I'm not sure if this is just me, but I'm running Splunk on Windows 7 Professional, 6 GB RAM, Intel i5 2.30 GHz, and it seems like it's as buggy as ... something really buggy.
I've only installed this on my laptop temporarily in order to quickly index some old Linux syslog files. Unfortunately it hasn't been quick; it's been quite painful.
To start with, when importing the syslog files:
- If imported individually, the host of each entry is overwritten with the localhost name.
- So then I import via a directory. Great, the host name is now correct, but the timestamp is almost random for about 20% of the logs imported (around 39 syslogs over the same number of days).
Trying to fix the timestamp issue:
- So I create a rex and convert the correct timestamp and try to use "chart count over newtime" and produce a line or area chart, and instead of nice connected lines like the example I get a broken-up, almost column-looking chart; I guess the data is not contiguous.
- So then I do "eval _time=newtime | timechart ..." and everything worked great last night. Today, trying to overwrite _time causes splunkd to crash.
- Oh yeah, si commands don't create any summary index data. Yay!
- Plus the cyclic redundancy check to stop it importing the same file, yeah, that doesn't work either (in fact it doesn't work on our main Linux installation of Splunk either; 3/4 of our licensing volume is Splunk re-ingesting old "messages.[0-9]+.gz" logs, fun).
I love Splunk, in fact I introduced it to my current company, but this is driving me nuts.
If there's a patch or something that magically fixes this, then great; otherwise I guess I just need to vent.
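Editor's note, added as an illustration and not part of the post above: the three symptoms described (host replaced by the indexer's own name, scrambled timestamps on classic syslog, rotated messages.N.gz files being indexed again) are the ones a Splunk admin normally pins down in inputs.conf and props.conf before blaming the product. The stanzas below are a constructed example, not configuration from the poster's install; the directory path, the host-per-directory layout and the sourcetype name syslog_archive are assumptions, and the settings used (host_segment, blacklist, crcSalt, TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD) are standard Splunk settings.

```ini
# inputs.conf (example; path and layout are assumptions)
# One-off load of archived syslog, laid out as /data/old_syslogs/<host>/messages*
[monitor:///data/old_syslogs]
sourcetype = syslog_archive
# Take the host from the third path segment (/data=1, /old_syslogs=2, /<host>=3)
# instead of defaulting to the name of the machine doing the indexing.
host_segment = 3
# Do NOT add "crcSalt = <SOURCE>" here for rotating logs: it folds the file name
# into the CRC, so every rename on rotation looks like a brand-new file and is
# re-indexed, which is exactly the licence-volume problem described above.

# Live syslog on the main installation: index only the active file and skip the
# rotated copies (messages.1, messages.2.gz, ...). Their contents were already
# indexed while they were the live file.
[monitor:///var/log/messages*]
sourcetype = syslog
blacklist = \.\d+(\.gz)?$

# props.conf (example)
[syslog_archive]
# Classic syslog lines begin "Mon DD HH:MM:SS" with no year. Pin the timestamp
# to the start of the line and bound the search so Splunk does not latch onto a
# number further along the line.
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 16
# Each syslog record is one line; stop Splunk from merging lines into one event.
SHOULD_LINEMERGE = false
```

Two checks worth doing after editing these files: `splunk btool props list syslog_archive --debug` shows which file each setting actually came from (a stray app-level props.conf overriding yours is a common surprise), and re-indexing a single file into a throwaway index confirms host and _time before the whole directory is loaded. Because %b %d %H:%M:%S has no year, the year is inferred (from the file's modification time or the current date), so very old archives can still land in the wrong year; that is a limitation of the syslog format rather than of the extraction. Finally, in search _time is an epoch number, so an extracted string field has to go through strptime (for example `eval _time=strptime(newtime, "%b %d %H:%M:%S")`) before timechart will treat it as a time axis.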