
Is Splunk 4.2.3 for Windows 64 buggy or is it just me?

luke_mitchell
New Member

Hi

I'm not sure if this is just me, but I'm running Splunk on Windows 7 Professional, 6 gig RAM, Intel i5 2.30 GHz, and it seems like it's as buggy as ... something really buggy.

I've only installed this on my laptop temporarily in order to quickly index some old Linux syslog files. Unfortunately it hasn't been quick; it's been quite painful.

To start with, when importing the syslog files:
- If imported individually, the host of each entry is overwritten with the localhost name.
- So then I import via a directory; great, the host name is now correct, but the timestamp is almost random for about 20% of the logs imported (around 39 syslogs over the same number of days).

Trying to fix the timestamp issue:
- So I create a rex and convert the correct timestamp and try to use "chart count over new_time" and produce a line or area chart, and instead of nice connected lines like the example I get a broken-up, almost column-looking chart; I guess the data is not contiguous.
- So then I do "eval _time=new_time | timechart ..." and everything worked great last night. Today, trying to overwrite _time causes splunkd to crash.

What else:
- Oh yeah si commands don't create any summary index data. Yay!
- Plus the cycle redundancy check to stop it importing the same file, yeah that doesn't work either (in fact it doesn't work on our main linux installation of Splunk either, 3/4 of our licensing volume is Splunk re-ingested old "messages.[0-9]+.gz" logs, fun).

I love Splunk, in fact I introduced it to my current company, but this is driving me nuts.

If there's a patch or something that magically fixes this then great, otherwise I guess I just need to vent.

Regards
Luke


malberto
Explorer

Is ANY of this behavior different from Splunk on any other platform?

1) What sourcetype are your syslog files classified as?
If they aren't syslog, you should add them as inputs and explicitly set the sourcetype to syslog.

2) This is probably a result of #1. Otherwise, you can explicitly specify the timestamp format in props.conf with TIMESTAMP_CONFIG

3) cycle redundancy check is not windows related it sounds.
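As an added example (not from either poster), here is what points 1 and 2 of the reply look like in configuration: an inputs.conf stanza that pins the sourcetype instead of leaving it to auto-classification, and a props.conf stanza that pins where the timestamp sits on each line. The monitored path is an assumption; TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD are the standard props.conf timestamp settings.

```ini
# inputs.conf (added example): index the old syslog files from a directory
# and set the sourcetype explicitly rather than relying on auto-detection.
# The path is an assumption for this laptop setup.
[monitor://C:\old_logs\syslog]
sourcetype = syslog
disabled = false

# props.conf (added example): anchor timestamp extraction for classic
# "Mon DD HH:MM:SS host program[pid]: msg" lines so Splunk does not pick
# a stray number later in the event as the time.
[syslog]
# timestamp starts at the beginning of the line
TIME_PREFIX = ^
# e.g. "Jan 12 03:04:05"; no year field in classic syslog, so Splunk
# infers the year from the file modification time and the current date
TIME_FORMAT = %b %d %H:%M:%S
# "Jan 12 03:04:05" is 15 characters; stop looking after that
MAX_TIMESTAMP_LOOKAHEAD = 15
```

Both files go in the app's or $SPLUNK_HOME/etc/system/local directory, and Splunk needs a restart to pick up the props.conf change; events already indexed keep their old _time, so re-index the files after the change.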
