I like this search as it gives me source, sourcetype, host and volume in a nice table which can then be sorted by whichever column you want (defaults to volume):
index=_internal source=*license_usage.log | eval MB=b/1024/1024 | stats sum(MB) by s,st,h | rename s AS Source st AS Sourcetype h AS Host sum(MB) AS Volume(MB) | sort -Volume(MB) | head 50
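The same aggregation outside Splunk, as an added Python example that is not from the original post: it parses constructed sample lines laid out like license_usage.log, sums the b= field per source/sourcetype/host in MB and sorts by volume, skipping the RolloverSummary line that has no s/st/h fields, just as `stats ... by s,st,h` drops it.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout of Splunk's license_usage.log.
# type="Usage" entries carry s=, st=, h= and b=; the RolloverSummary
# entry carries only a daily total and must not be counted per source.
SAMPLE_LOG = """\
01-02-2015 09:00:00.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/messages" st="syslog" h="web01" pool="auto_generated_pool_enterprise" b=3145728 poolsz=53687091200
01-02-2015 09:00:00.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/secure" st="linux_secure" h="web01" pool="auto_generated_pool_enterprise" b=1048576 poolsz=53687091200
01-02-2015 09:01:00.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/messages" st="syslog" h="web01" pool="auto_generated_pool_enterprise" b=2097152 poolsz=53687091200
01-02-2015 09:01:00.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/messages" st="syslog" h="db01" pool="auto_generated_pool_enterprise" b=524288 poolsz=53687091200
01-02-2015 23:59:59.000 +0000 INFO  LicenseUsage - type="RolloverSummary" idx="main" b=6815744 poolsz=53687091200
"""

# Matches key="quoted value" or key=bare (bare is used for numbers such as b=3145728).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value pairs of one license_usage.log line as a dict."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def volume_by_source(log_text, top=50):
    """Sum bytes per (source, sourcetype, host) in MB, largest first.

    Mirrors: eval MB=b/1024/1024 | stats sum(MB) by s,st,h | sort -Volume(MB) | head 50
    """
    totals = defaultdict(float)
    for line in log_text.splitlines():
        kv = parse_line(line)
        if not all(k in kv for k in ("s", "st", "h", "b")):
            continue  # RolloverSummary and other events without s/st/h are dropped
        totals[(kv["s"], kv["st"], kv["h"])] += int(kv["b"]) / 1024 / 1024
    rows = [{"Source": s, "Sourcetype": st, "Host": h, "Volume(MB)": round(mb, 3)}
            for (s, st, h), mb in totals.items()]
    rows.sort(key=lambda r: r["Volume(MB)"], reverse=True)
    return rows[:top]


if __name__ == "__main__":
    for row in volume_by_source(SAMPLE_LOG):
        print(row)
```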
If you're using bash on a *nix-based system, make sure you're in the $SPLUNK_HOME/bin directory before you run that command. Or add /opt/splunk/bin/splunk cmd [etc] to your command.
Hi Jenn,
I think this Splunk Answer may be what you're after:
http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html
I tried applying the work-around suggested above but this did not stop our indexer splunkd process from crashing. After adding negotiateNewProtocol = false to the outputs.conf on all our tier 1 intermediate Splunk servers + search head + deployment server the crashes stopped.
Note that we have no Windows UFs connecting directly to our indexer, only Linux UFs or full Splunk instances built on Linux, so I'd suggest this issue might apply to more than just Windows UFs connecting to an indexer.