thank you. 100% my case. ... View more

excellent. this is exactly what's important. i'd also add this: there's No difference between "left join" and "left OUTER join". ref. https://stackoverflow.com/questions/406294/left-join-vs-left-outer-join-in-sql-server ... View more

Here's the source from docs: https://docs.splunk.com/Documentation/Splunk/8.1.1/Installation/RunSplunkasadifferentornon-rootuser In section "Run Splunk Enterprise as a different or non-root user": It says: "On *nix based systems, you can run Splunk Enterprise as a user other than root. This is a Splunk best practice and you should configure your systems to run the software as a non-root user where possible."   ... View more

Hello Rich! (I don't have the problem, but I'm preparing to move some old index data, and I read this page. That's why I'm asking, disturbed a little bit.) If I'm correct the quick remedy is to remove back those new folders I placed in db storage of my new Splunk server. I mean its bad to have the instance down. But how can I avoid the collision? Maybe by appropriate naming of new buckets or directories? ... View more

(under the link) Thanks a lot. Uninstall an app or add-on To remove an installed app from a standalone Splunk platform installation: (Optional) Remove the app or add-on's indexed data. Typically, the Splunk platform does not access indexed data from a deleted app or add-on. However, you can use the Splunk CLI clean command to remove indexed data from an app before deleting the app. See Remove data from indexes with the CLI command. Delete the app and its directory. The app and its directory are typically located in $SPLUNK_HOME/etc/apps/<appname>. You can run the following command in the CLI: ./splunk remove app [appname] -auth <username>:<password> You may need to remove user-specific directories created for your app or add-on by deleting any files found here: $SPLUNK_HOME/etc/users/*/<appname> Restart the Splunk platform. ... View more

hi, i think i can give an answer for one indexer, i.e. non-clustered (as i don't see the answer here). a. for TCP inputs: just resize (up\down) the max volume (and you will not lose date and the size will be changed) b. for dbinputs: * resize up = just change max size to lager value * resize down = CAUTION (since you can lose all data in case you do it the wrong way) step 1:  stop dbinput step 2:  change max index size to a lesser value step 3:  refresh the indexer via UI (.../debug/refresh) step 4 (optional): check that you didn't lose your data step 5: enable back you dbinput, and check your data again ... View more

Hello Ismo, one question: am i correct that i can install several add-ons on the same Splunk server? ... View more

Thanks a lot, Rich! But what with disaster recovery? I mean should that heavy forwarder be a "backuped" server? Or maybe a containerized thing?.. I this case a lot depends whether my Heavy FWR is alive... And regarding speed, if I manage to min recommended set up, is 5-15 seconds speed of replication accesseble? ... View more

Guys, really no ideas? ... View more

no support - ok, I got it but no updates - that's kinda unfair... ... View more

hi, am i correct that the data is replicated (i.e. present on both indexers) and available for search on search heads, but not shown when search on them (indexers) ? i have not read yet the whole page, honestly... ... View more

thank you Rich, but i guess i don't have to pay annuals... i bought perpetual license for N gigabytes per day... no? ... View more