOT | eval ReportKey="2WksAgo" | eval _time=_time+1209600] | append [search index=main host="xxxxxxx" earliest=-30270m@m latest=-30240m@m | timechart span=30s count as TOT | eval ReportKey="3WksAgo" | eval _time=_time+1814400 ] | timechart avg(TOT) as Three_week_average values(TOTAL) as The_previous_30_minutes ... View more

You're welcome. I've converted it to an answer. ... View more

Please refer this document http://docs.splunk.com/Documentation/Splunk/6.1/Admin/Alertactionsconf ... View more

Hi valiquet- Does this search required a match alert to happen for us to see the eval in the e-mail body? I set up is equal to 0 to test for now to see if this work. ... View more

total_raw_size: essentially uncompressed bytes indexed on this indexer for this index total_size: essentially size on disk for after compression and indexing metadata on this indexer for this index On average it will be normal for total_size to be 50% of total_raw_size. ... View more