Hi, I am new to summary indexes. I have scenario to work with. i have summary index searches for 1min, 5min,1hr,and a day. My 1min & 5min indexes have events from main index and 1 hr summary index is based on 5min summary index and for 1day its based on an hour summary index. i want to remove events from each summary index mentioned above for the period of 4\5\2016 22:00 to 4\8\2016 14:43 and back fill the same using fill_summary_index.py. (My deployment server was down on that particular time) Can anyone help me how can i achieve this without duplication of events please? ... View more

Not sure what's the reason. It was working till now, but suddenly stopped working. D:\Splunk\bin>splunk start Splunk> Winning the War on Error Checking prerequisites... Checking http port [8000]: open Checking mgmt port [8089]: open Checking configuration... Done. Checking critical directories... Done ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. Checking indexes... Validated: _audit _blocksignature _internal _thefishbucket histo ry main summary ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. Done ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. Checking filesystem compatibility... Done Checking conf files for problems... ERROR - Error opening "D:\Splunk\var\log\splunk\btool.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\btool.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\btool.log": Access is denied. Done ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. ERROR - Error opening "D:\Splunk\var\log\splunk\splunkd-utility.log": Access is denied. All preliminary checks passed. Starting splunk server daemon (splunkd)... Splunkd: Starting (pid 3260) Timed out waiting for splunkd to start. Warning: can't create "D:\Splunk\var\run\splunk\merged\literals.conf": Access is denied. Warning: can't create "D:\Splunk\var\run\splunk\merged\server.conf": Access is d enied. Warning: can't create "D:\Splunk\var\run\splunk\merged\web.conf": Access is deni ed. Starting splunkweb... splunkweb: Stopped Failed to start splunkweb service. ... View more

We have an indexer clustering Splunk environment, and recently, all our indexers are consuming 100% CPU. Not sure what will be the issue. Kindly suggest ... View more

My search: host=* sourcetype=* | stats last(Cnt) as CurrentQueueLength by _time | appendcols [ | inputcsv Langdon_Inbox ] | fillnull CurrentQueueLength | where CurrentQueueLength=LastAlertedQueue+5 | eval host=*| eval sourcetype=* | eval difference=CurrentQueueLength-LastAlertedQueue | eval exception=* | fields host sourcetype CurrentQueueLength LastAlertedQueue difference exception 1) if LastAlertedQueue(CSV) is greater than Zero, it should alert once and after alerting once, it shouldn't alert till 00:00 AM. (I am writing results from 1st alert in a CSV file) 2) if CurrentQueueLength=LastAlertedQueue(CSV)+5 , it should trigger an alert once and after alerting once, it shouldn't alert me till 00:00 AM 3) if CurrentQueueLength=LastAlertedQueue(CSV)+10, it should trigger an alert once and after alerting once, it should not alert me till 00:00AM I have to run the search every 15 min. Please help me to get the logic right ... View more

What am i looking for: My search results contains Count field. 1) if Count greater than Zero should alert once and after alerting once it shouldn't alert till 00:00 AM. (I am writing results from 1st alert in a csv file) 2) if number increases by 5 from that of no. in CSV (csv+5), i should trigger an alert once and after alerting once it shouldn't alert till 00:00 AM 3) if number increases by 10 from that of no. in CSV (Csv+10), i should trigger an alert once and after alerting once it shouldnot alert till 00:00AM I have to run the query for every 15 min. ... View more

I am not able to see my extracted field. I can see the field created under splunk/etc/users/local Also, I added the same to props.conf, but still I am not able to see the field in Splunk Web. ... View more

Saved search: sourcetype=* | timechart last(Cnt) as CurrentQueueLength span=5m | Where CurrentQueueLength>0 | table CurrentQueueLength | outputcsv ABC CSV: CurrentQueueLength 15 If the value increases by 5 (Value to be taken from CSV file), I need to trigger an alert ( cond=CurrentQueueLength+5). ... View more

1) 1st Qty > 0 2) and shouldnt alert till it becomes Qty>= 5 or more Below is the search that I used. It triggers the alert when cnt >0 & diff>0 for every 15 min. host=* sourcetype=* earliest=-20m | timechart last(Cnt) as CurrentQueueLength span=5m | delta CurrentQueueLength as difference p=3| Where (CurrentQueueLength>0 AND difference>0 AND difference>5) My requirement: 1) trigger alert when count >0 and do not trigger next alert until count goes above 5. please help me to get this logic right. ... View more

host=* sourcetype="Perfmon:Memory" collection=Memory object=Memory counter="% Committed Bytes In Use" Value=27.863303753428205 My stats looks like above and i want to be notified when my memory usage goes above 80% ... View more