Hi @Anantha123 ... 1). on DMC, you can get the index size details.  2). Using dbinspect command you can get the index size | dbinspect index=myindex | eval GB=sizeOnDiskMB/1024 | stat sum(GB) 3). rest command  | rest /services/data/indexes | stats values(currentDBSizeMB) by title 4) eventcount command:   | eventcount summarize=false index=* report_size=true | eval GB=(size_bytes/1024)/1024/1024 | stats sum(GB) by index, server    5) collect command: (not sure of this... pls test this one)   |collect index=myindex      ... View more

Hi @lucky .. for the rex beginners, i have created this youtube playlist.. pls check it, thanks. . https://www.youtube.com/watch?v=rXT35CnWorw&list=PLIJcAov3YzES8PJSX8gZ8cTHWsjh8KeyG   Youtube channel link is: https://www.youtube.com/@SiemNewbies101   ... View more

Hi @cert-team-admin .. lets say 10,000 Splunk engineers wrote this beta certification, you created a score baseline and 9000 Splunk Engineers failed in the first attempt. now in Oct, the 9000 Splunk Engineers should pay 130 dollars for their first attempt. I feel this is not fair.   maybe, just for the first time failure Splunk engineers, you should give only one free chance to write the exam.  if they fail again, then its ok, they should pay 130 dollars for their second attempt.  Please consider this request, thanks.  ... View more

are you looking for this one...  https://splunkbase.splunk.com/app/3283 or, check the other two apps... https://splunkbase.splunk.com/apps?keyword=HL7   ... View more

the tutorial data zip file contains all required indexes.  did you download the tutorial zip file and uploaded to Splunk?  when you search this, what results you get: index=* | stats count by index ... View more

one more question...approx, how long this exam will be in beta testing?!?! so, in oct, the cut score will be finalized and the results will be given to all exam writers.. for the who failed in the first attempt, for those who would like to re-appear for the exam, will the exam be in beta, so that we can re-appear for free, please suggest, thanks.  ... View more

Please check this post.. https://community.splunk.com/t5/Splunk-Search/How-to-find-all-searches-that-are-scheduled-to-run-every-hour/m-p/178652   ... View more

Hi @pinggru ...for the DAG error, you can search here in this community, you can find many solutions.  for the first issue, .. pls update us your search query (remove important details like username, etc..).. generally this issue represents the search query got some simple issues(mostly on the last part.. after the last "|")) ... View more

Please check this one...  index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" "CollateralProcessor - Completed calculating total balances:"| rex "Opening Balance:\s(?P<OpeningBalance>\d+)"|table OpeningBalance   ... View more

Pls check this https://community.splunk.com/t5/Getting-Data-In/Line-break-with-multiple-Linebreaker/m-p/400335 the values for BREAK_ONLY_BEFORE, MUST_NOT_BREAK_AFTER, MUST_BREAK_AFTER should be updated for your requirement properly..   rough one..  BREAK_ONLY_BEFORE=^Exception | ^java.io.FileNotFoundException | ^WARN MUST_NOT_BREAK_AFTER=something here MUST_BREAK_AFTER=something here   ... View more

Hi @spunk311z ... this right click on the URL and opening it in a new tab is controlled by the Chrome browser.. (this may be a splunk issue.. I think, the right click'ed URL is not passing the extra fields i think). One simple workaround is..  on the interesting fields list, instead of opening it in a new tab.. just click that interesting field directly.. so, the clicked interesting field will be added to the current SPL query and the logs will be filtered as per the interesting field you clicked.  one issue.. this will just run in the current tab itself.. as you wanted it to open in a new tab... just do this.  duplicate the current tab and click the interesting field.  (On Chrome browser, to create duplicate tab, you can right click the tab and duplicate it.. .. OR You can use a combination of two keyboard shortcuts to duplicate a Chrome tab. Step 1 – Press ALT + D. This selects the current tab. Step 2 – While the URL is selected in the address bar, press ALT + ENTER.) ... View more

you have  a single file, but you want to do multiple line breaking in that single file... is that right? ... View more

>>> So I need to integrate 12 new indexers to an existing multisite indexer cluster. i assume, you want to "add" 12 new indexer peers to the existing multisite indexer cluster.. Please check: https://docs.splunk.com/Documentation/Splunk/9.1.0/Indexer/Addclusterpeer   if this resolves you query, can you pls accept it as solution.. thanks.  ... View more

maybe you should provide some sample logs of how new user created, user deleted logs look like.  this task is achievable. just a good logic/idea is needed. when we can see the sample logs, we can try to work on the SPL query step by step. thanks.  ... View more

most probably, the ip addresses are already captured and assigned to some fields.. for example.. sourceip, srcip, etc.. so just find out what field you are looking for(if you want to include two or more fields, then you can use OR option). then you can speed up the search like this.. this one will be much faster than the search you mentioned(because as it searches the already extracted fields) index=* srcip="x.x.x.x"  as said in the previous reply.. the datamodel, saved search are the best options..  or if you manually search, last 1 day logs with the ip address, then it may take around two/three or few mins..  instead, try to create a report, which runs every 6 hrs or so, when there is a match, it should email you the details. hope you got the idea. let us know if any further details required. thanks.  ... View more

From your question, i could not understand much actually. i feel others will also face same issue.  More details are needed please.. Splunk ID... the Splunk process ID's or user ID's? ... View more

index=isilon sourcetype="emc:isilon:rest" "memory threshold" | table _time _indextime "Start Time" events.message Can you pls run this and update us the results..  do you know if the UF, heavy forwarder and indexer are having same clock times(are they using NTP for time sync?) ... View more

thanks for the Search Query... but still your question "Is the Search overall returning the SRC filed the way it does because  either A there is no data or B filling in from the search and the search needs to be changed." is not clear.. please update us, from the tstats command what kind of results you are looking for(maybe provide us a table format sample output what you are looking for)..then we can reverse engineer the tstats command for your.. thanks. ... View more

4. crashing on only one UF  .... if you are looking for short answer... uninstall that 9.0.4 UF, use another UF version... either 9.0.0 or 9.1.0..etc.. if you are looking for a perfect solution, then, Splunk support ticket is the only answer. (9.0.4 UF is a recent one... the linux and that UF may have some compatibility issues or.. that particular linux is giving some troubles to the UF.. only Splunk Support guys can solve this issues.. thanks.  ... View more