cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
GersonGarcia
Path Finder
Member since: ‎09-26-2014
‎11-30-2022
Community Statistics
Posts 55
Solutions 0
Karma Given 0
Karma Received 4
Member Since ‎09-26-2014
Activity Feed
Topics I've Started
View All

How can I reformat this report?

by in Reporting
‎11-28-2022 02:03 PM
‎11-28-2022 02:03 PM
All, I have this search       index=sro sourcetype=sro-cosmo "DL Cert OK" "Security Posture End of sweep report" | extract pairdelim="\n" kvdelim=":" | rex field=_raw "--ticket \'(?<ticket>.+)\' --summary" | fillnull value=0 | table _time ticket SA_Fail_Total_Count SA_Success_Count SA_Unreachables LP_Firmware_too_old | dedup _time ticket       That results in: But my user wants in this format: I am using Splunk 8.2.6. Is there any way to format this report? So my user does not need to manipulate it in Excel? Thank you, Gerson Garcia ... View more
Labels

Re: mvexpand not working on lookup.

by in Splunk Search
‎07-25-2022 09:01 AM
‎07-25-2022 09:01 AM
Yes, that works... Interesting why \n didn't... ... View more

Re: mvexpand not working on lookup.

by in Splunk Search
‎07-25-2022 08:37 AM
‎07-25-2022 08:37 AM
@richgalloway  I tried both: And: Thank you! ... View more

Why is mvexpand not working on lookup?

by in Splunk Search
‎07-25-2022 08:21 AM
‎07-25-2022 08:21 AM
Hello, I am trying to create dashboard input based on lookup table. I have simple lookup with monitor name and list of all components it may apply:   $ cat Itron_INS_monitors.csv "Monitor_Name",Component "AMM::DB::Unscheduled Jobs",DB "APP:::Tibco::ERROR: Accept() failed: too many open files",TIBCO "App::All::DB Connection Pool Exhausted","FWU GMR MPC MT NEM ODS THIRDPARTY TMB RMACA CAAS HCM NEC DMS DLCA * FPS SSNAGENT SSNAGENTFORWARDER TRAPROUTER AMMWSROUTE AMMJMSROUTE ODSJMSROUTE HCMWSROUTE MPCWSROUTE SENSORIQWSROUTE ODSWSROUTE AMMMULTISPEAK REG SAM PM SENSORIQ TBR ACTIVEMONITOR ZCU"   For some reason, mvexpand does not work. It is not memory, because my csv file has just ~100 lines. Please help!!! Thank you ... View more
Labels

Re: License utilization report mismatch

by in Monitoring Splunk
‎07-07-2022 02:19 PM
‎07-07-2022 02:19 PM
@ITWhisperer @PickleRick The license utilization reported by License Master is 947.996 ... View more

Re: License utilization report mismatch

by in Monitoring Splunk
‎07-07-2022 02:16 PM
‎07-07-2022 02:16 PM
@PickleRickand @ITWhisperer I am not rounding anything before stats, it does not make any difference if I run index=_internal host=licensemaster source=*license_usage.log* type=Usage earliest=-1d@d latest=-0d@d | stats sum(b) as sumb last(poolsz) as lastpoolsz by _time | addcoltotals sumb The sum(b) is the same 967069668524 or 900.653   ... View more

How to generate license utilization report per day...

by in Monitoring Splunk
‎07-06-2022 02:15 PM
‎07-06-2022 02:15 PM
All, This is another license utilization report mismatch. I have request to generate license utilization report per day and save it for historical data. I am using the 30 Days License Usage report as a base for my daily report:     index=_internal host=licensemaster source=*license_usage.log* type="RolloverSummary" earliest=-1d@d latest=-0d@d | bin _time span=1d | stats sum(b) as sumb last(stacksz) as laststacksz by _time component | eval sumgb=round(sumb/1024/1024/1024, 3) | eval laststackszgb=round(laststacksz/1024/1024/1024, 3)     And it is giving me the result as expected: I want to go further and try to get the license utilization per hour, so I changed the search to:     index=_internal host=licensemaster source=*license_usage.log* type=Usage earliest=-1d@d latest=-0d@d | stats sum(b) as sumb last(poolsz) as lastpoolsz by _time | eval sumgb=round(sumb/1024/1024/1024, 3) | eval lastpoolszg=round(lastpoolsz/1024/1024/1024, 3) | addcoltotals sumb     But the result is lower than than the daily one: 967069668524 bytes is 900.656 Gb. What am I doing wrong? I am running Splunk Enterprise 8.2.6. Thank you, Gerson Garcia ... View more
Labels

Best practice to move Splunk indexers servers.

by in Deployment Architecture
‎02-08-2021 01:35 PM
‎02-08-2021 01:35 PM
Hello all, We have Splunk Multisite Indexer Cluster in 2 different data centers. Each Site has 3 nodes in the Cluster running Splunk Enterprise 7.3.2. We are closing down one of the sites and I need to move these 3 indexers to a third site we are moving to. It would take up to 7 days to have the hosts moved from one site to another, racked and renamed / re-ip. Our clustering factors are: site_replication_factor = origin:2,total:3 site_search_factor = origin:2,total:3 What should be the best approach: 1) Move one host at time, wait for data replication is completed and move the next? 2) Move all hosts at the same time and add them back to the cluster one at time? 3) Do I need to place the cluster in Maintenance Mode before move? 4) At the end of move we will keep the 2 Sites environment. Should I create a new Site and move the indexers to there? Thank you very much, Gerson Garcia   ... View more
Labels

How to upload lookup file using REST to specific a...

by in Deployment Architecture
‎05-08-2020 11:05 AM
‎05-08-2020 11:05 AM
All, I am trying to manage lookup csv files using REST API. 1) I create the lookup file on the stage folder: : [1755] root@endpoint:~ # ; ls -al /opt/splunk/var/run/splunk/lookup_tmp/* -rw-r--r-- 1 root root 1631 May 8 17:49 /opt/splunk/var/run/splunk/lookup_tmp/nagios_gg.csv 2) I am able to upload it using REST: curl -k -X POST -u ggarcia https://endpoint:8089/services/data/lookup-table-files/nagios_gg.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/nagios_gg.csv It works fine, but it creates the lookup under search app: <content type="text/xml"> <s:dict> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">ggarcia</s:key> <s:key name="perms"/> <s:key name="removable">1</s:key> <s:key name="sharing">user</s:key> </s:dict> </s:key> <s:key name="eai:appName">search</s:key> <s:key name="eai:data"><![CDATA[/usr/ssn/splunk/etc/users/ggarcia/search/lookups/nagios_gg.csv]]></s:key> <s:key name="eai:userName">ggarcia</s:key> </s:dict> </content> If I move it to different app using: curl -k -X POST -u ggarcia https://endpoint:8089/services/data/lookup-table-files/nagios_gg.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/nagios_gg2.csv Enter host password for user 'ggarcia': <?xml version="1.0" encoding="UTF-8"?> <response> <messages> <msg type="ERROR">An object with name=nagios_gg.csv does not exist</msg> </messages> </response> How can I create it in different APP and be able to update using REST? Thank you! ... View more

sourcetype cron, cron-2 or syslog

by in All Apps and Add-ons
‎03-18-2020 12:42 PM
2 Karma
‎03-18-2020 12:42 PM
2 Karma
All, I am having issues with all versions of UF. I installed Splunk_TA_nix 7.0.0 on some Splunk UF 8.0.2.1 and old Splunk UF 6.2.4 It has the following stanza in the local/inputs.conf: [monitor:///var/log] whitelist=(.log|log$|messages|secure|auth|mesg$|cron$|acpid$|.out) blacklist=(lastlog|anaconda.syslog)disabled = 0 For some reason I have many different sourcetypes: | tstats count where (source=*cron earliest=-4h) by source sourcetype source sourcetype count 1 /var/log/cron cron 40884 2 /var/log/cron cron-2 41597 3 /var/log/cron cron-3 15487 4 /var/log/cron cron-4 3019 5 /var/log/cron cron-5 681 6 /var/log/cron cron-too_small 3192 7 /var/log/cron monolith_tool_usage 169 8 /var/log/cron sendmail_syslog 1732 9 /var/log/cron syslog 58095 I tried everything to find how this sourcetype is set, I cannot see anything in our indexer of UF props.conf. All the sources in the same stanza have the same issue, but cron is so far the worse. Any help will be very appreciated, Gerson Garcia ... View more

Re: Splunk UI not working windows 10.

by in Splunk Search
‎01-20-2020 11:18 AM
‎01-20-2020 11:18 AM
Any browser. Chrome, IE, Firefox. ... View more

Splunk UI not working windows 10.

by in Splunk Search
‎01-20-2020 07:39 AM
‎01-20-2020 07:39 AM
I believe the latest MS updates changed something that is preventing Splunk to open. The error message does not say much: This browser is not supported by Splunk. Please refer to the list of Supported Browsers. The updates that caused the issue are: January 14, 2020-KB4532938 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 1903 and Windows Server 1903 RTM and Windows 10, version 1909 and Windows Server, version 1909 https://support.microsoft.com/en-us/help/4532938/kb4532938-cumulative-update-for-net-framework OR January 14, 2020—KB4528760 (OS Builds 18362.592 and 18363.592) https://support.microsoft.com/en-us/help/4528760/windows-10-update-kb4528760 Any idea how to fix this issue? Thank you, Gerson Garcia ... View more

In a search head cluster, how to find what host se...

by in Splunk Search
‎02-12-2019 12:17 PM
‎02-12-2019 12:17 PM
All, I have production environment with Alarm email notification. Sometimes it works, sometime it does not. Since I have 3 search heads and all 3 can run Saved Searches, I don't know which one may fail to sendmail. Does anybody knows how to find the server that ran the sendmail command? Thank you, ... View more

Re: Issues with _internal metrics.log

by in Splunk Dev
‎02-04-2019 12:36 PM
‎02-04-2019 12:36 PM
The problem here is that if I have any transformation before ingestion, it will be lost... ... View more

Re: Issues with _internal metrics.log

by in Splunk Dev
‎02-04-2019 12:33 PM
‎02-04-2019 12:33 PM
@chrisyoungerjds I believe I can find in a different log: index=_internal sourcetype=splunkd group=tcpout_connections host=*xey* earliest="01/31/2019:1:29:00" latest="01/31/2019:2:29:00" | chart sum(kb) by host | sort - sum(kb) 1 lasxeypr01vmw01.las.ssnsgs.net 19532.55 2 lasxeypr01vmw02.las.ssnsgs.net 17314.92 3 lasxeypr01nan01.las.ssnsgs.net 1520.58 4 lasxeypr01sla01.las.ssnsgs.net 1393.90 5 lasxeypr01gpl01.las.ssnsgs.net 1360.50 6 lasxeypr01dem01.las.ssnsgs.net 1283.92 7 lasxeypr01vmw03.las.ssnsgs.net 1269.57 8 sanxeyte01dem01.san.ssnsgs.net 1233.25 ... View more

Re: Issues with _internal metrics.log

by in Splunk Dev
‎02-04-2019 12:18 PM
‎02-04-2019 12:18 PM
Yeah, I guess I could, but the problem is the log size depends of many factors, and it is never the same in two hosts... Thank you for your help. ... View more

Re: Issues with _internal metrics.log

by in Splunk Dev
‎02-04-2019 11:54 AM
‎02-04-2019 11:54 AM
Humm the problem is it will take forever to complete the search for all hosts past day: host=xey earliest=-1d@d latest=@d | eval len = len(_raw) | stats sum(len) as bytes by index host 1 main lasxeypr01slv01.las.ssnsgs.net 24430 2 os lasxeypr01dem01.las.ssnsgs.net 10702044 3 os lasxeypr01gpl01.las.ssnsgs.net 11615854 4 os lasxeypr01nan01.las.ssnsgs.net 19561100 5 os lasxeypr01sla01.las.ssnsgs.net 14134946 6 os lasxeypr01vmw01.las.ssnsgs.net 111012962 7 os lasxeypr01vmw02.las.ssnsgs.net 56708985 8 os lasxeypr01vmw03.las.ssnsgs.net 9954705 9 os sanxeyte01dem01.san.ssnsgs.net 9743627 10 ssn lasxeypr01dem01.las.ssnsgs.net 569558 11 ssn lasxeypr01slv01.las.ssnsgs.net 3102610 12 ssn lasxeypr01vmw01.las.ssnsgs.net 135302275 13 ssn lasxeypr01vmw02.las.ssnsgs.net 51478532 This search has completed and has returned 13 results by scanning 1,724,992 events in 86.817 seconds ... View more

Issues with _internal metrics.log

by in Splunk Dev
‎02-01-2019 03:49 PM
1 Karma
‎02-01-2019 03:49 PM
1 Karma
All, I am working on project to "predict" how much Splunk license I may need in order to onboard new customer. Usually we ingest the same information for all customers, what is the main difference is the number of entries in the logs. The problem I am having is that I cannot trust on the _internal metrics.log of my indexers. Looks like it does not have all information. For example, if I run: index=ssn host=*xey* earliest="01/31/2019:1:29:00" latest="01/31/2019:2:29:00" | stats count by host 1 lasxeypr01dem01.las.ssnsgs.net 107 2 lasxeypr01slv01.las.ssnsgs.net 120 3 lasxeypr01vmw01.las.ssnsgs.net 28865 4 lasxeypr01vmw02.las.ssnsgs.net 12242 At the same time: index="_internal" source="*metrics.log" group="per_host_thruput" earliest="01/31/2019:1:29:00" latest="01/31/2019:2:29:00" series=*xey* | chart sum(kb) by series | sort - sum(kb) No results found. Some data is there: index="_internal" source="*metrics.log" group="per_host_thruput" earliest="01/31/2019:1:29:00" latest="01/31/2019:2:29:00" | stats count by host 1 arnvtnpr01spl01.arn.ssnsgs.net 117 2 iadphite01spl01.iad.ssnsgs.net 116 3 janentpr01spl01.jan.ssnsgs.net 116 4 lascocpr01mys01.las.ssnsgs.net 116 5 lascocpr01mys02.las.ssnsgs.net 117 6 lascocpr01mys03.las.ssnsgs.net 116 7 lashrmpr01kaf05 117 8 lashrmpr01wor02 116 9 lasssnpr01spl01.las.ssnsgs.net 1160 10 lasssnpr01spl02.las.ssnsgs.net 1160 11 lasssnpr01spl03.las.ssnsgs.net 1160 12 lasssnpr01spl04.las.ssnsgs.net 679 13 lasssnpr01spl05.las.ssnsgs.net 170 14 lasssnpr01spl06.las.ssnsgs.net 116 15 lasssnpr01spl07.las.ssnsgs.net 116 16 lasssnpr01spl08.las.ssnsgs.net 213 17 lasssnspl01app01.las.ssnsgs.net 188 18 lcxfplpr02spl01.fpl.ssnsgs.net 1160 19 litentpr02spl01.lit.ssnsgs.net 117 20 okcogepr02spl01.okc.ssnsgs.net 116 21 pdxpcfte01spl01.pdx.ssnsgs.net 152 22 phlphipr01spl01.phl.ssnsgs.net 117 23 sanssnpoc02slv01.san.ssnsgs.net 116 24 sanssnpr01spl01.san.ssnsgs.net 1160 25 sanssnpr01spl02.san.ssnsgs.net 1160 26 sanssnpr01spl03.san.ssnsgs.net 1160 27 sanssnpr01spl04.san.ssnsgs.net 125 28 sanssnpr01spl05.san.ssnsgs.net 160 29 sanssnpr01spl06.san.ssnsgs.net 195 30 sanssnpr01spl10 1160 I know for sure I have data ingested for these hosts. So, how can get the exactly amount of data that is indexed? It is some rotation on the _internal index that I am missing? Thank you, Gerson ... View more

Re: My Indexer is not processing "Keep specific ev...

by in Splunk Dev
‎01-31-2019 01:37 PM
‎01-31-2019 01:37 PM
It didn't work. It is not finding the REGEX. In the documentation I found: Data:Host : The host associated with the event. The value must be prefixed by "host::" What does it mean? In my inputs.conf I have: [monitor:///usr/ssn/gateway/logs/metrics.log] host = lasconpr01vmw08.las.ssnsgs.net sourcetype = metrics-app-gateway _meta = ssnservice::CONED-PROD01 index = ssn Should I add: [monitor:///usr/ssn/gateway/logs/metrics.log] host = lasconpr01vmw08.las.ssnsgs.net sourcetype = metrics-app-gateway _meta = ssnservice::CONED-PROD01 host::lasconpr01vmw08.las.ssnsgs.net index = ssn ... View more

Re: My Indexer is not processing "Keep specific ev...

by in Splunk Dev
‎01-31-2019 12:10 PM
‎01-31-2019 12:10 PM
I can't do that, I just need to stop index this particular stanza [metrics-app-gateway] for all hosts except lasconpr01vmw08.las.ssnsgs.net. ... View more

Re: My Indexer is not processing "Keep specific ev...

by in Splunk Dev
‎01-31-2019 12:04 PM
‎01-31-2019 12:04 PM
But hold on, if I do that, I will exclude everything else (all apps and logs): [host::<other hosts>] TRANSFORMS-set= setnull Right? ... View more

Re: My Indexer is not processing "Keep specific ev...

by in Splunk Dev
‎01-31-2019 11:43 AM
‎01-31-2019 11:43 AM
Ah, that may be the reason. Is there any way I can use MetaData field something like: REGEX=host::lasconpr01vmw08.las.ssnsgs.net The props.conf and transforms.conf are in the Indexer Thank you. ... View more

My Indexer is not processing "Keep specific events...

by in Splunk Dev
‎01-31-2019 11:29 AM
‎01-31-2019 11:29 AM
Hello all, I have one app that generates a lot of data and it is killing my license. We need this data for sensitive customer only. So, I followed https://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Routeandfilterdatad Keep specific events and discard the rest: My props.conf is: [metrics-app-gateway] TRANSFORMS-set= setnull,setparsing And trasnsforms.conf: [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX=lasconpr01vmw08.las.ssnsgs.net DEST_KEY = queue FORMAT = indexQueue But for some reason it is not working. When I comment out #TRANSFORMS-set= in props.conf, I ingested the file properly. How can I troubleshoot this? How come it is not passing by REGEX? Thank you Gerson Garcia. ... View more

Re: maxVolumeDataSizeMB not enforced. Splunk is in...

by in Getting Data In
‎07-05-2018 09:11 AM
‎07-05-2018 09:11 AM
@acharlieh 1) Yes, I believe they are referencing the volumes. This is our indexes.conf: ################################################################################ # index specific defaults ################################################################################ maxDataSize = auto maxWarmDBCount = 600 frozenTimePeriodInSecs = 34128000 rotatePeriodInSecs = 60 coldToFrozenScript = coldToFrozenDir = compressRawdata = true maxTotalDataSizeMB = 500000 maxMemMB = 5 maxConcurrentOptimizes = 6 #blockSignSize = 0 ## removed per 6.3.3 upgrade maxHotSpanSecs = 7776000 maxHotIdleSecs = 0 maxHotBuckets = 3 quarantinePastSecs = 77760000 quarantineFutureSecs = 2592000 rawChunkSizeBytes = 131072 minRawFileSyncSecs = disable assureUTF8 = false serviceMetaPeriod = 25 partialServiceMetaPeriod = 0 throttleCheckPeriod = 15 syncMeta = true maxMetaEntries = 1000000 maxBloomBackfillBucketAge = 30d enableOnlineBucketRepair = true maxTimeUnreplicatedWithAcks = 60 maxTimeUnreplicatedNoAcks = 300 minStreamGroupQueueSize = 2000 warmToColdScript= tstatsHomePath = volume:_splunk_summaries/$_index_name/datamodel_summary homePath.maxDataSizeMB = 0 coldPath.maxDataSizeMB = 0 streamingTargetTsidxSyncPeriodMsec = 5000 # # By default none of the indexes are replicated. # repFactor = 0 [volume:_splunk_summaries] path = /usr/ssn/splunkDB/hot maxVolumeDataSizeMB = 5400000 [volume:splunk_hot] path = /usr/ssn/splunkDB/hot maxVolumeDataSizeMB = 5400000 [volume:splunk_cold] path = /usr/ssn/splunkDB/cold maxVolumeDataSizeMB = 15000000 ################################################################################ # index definitions ################################################################################ [main] homePath = volume:splunk_hot/defaultdb/db coldPath = volume:splunk_cold/defaultdb/colddb thawedPath = $SPLUNK_DB/defaultdb/thaweddb tstatsHomePath = volume:_splunk_summaries/defaultdb/datamodel_summary maxMemMB = 20 maxConcurrentOptimizes = 6 maxHotIdleSecs = 86400 maxHotBuckets = 10 maxDataSize = auto_high_volume repFactor = auto [history] homePath = volume:splunk_hot/historydb/db coldPath = volume:splunk_cold/historydb/colddb thawedPath = $SPLUNK_DB/historydb/thaweddb tstatsHomePath = volume:_splunk_summaries/historydb/datamodel_summary maxDataSize = 10 frozenTimePeriodInSecs = 604800 [summary] homePath = volume:splunk_hot/summarydb/db coldPath = volume:splunk_cold/summarydb/colddb thawedPath = $SPLUNK_DB/summarydb/thaweddb tstatsHomePath = volume:_splunk_summaries/summarydb/datamodel_summary [_internal] homePath = volume:splunk_hot/_internaldb/db coldPath = volume:splunk_cold/_internaldb/colddb thawedPath = $SPLUNK_DB/_internaldb/thaweddb tstatsHomePath = volume:_splunk_summaries/_internaldb/datamodel_summary maxDataSize = 1000 maxHotSpanSecs = 432000 frozenTimePeriodInSecs = 2592000 [_audit] homePath = volume:splunk_hot/audit/db coldPath = volume:splunk_cold/audit/colddb thawedPath = $SPLUNK_DB/audit/thaweddb tstatsHomePath = volume:_splunk_summaries/audit/datamodel_summary [_thefishbucket] homePath = volume:splunk_hot/fishbucket/db coldPath = volume:splunk_cold/fishbucket/colddb thawedPath = $SPLUNK_DB/fishbucket/thaweddb tstatsHomePath = volume:_splunk_summaries/fishbucket/datamodel_summary maxDataSize = 500 frozenTimePeriodInSecs = 2419200 # Removed after 6.3.3 upgrade per error message #[_blocksignature] #homePath = volume:splunk_hot/blockSignature/db #coldPath = volume:splunk_cold/blockSignature/colddb #thawedPath = $SPLUNK_DB/blockSignature/thaweddb #tstatsHomePath = volume:_splunk_summaries/blockSignature/datamodel_summary #maxDataSize = 1000 #frozenTimePeriodInSecs = 0 #maxTotalDataSizeMB = 0 # this index has been removed in the 4.1 series, but this stanza must be # preserved to avoid displaying errors for users that have tweaked the index's # size/etc parameters in local/indexes.conf. # [splunklogger] homePath = volume:splunk_hot/splunklogger/db coldPath = volume:splunk_cold/splunklogger/colddb thawedPath = $SPLUNK_DB/splunklogger/thaweddb disabled = true [_introspection] homePath = volume:splunk_hot/_introspection/db coldPath = volume:splunk_cold/_introspection/colddb thawedPath = $SPLUNK_DB/_introspection/thaweddb maxDataSize = 1024 frozenTimePeriodInSecs = 1209600 # Splunk app configured indexes [vmware-beta] homePath = volume:splunk_hot/vmware-beta/db coldPath = volume:splunk_cold/vmware-beta/colddb thawedPath = $SPLUNK_DB/vmware-beta/thaweddb [vmware] homePath = volume:splunk_hot/vmware/db coldPath = volume:splunk_cold/vmware/colddb thawedPath = $SPLUNK_DB/vmware/thaweddb [vmware-perf] homePath = volume:splunk_hot/vmware-perf/db coldPath = volume:splunk_cold/vmware-perf/colddb thawedPath = $SPLUNK_DB/vmware-perf/thaweddb [vmware-inv] homePath = volume:splunk_hot/vmware-inv/db coldPath = volume:splunk_cold/vmware-inv/colddb thawedPath = $SPLUNK_DB/vmware-inv/thaweddb [vmware-taskevent] homePath = volume:splunk_hot/vmware-taskevent/db coldPath = volume:splunk_cold/vmware-taskevent/colddb thawedPath = $SPLUNK_DB/vmware-taskevent/thaweddb [os] homePath = volume:splunk_hot/os/db coldPath = volume:splunk_cold/os/colddb thawedPath = $SPLUNK_DB/os/thaweddb disabled = 0 repFactor = auto maxTotalDataSizeMB = 1048576 [firedalerts] coldPath = volume:splunk_cold/firedalerts/colddb homePath = volume:splunk_hot/firedalerts/db thawedPath = $SPLUNK_DB/firedalerts/thaweddb repFactor = auto [unix_summary] homePath = volume:splunk_hot/unix_summary/db coldPath = volume:splunk_cold/unix_summary/colddb thawedPath = $SPLUNK_DB/unix_summary/thaweddb disabled = 0 repFactor = auto maxTotalDataSizeMB = 10000 [sos] homePath = volume:splunk_hot/sos/db coldPath = volume:splunk_cold/sos/colddb thawedPath = $SPLUNK_DB/sos/thaweddb frozenTimePeriodInSecs = 2419200 disabled = 0 repFactor = auto [sos_summary_daily] homePath = volume:splunk_hot/sos_summary_daily/db coldPath = volume:splunk_cold/sos_summary_daily/colddb thawedPath = $SPLUNK_DB/sos_summary_daily/thaweddb disabled = 0 repFactor = auto # Customer Generated Custom Indexes [ssn_prfm] coldPath = volume:splunk_cold/ssn_prfm/colddb homePath = volume:splunk_hot/ssn_prfm/db thawedPath = $SPLUNK_DB/ssn_prfm/thaweddb repFactor = auto [summary_ssn_prfm] coldPath = volume:splunk_cold/summary_ssn_prfm/colddb homePath = volume:splunk_hot/summary_ssn_prfm/db thawedPath = $SPLUNK_DB/summary_ssn_prfm/thaweddb repFactor = auto [summary_temp] coldPath = volume:splunk_cold/summary_temp/colddb homePath = volume:splunk_hot/summary_temp/db maxTotalDataSizeMB = 1000 thawedPath = $SPLUNK_DB/summary_temp/thaweddb repFactor = auto [sma] coldPath = volume:splunk_cold/sma/colddb homePath = volume:splunk_hot/sma/db maxTotalDataSizeMB = 500000 thawedPath = $SPLUNK_DB/sma/thaweddb repFactor = auto [summary_messaging_bus] coldPath = volume:splunk_cold/summary_messaging_bus/colddb homePath = volume:splunk_hot/summary_messaging_bus/db thawedPath = $SPLUNK_DB/summary_messaging_bus/thawddb repFactor = auto [ssn_test] homePath = volume:splunk_hot/ssn_test coldPath = volume:splunk_cold/ssn_test/colddb thawedPath = $SPLUNK_DB/ssn_test/thaweddb maxDataSize = auto_high_volume maxTotalDataSizeMB = 1000 repFactor = auto [summary_sourcetypes_ssn] homePath = volume:splunk_hot/summary_sourcetypes_ssn/db coldPath = volume:splunk_cold/summary_sourcetypes_ssn/colddb thawedPath = $SPLUNK_DB/summary_sourcetypes_ssn/thaweddb repFactor = auto [summary_loglevel_ssn] homePath = volume:splunk_hot/summary_loglevel_ssn/db coldPath = volume:splunk_cold/summary_loglevel_ssn/colddb thawedPath = $SPLUNK_DB/summary_loglevel_ssn/thaweddb repFactor = auto [summary_sources_ssn] homePath = volume:splunk_hot/summary_sources_ssn/db coldPath = volume:splunk_cold/summary_sources_ssn/colddb thawedPath = $SPLUNK_DB/summary_sources_ssn/thaweddb repFactor = auto [summary_sourcetype_host_source_ssn] homePath = volume:splunk_hot/summary_sourcetype_host_source_ssn/db coldPath = volume:splunk_cold/summary_sourcetype_host_source_ssn/colddb thawedPath = $SPLUNK_DB/summary_sourcetype_host_source_ssn/thaweddb repFactor = auto [uf-fschange] homePath = volume:splunk_hot/uf-fschange/db coldPath = volume:splunk_cold/uf-fschange/colddb thawedPath = $SPLUNK_DB/uf-fschange/thaweddb repFactor = auto [ssn] coldPath = volume:splunk_cold/ssn/colddb homePath = volume:splunk_hot/ssn/db thawedPath = $SPLUNK_DB/ssn/thaweddb maxDataSize = auto_high_volume homePath.maxDataSizeMB= 3145728 maxTotalDataSizeMB = 14680064 repFactor = auto [nagios] homePath = volume:splunk_hot/nagios/db coldPath = volume:splunk_cold/nagios/colddb thawedPath = $SPLUNK_DB/nagios/thaweddb maxDataSize = auto_high_volume maxTotalDataSizeMB = 500000 repFactor = auto [oracle] homePath = volume:splunk_hot/oracle/db coldPath = volume:splunk_cold/oracle/colddb thawedPath = $SPLUNK_DB/oracle/thaweddb maxDataSize = auto_high_volume maxTotalDataSizeMB = 500000 repFactor = auto [remedy] homePath = volume:splunk_hot/remedy/db coldPath = volume:splunk_cold/remedy/colddb thawedPath = $SPLUNK_DB/remedy/thaweddb maxDataSize = auto_high_volume repFactor = auto [network] homePath = volume:splunk_hot/network/db coldPath = volume:splunk_cold/network/colddb thawedPath = $SPLUNK_DB/network/thaweddb maxDataSize = auto_high_volume maxTotalDataSizeMB = 500000 repFactor = auto [scratch] homePath = volume:splunk_hot/scratch/db coldPath = volume:splunk_cold/scratch/colddb thawedPath = $SPLUNK_DB/scratch/thaweddb maxDataSize = auto_high_volume repFactor = auto [fschange] homePath = volume:splunk_hot/fschange/db coldPath = volume:splunk_cold/fschange/colddb thawedPath = $SPLUNK_DB/fschange/thaweddb maxDataSize = auto_high_volume repFactor = auto [summary_trap_counts_by_trap_type_sourcetype] coldPath = volume:splunk_cold/summary_trap_counts_by_trap_type_sourcetype/colddb homePath = volume:splunk_hot/summary_trap_counts_by_trap_type_sourcetype/db thawedPath = $SPLUNK_DB/summary_trap_counts_by_trap_type_sourcetype/thaweddb repFactor = auto [summary_index_sourcetype_host_source] coldPath = volume:splunk_cold/summary_index_sourcetype_host_source/colddb homePath = volume:splunk_hot/summary_index_sourcetype_host_source/db thawedPath = $SPLUNK_DB/summary_index_sourcetype_host_source/thaweddb repFactor = auto [summary_threads_count_by_state] coldPath = volume:splunk_cold/summary_threads_count_by_state/colddb homePath = volume:splunk_hot/summary_threads_count_by_state/db thawedPath = $SPLUNK_DB/summary_threads_count_by_state/thaweddb disabled = 1 repFactor = auto [summary_web_services] coldPath = volume:splunk_cold/summary_web_services/colddb homePath = volume:splunk_hot/summary_web_services/db thawedPath = $SPLUNK_DB/summary_web_services/thaweddb repFactor = auto [summary_os_timebased_stats] coldPath = volume:splunk_cold/summary_os_timebased_stats/colddb homePath = volume:splunk_hot/summary_os_timebased_stats/db thawedPath = $SPLUNK_DB/summary_os_timebased_stats/thaweddb repFactor = auto [summary_dlca] coldPath = volume:splunk_cold/summary_dlca/colddb homePath = volume:splunk_hot/summary_dlca/db thawedPath = $SPLUNK_DB/summary_dlca/thaweddb repFactor = auto [ucs] coldPath = volume:splunk_cold/ucs/colddb homePath = volume:splunk_hot/ucs/db maxTotalDataSizeMB = 200000 thawedPath = $SPLUNK_DB/ucs/thaweddb repFactor = auto [security] coldPath = volume:splunk_cold/security/colddb homePath = volume:splunk_hot/security/db maxTotalDataSizeMB = 500000 thawedPath = $SPLUNK_DB/security/thaweddb repFactor = auto [ssn-ext] coldPath = volume:splunk_cold/ssn-ext/colddb homePath = volume:splunk_hot/ssn-ext/db maxTotalDataSizeMB = 500000 thawedPath = $SPLUNK_DB/ssn-ext/thaweddb repFactor = auto [itil] coldPath = volume:splunk_cold/itil/colddb homePath = volume:splunk_hot/itil/db thawedPath = $SPLUNK_DB/itil/thaweddb maxDataSize = auto_high_volume homePath.maxDataSizeMB = 5000 maxTotalDataSizeMB = 25600 repFactor = auto [windows] homePath = volume:splunk_hot/windows/db coldPath = volume:splunk_cold/windows/colddb thawedPath = $SPLUNK_DB/windows/thaweddb maxDataSize = auto homePath.maxDataSizeMB = 75000 maxTotalDataSizeMB = 150000 repFactor = auto [wineventlog] homePath = volume:splunk_hot/wineventlog/db coldPath = volume:splunk_cold/wineventlog/colddb thawedPath = $SPLUNK_DB/wineventlog/thaweddb maxDataSize = auto homePath.maxDataSizeMB = 25000 maxTotalDataSizeMB = 75000 repFactor = auto [perfmon] homePath = volume:splunk_hot/perfmon/db coldPath = volume:splunk_cold/perfmon/colddb thawedPath = $SPLUNK_DB/perfmon/thaweddb maxDataSize = auto homePath.maxDataSizeMB = 50000 maxTotalDataSizeMB = 100000 repFactor = auto [sro] coldPath = volume:splunk_cold/sro/colddb homePath = volume:splunk_hot/sro/db thawedPath = $SPLUNK_DB/sro/thaweddb maxDataSize = auto homePath.maxDataSizeMB = 5000 maxTotalDataSizeMB = 25600 repFactor = auto [mysql] homePath = volume:splunk_hot/mysql/db coldPath = volume:splunk_cold/mysql/colddb thawedPath = $SPLUNK_DB/mysql/thaweddb maxDataSize = auto homePath.maxDataSizeMB = 75000 maxTotalDataSizeMB = 150000 repFactor = auto [ssn-infra] coldPath = volume:splunk_cold/ssn-infra/colddb homePath = volume:splunk_hot/ssn-infra/db thawedPath = $SPLUNK_DB/ssn-infra/thaweddb maxDataSize = auto homePath.maxDataSizeMB = 5000 maxTotalDataSizeMB = 25600 repFactor = auto [qualys] coldPath = volume:splunk_cold/qualys/colddb homePath = volume:splunk_hot/qualys/db thawedPath = $SPLUNK_DB/qualys/thaweddb maxDataSize = auto_high_volume homePath.maxDataSizeMB = 2000 maxTotalDataSizeMB = 10000 repFactor = auto 2) But if it would sum the quota (5400000+5400000=10800000) that is less than 85% of the total, hot=6T and cold=16T (6291456+16777216=23068672), so if Splunk would take both, it should stop at 46%, correct? 3) What will happen if I lower the maxVolumeDataSizeMB to 5100000? The oldest data will be moved to cold and then the cold volume will increase? Should I lower both? Thank you, Gerson ... View more

maxVolumeDataSizeMB not enforced. Splunk is indexi...

by in Getting Data In
‎07-03-2018 05:54 PM
1 Karma
‎07-03-2018 05:54 PM
1 Karma
All, I have the following configuration on my indexes.conf [volume:_splunk_summaries] path = /usr/ssn/splunkDB/hot maxVolumeDataSizeMB = 5400000 [volume:splunk_hot] path = /usr/ssn/splunkDB/hot maxVolumeDataSizeMB = 5400000 [volume:splunk_cold] path = /usr/ssn/splunkDB/cold maxVolumeDataSizeMB = 15000000 But for some reason, my FS is getting full: Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda2 20027260 2932088 16071172 16% / tmpfs 66019136 0 66019136 0% /dev/shm /dev/sda1 204580 272 204308 1% /boot/efi /dev/sda3 267338488 8004488 245747264 4% /usr/ssn /dev/sdc1 16910151576 12193755728 3857402392 76% /usr/ssn/splunkDB/cold /dev/sdb1 6150800784 5272422384 565929072 91% /usr/ssn/splunkDB/hot It should not go over 85%, correct, or do I need any additional configuration per index? Thank you, Gerson Garcia ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-30-2022 01:08 AM
Karma from