If i want to send the raw event text to the POST receivers/stream endpoint, the raw data is streamed in as OutputStream data type in Java? ... View more

What is the purpose of creating a search time extracted field while i still can use search commands to retrieve he fields during the search? ... View more

Is Splunk_Server field a internal field that values cannot be set. ... View more

How do i search for data from other indexes in the Splunk's search app? ... View more

When i retrieved the results as an xml during search from the search app i saw that there are field xml tags with attribute k values with _cd, _si, _time. Are those metadata fields? I wanted to set the metadata field values such as cd, _indextime etc. I appended the key=value pair of such metadata fields to the receivers endpoint url to add events with cd and _indextime values that are set before indexing. However, when i retrieve the results from the search via search/jobs/{search_id}/results endpoint the _cd, _indextime metadata field values were default. http://localhost:8089/services/receivers/simple?host=myhost&index=main&source=sexydata&sourcetype=sexuality&_indextime=894904&_cd=23:456 Is it impossible to set those metadata field values? Are those metadata fields extracted during index time? ... View more

I have a set of log data in Splunk Search app contained in source=sampledata,sourcetype=sample. field1,field2,field3 are new fields that i added through the recievers REST endpoint 3/30/12 8:56:11.000 AM field1=Happy,field2=Sad,field3=Angry host=myhost sourcetype=sample source=sampledata index=main timestamp=none splunk_server=L33604 punct==,=,= linecount=1 3/30/12 8:56:11.000 AM field1=Happy,field2=Sad,field3=Angry host=myhost sourcetype=sample source=sampledata index=main timestamp=none splunk_server=L33604 punct==,=,= linecount=1 3/30/12 8:56:11.000 AM field1=Happy,field2=Sad,field3=Angry host=myhost sourcetype=sample source=sampledata index=main timestamp=none splunk_server=L33604 punct==,=,= linecount=1 Lets say if i want to extract the fields: field1, field2 & field3 at search time, so i configured the say i am going to create new field exractions in $Splunk_HOME/users/admin/search/local/props.conf (props config file for search app) What is the regex expression to extract each of these fields at search time(extracting the key value pairs during search time)? I thought it would be something like [\^$.|?*+()]. ... View more

I would like to create a new field extraction through props.config for search app. For example i want to retrieve a custom field called partner whenever i search for events in a source called sexydata and sourcetype = sexuality using the search app. I created the new field extraction through this REST endpoint. https://localhost:8089/servicesNS/admin/search/data/props/extractions?name=sexuality&stanza=partner&type=EXTRACT&partner=\[w+\](? [^:]+) I don't understand why an HTTP 400 error was thrown when all the GET key=value parameters i appended to the url was thrown and the new field wasn't extracted. ... View more

Can i access the Splunk's configuration files throught the Splunk's REST API? ... View more

I found that both props.conf & transforms.conf config files are found the $SPLUNK_HOME/etc/system/default/ directory. I would like to create search time field extraction through those two config files in that location. However, the doc http://docs.splunk.com/Documentation/Splunk/4.3.1/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles says Note: Do not edit files in $SPLUNK_HOME/etc/system/default/. So can i still create search time field extraction through those two config files in $SPLUNK_HOME/etc/system/default/ ???? ... View more

May i know where i can find more documentation on Java Splunk REST API SDK besides the docs provided here? ... View more