If the wireshark text file is simply stored as a rolling text file (i.e. more data is appended to file, and not stored in a new file). I would set the input up as a "file monitor". I would like to know how do set the input file as a "file monitor"? ... View more

Ever since i enabled light forwarding, i couldn't launch splunk web as normal. i double clicked the splunk.exe in windows 7 and there was this command line window that says. Launching web browser pointing at SplunkWeb waiting for splunk web to start..... I have been waiting for a long time but the splunk web doesn't launch. How am i supposed to launch Splunk web now????? ... View more

How does the Splunk monitor a Wireshark capture file in its textual form in windows 7? I converted the wireshark pcap file to the txt file. Based on what i read from the Splunk answers forum : http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file , jerrad installed the Splunk Light Forwarder and have it monitor the textual file from the /tshark/splunk/gtp/ directory. So that means i can set up a Splunk light forwarder using Splunk web right? I followed the instructions from the http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Deployaforwarder which teaches how to set up the light heavy forwarders. The instruction states a heavy forwarder has to be set up before setting up a light forwarder, which im not sure of cos i clicked add new against the configure forwarding section, which i have entered the host and port no and saved the settings. However, i'm quite new to Splunk and now im using Splunk 4.3. When i was about to go to the manager in the Splunk Web to set up the forwarder, the instruction in the forwarding and recieving section in manager states that CAUTION: This will immediately turn off Splunk Web if the light forwarder in the Splunk web. So i would like to know if the light forwarder is the one that monitors the converted wireshark captured file as txt file since Splunk 4.3 ? I hope this would not be treated as a duplicate question. ... View more

I have created a new field extraction on props.conf via Splunk REST API I have a raw message that looks like this. field1=Happy,field2=Sad,field3=Angry, messenger : my message, keyer : jun i put in the regex expression to extract jun from the raw message into a search time field called hhj. the regex that i generated from the IFX was this : (?!)keyer : (P .+) Using the Java SDK to create the new field extraction via Splunk REST API RequestMessage reqMsg = new RequestMessage(); reqMsg.setMethod("post"); reqMsg.setContent("name=hhj&stanza=source::sample&type=EXTRACT&\value=(?i) messenger : (?P .+)\""); authService.send("/servicesNS/admin/search/data/props/extractions",reqMsg); When i viewed the props.conf file, it gave me [source::sample] EXTRACT-hhj = (?i) keyer : (?P .) The plus + sign inside the regex that i set through the rest endpoint was missing. How do i make sure that the plus sign appears whenever i create the search time field extraction via the REST endpoint using Java for the above regex that i set. ... View more

I have a problem creating new search time field extractions using the Splunk's REST API and the Java SDK. This is the java code. RequestMessage reqMsg = new RequestMessage(); reqMsg.setMethod("post"); reqMsg.setContent("name=firstname&stanza=sexuality&type=EXTRACT&value=(?i)^[^,]*,\w+=(?P [^,]+)"); ResponseMessage resMsg = authService.send("/servicesNS/admin/search/data/props/extractions",reqMsg); The result was an error : HTTP 500 -- In handler 'props-extract': Data could not be written: /admin/search/props/sexuality/EXTRACT-firstname: (?i)^[^,]*,\w How do i fix this so that i can create a new search time field extraction through the REST API using Java ?? and i also cannot create the extraction on the IFX the error still persists. ... View more

May i know which Logback appender should i use if i want to create new events using the Splunk's REST receivers endpoint if i'm using logback framework. because i went to make a custom basic appender for that? Is it socket appender? ... View more