I found this very usefull search for a dashboard on gosplunk: | rest /services/data/indexes | dedup title | fields title | rename title AS index      | map maxsearches=1500 search="| metadata type=sourcetypes index=\"$index$\"     | eval Retention=tostring(abs(lastTime-firstTime), \"duration\")     | convert ctime(firstTime) ctime(lastTime)     | sort lastTime     | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\"     | eval index=\"$index$\""     | fields index  sourcetype TotalEvents FirstEvent LastEvent Retention     | sort sourcetype     | stats list(sourcetype) AS SourceTypes list(TotalEvents) AS TotalEvents list(FirstEvent) AS "First Event" by index     | append [| rest /services/data/indexes | dedup title | fields title | rename title AS index]     | dedup index | fillnull value=null SourceTypes TotalEvents "First Event" "Last Event" Retention | sort index | search index=* (SourceTypes=*) However, when i first ran it, some of the "lastevent" values appeared correctly. Ever since then, "LastEvent" and "Retention" have allways been "Null". I cant figure out why i dont get any return values on these fields. I got an error saying the limit on "list" command of 100 was surpassed. So i tried replacing "list()" with "values()" in the search, but the result is the same, just without the error.  ... View more

Trying to fix a corruption issue with a _metrics bucket, using the "./splunk rebuild <path> command. Doing this, i recieve the following WARN "Fsck - Rebuilding entire bucket is not supported for "metric" bucket that has a "stubbed-out" rawdata journal. Only bloomfilter will be build" How would i rebuild the metrics bucket to fix the error? ... View more