Yes, that was helpful and sorry for my delayed confirmation.  ... View more

Hi,  I would like to use it as an alert, but a bit confused the trigger index=_internal group=per_index_thruput source=*metrics.log NOT series=_* | eval last_seen=now()-_time | stats max(last_seen) as seconds_since_seen by series | rename series as index | where seconds_since_seen < 120 Specifically, a value for the 'seconds_since_seen', if most indices are about the 800 second range, I am not sure if a low value like 120 seconds going to cause false positives. Any suggestions for a proper value to monitor indices would be greatly appreciated. Cheers, Paul   ... View more

I like this query, but I have indices with long names that incorporate underscores "_" and the split command is not working in this scenario. Quotations did not work, but astericks did.  I do not want to use asterisks as I will be generating alerts and do not want extra characters in the message.  Please let me know how to use split with this naming convention for indices.  | metasearch index=AB_123_CDE OR index=CD_345_EFG OR index=EF_678_HIJ | stats count by index | append [ noop | stats count | eval index=split("AB_123_CDE;CD_345_EFG;EF_678_HIJ",";") | mvexpand index ] | stats max(count) as count by index | where count = 0 ... View more

Hi, I am troubleshooting a thruput issue regarding syslog feeds that have decreased in the total events by 50% as well as erratic metrics and was wondering if your question or observation has every been confirmed whereby the useACK is disabled in outputs.conf file a decrease in events takes place.  It is counter intuitive that the disabling of useACK decreased thruput, but would really like to know if you finally got confirmation of your problem.  ... View more

I like the search, but what are we using as the trigger. Typically, something like 'search count < 1' for a zero trigger I tried 'Communicated Minutes Ago < 1' ,but that is not triggering the alert.  Cheers, Paul ... View more

Hi PickleRick, So I did as the procedure stated, but it threw the following error as we are still using Master-Apps. I moved the server.conf to _cluster/local directory in Master-Apps and hopefully these indexers are updated.  Error message: "Populated manager-apps location found, but master-apps is also populated. There can be only one. This must be fixed before continuing" After moving the server.conf file to folder in Master-Apps folder the error stopped. Thanks! ... View more

Hi all, I need to update the max_content_length value in server.conf file across all indexers.  I thought we are doing this via the Cluster Master, but unfortunately the server.conf files are not getting updated on the search peers.  /Cheers ... View more

Hi Guiseppe,  I appreciate your quick response, but your script shows hosts sending data to an index. I need a script that displays hosts sending to a forwarder than sent an index.  hosts > forwarder > index Ciao, Paul     ... View more