not a Splunk problem, but this community is most likely to have an answer.... I have a non-Splunk related utility we're putting together, and we need to specify start and end times. It turns out the use cases are pretty much the same as they are for Splunk time modifiers... so... Has anyone seen Java code that can parse and interpret Splunk time modifiers? ... View more

There is a pulldown in the SearchBar to the right of the "Enter search here..." box that has the names of applications installed in Splunk. Not all applications show up, but the criteria does not seem to be whether or not I have access (some apps that I can use, such as S.o.S, do not appear). What controls which apps show up on that pulldown? ... View more

Just had this pop up; there is only one instance of it in the notification area, but the time stamp keeps advancing, so I assume that this is recurring. Search peer adculsplunkp1 has the following message: received event for unconfigured/disabled/deleted index='wineventhog' with source='source::WinEventLog:Security' host='host::PON-ASIADCP1' sourcetype='sourcetype::WinEventLog:Security' (1 missing total) Note the bad index name. I'm reading this as adculsplunkp1 thinks it's getting events destined for index 'wineventhog' from PON-ASIADCP1. I go to PON-ASIADCP1 and do a "splunk cmd btool input list" to a file, and search the output for "wineventhog", I get no hits. I bring everything in the splunkuniversalforwarder/etc on PON-ASIADCP1 over to a linux box and grep everything there for "wineventhog", I get no hits. The etc directory does not appear to have been touched lately, and this machine is under deployment server control, and the deployment server has not been touched for weeks. I grep everything in the splunk/etc directory on adculsplunkp1 (our indexer) for 'wineventhog', no hits. I check index=_* and index=* for 'wineventhog' and only see my own searches for 'wineventhog'. I can't even find any messages with the text in the notification. Any thoughts on where else to look to see what's going on? ... View more

I have a lookup table of userids that I want to use as the search terms for a fulltext search. Basically, the outer search should match if the events contain any of the userids in the lookup table. I can make things work if I extract the proper userid field from the outer search, but I'm not positive I can write a reliable regex to extract the userid from sourcetype=ItimUsage (too much cruft in there), so I want to use a full text search to hedge my bets (false positives are cheap, missed positives are expensive). I saw http://answers.splunk.com/answers/268992/use-subsearch-result-as-fulltext-search-in-outer-s.html, but it does not seem to work for me: index=w_itimlogs sourcetype=ItimUsage [ | inputlookup executives | eval _raw="*" . userid . "*" | fields + _raw ] Any thoughts as to why the outer search is not matching? ... View more

I noticed that our splunk installs have a $SPLUNK_HOME/share/splunk/mbtiles/splunk-tiles.mbtiles file. This makes me suspect that the webserver bundled in with Splunk has the ability to serve tiles. Has anyone seen this, or have any hints as to if this can be used for mbtiles that we create ourselves? ... View more