Thanks for the inputs. Your answer answered another one of my questions. I was seeing very uneven indexing (in terms of volume of data indexed) across my two indexers even when all my forwarders know about both the indexers. I think that what is happening is that one of my job servers (which is a heavy forwarder) runs scripted inputs and transfers large volumes of data into one indexer.
I have multiple indexers in production and I would like to use the rest api to input data using receivers/stream.
The question I have is: should I send the REST API data to a forwarder, which would then forward it to all the indexers? Or can I only send the data to one indexer this way?
If I do that, I think it would have the date and time included in the value. I just need the time part so that I can find the events that occurred in that time period for the last 30 days. So how do I extract just the time part is the question.
I would like to know how to subtract 30 minutes from the call to the now() function and set the value of a field called StartTime:
| eval StartTimeInSecondsSince12AM = SomeFunction(now() - 30) | eval EndTimeInSecondsSince12AM = SomeFunction(now())
From there I want to run a query like:
earliest = -30d latest = -1d | where SecondsSince12AM(_time) >= StartTimeInSecondsSince12AM AND SecondsSince12AM(_time) <= EndTimeInSecondsSince12AM
Thank you.
It seems that Splunk is not sending the emails when the alerts are triggered. Is there any place where I can see what errors were logged when Splunk tried to send the alert email?
Thank you. I am planning to use this in a monitoring scenario, so if error counts in the last 30 minutes increase more than the 30-day average (during the same 30 minutes) then we have a problem. So would you recommend sticking to rounded 30 minutes or doing the last 30 minutes?
I would like to get an average of any given value for a time range, say 7:00 PM to 8:00 PM, over the last 30 days.
Would I need to use sum(eval(if(_Time >= StartTime,if (_time<=EndTime,ValueToSum,0),0) and then calculate the average?
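The two time-of-day questions above (comparing each event's seconds-since-midnight against a window derived from now() minus 30 minutes, and averaging a value over the same clock-hour across the last 30 days) can be handled with one SPL search. This is an added example, not code from the original posts; the field name ValueToSum comes from the question, while window_start, window_end, SecondsSince12AM and the index name my_index are assumptions. It uses standard SPL functions (relative_time, strftime, tonumber, if) and also handles the edge case where the window crosses midnight, which a plain >= AND <= comparison would silently drop.

```spl
index=my_index earliest=-30d latest=-1d
| eval window_end = now()
| eval window_start = relative_time(now(), "-30m")
| eval StartTimeInSecondsSince12AM = tonumber(strftime(window_start, "%H")) * 3600 + tonumber(strftime(window_start, "%M")) * 60 + tonumber(strftime(window_start, "%S"))
| eval EndTimeInSecondsSince12AM = tonumber(strftime(window_end, "%H")) * 3600 + tonumber(strftime(window_end, "%M")) * 60 + tonumber(strftime(window_end, "%S"))
| eval SecondsSince12AM = tonumber(strftime(_time, "%H")) * 3600 + tonumber(strftime(_time, "%M")) * 60 + tonumber(strftime(_time, "%S"))
| where if(StartTimeInSecondsSince12AM <= EndTimeInSecondsSince12AM,
           SecondsSince12AM >= StartTimeInSecondsSince12AM AND SecondsSince12AM <= EndTimeInSecondsSince12AM,
           SecondsSince12AM >= StartTimeInSecondsSince12AM OR SecondsSince12AM <= EndTimeInSecondsSince12AM)
| bin _time span=1d
| stats sum(ValueToSum) AS daily_sum count AS daily_count BY _time
| stats avg(daily_sum) AS avg_value_in_window avg(daily_count) AS avg_events_in_window
```

The strftime/tonumber arithmetic converts an epoch value into seconds since midnight in the search user's time zone, so an event at 19:00:00 yields 68400 regardless of the date. The if() inside where swaps the AND for an OR when the window wraps past midnight (for example 23:50 to 00:20), so those events are still counted. Binning by day before the final stats gives the per-day sum within the window and then averages those sums, which is the "same 30 minutes across 30 days" baseline the monitoring scenario needs; for the 7:00 PM to 8:00 PM case, replace the two window evals with fixed values of 68400 and 72000.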