Hi Splunk team, I have a scenario where i have a raw index and a summary index, and a scheduled search which is used to populate data from the raw index to summary index. My scheduled search runs on daily basis and fills the summary index, and every thing is working fine as expected. Now here the problem is for Eg . if my raw data is updated with the newer portion of data on already passed days, I need to fill this as well in the summary index which I tried a backfill script for, but it give me proper results. Example : index="main" -- raw index index="summary" - summary index Assuming the main index has only Dec 12th data i.e with _time Dec 12th and summary generating search ran on dec 12 th and populated all the 12th data in summary index. Now lets say Dec 15th , I had a few more data of Dec 12th which has come now from the forwarder and it has gone to the "main" index for Dec 12th. Now my issue is to fill in this newer portion of data in the summary index. I have tried backfill and re-run the searches, but every time it's creating duplicates. I used the nolocal option as well, but no luck. Any way to fill only the newer portion of data every time to a summary index? manythanks, Rakesh. ... View more

Hi All, I am using Splunk version 6.1.2 and running a simple search with index name. My search is resulting 27 lakh events for last 30 days, but it's taking too much time for execution. It's almost taking 2.03 minutes to execute the search, which I feel is a bit slow. Is this retrieval time good or bad? I definitely feel the customer experience would be not good letting the customer wait for 2 minutes to get the results. Now even when I tried adding required fields to the search to get the exact results, 2 minute window is increasing and not reducing. Can anyone help why Splunk is taking this much time to return search results? I have used the following search. index="summary" thanks, Rakesh. ... View more

Hi , I have custom fonts for my dashboard and added the same in my app in the below path. /opt/splunk/etc/apps/MY_APP/static/fonts/BTFont_Rg.ttf but when I run the dashboard, it is not able to load the fonts and throwing a 404 errror when looked in Firebug. Can u please suggest the appropriate path to put the fonts folder? //error i am seeing in Firebug NetworkError: 404 Not Found - http://localhost:8080/en-GB/static/@255606/app/fonts/BTFont_Rg.ttf ... View more

Hi All, I have configured Splunk SSO configuration with siteminder for my application. All the siteminder configurations and splunk configurations looks fine, and I am able to access my application via siteminder URL without any error in Mozilla, but when comes to Internet explorer i am not able to see any data in the drop-downs. My drop-downs will use the REST API interface commands to list different roles based on the user login, but this is not working in internet explorer. By the way, the Splunk version I am using is 6.2.2 and Internet explorer version is 11. REST API command which is not in working in I.E alone is | rest /services/authentication/current-context | table username,roles Is there any configuration or cache issue with internet explorer? The same is working fine in Mozilla. Any help on the above scenario would be appreciated. Thanks, Rakesh. ... View more

Hi , I have a single source which has a huge number of events. These events are broadly classified into two groups and all are present in the same file single file. Now, my requirement is to get the file indexed into a single index as called "myindex" and have two different sourcetypes "group1" and "group2". group1 and group2 category in the file is distinguihsed with the help of the keyword XXX and YYY in my log file.for example XXX denotes group1 and YYY denotes group2. Here is the sample of log file. // mylog_sample.txt 24-08-2014 10:23:34 12e,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:35 12e,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:36 1w2,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:37 12e,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:39 122,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 25-08-2014 10:23:34 12e,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:35 12e,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:36 1w2,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:37 12e,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:39 122,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 All the data is present in the same file. Now i want to split the whole data into two different sourcetypes "group1" and "group2" in a single index. so if i search the data with: index="myindex" sourcetype="group1" it should list the following data .. 24-08-2014 10:23:34 12e,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:35 12e,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:36 1w2,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:37 12e,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 24-08-2014 10:23:39 122,34,56,67,87,90,123, 34,545,45,XXX,56,5768,342,34456 and if I search with the following: index="myindex" sourcetype="group2" it should list the following data .. 25-08-2014 10:23:34 12e,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:35 12e,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:36 1w2,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:37 12e,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 25-08-2014 10:23:39 122,34,56,67,87,90,123, 34,545,45,YYY,56,5768,342,34456 Any help on the above use case. I used to transforms.conf, but no luck on separation. Please post the proper configuration that helps and suits the requirement. Many thanks. Rakesh. ... View more

Hi All, I was having a requirement to enable / disable table element drilldown. i mean if my SH is a Job server i would enable the drilldown option for table elment and should disable the option if its a Search head. I have used the following code snippnet . but this not working . Can you please help me ? where am i going wrong ?? // Sample code var element1 = new TableElement({ "id": "element1", `"link.exportResults.visible": "true", "link.inspectSearch.visible": "false", "link.openSearch.visible": "false", "drilldown": "row", "rowNumbers": "true", "managerid": "search1", "el": $('#element1') }, {tokens: true}).render(); if(host ="JobServer") { element1.settings.set("drilldown","row"); } if(host ="SearchHead") { element1.settings.set("drilldown","none"); } Please help me !! Thanks in Advance 🙂 ... View more

Hi Team, When ever splunk dameon (splunkd) process was down , Splunk is reporting the "splunk daomen error page and giving a link to return to Splunk Home Page" . We are looking at a requirement to modify or edit this html page. Can you anyone help us where this html page located in the server. I have tried searching but couldnt able to find the error html page , that is been shown when splunkd was down. Thanks for ur help in advance !! Rakesh. ... View more

Hi , I am using Splunk 6.1.2 version, I have a requirement to add custom messages to the sendemail.py script like adding a logo etc. I have modified the script and kept in the script in my app directory "MYAPP/bin/local_sendemail.py" . local_sendemail.py is the script edited by me. point here is this seems to be not working in Splunk 6.1.2 version . I have included the following in commands.conf as well as below. // commands.conf settings [sendemail] filename = local_sendemail.py streaming = false run_in_preview = false passauth = true required_fields = changes_colorder = false supports_rawargs = true I have used the same earlier in Splunk 4.3.2 and it's working. Now modified the existing latest script in Splunk 6 and its not working. Is commands.conf deprecated in Splunk 6.x , or is there is something i need to do to make the script work? earlier question w.r.t splunk 4.3.2 posted by me http://answers.splunk.com/answers/95735/sendemail-external-search-command-sendemail-returned-error-code-1.html Present script in splunk 6.1.2 is not even throwing any error. Can someone help me on this? Thanks. Rakesh. ... View more

Hi , I have a created a role called "userrole" and have imported the default "user" role capabilities and added the "change_own_password" to the capabity. i.e below is the sample [role_userrole] importRoles = user change_own_password = enabled cumulativeRTSrchJobsQuota = 0 cumulativeSrchJobsQuota = 0 search = enabled srchIndexesAllowed = _internal,_audit srchMaxTime = 0 Now i have created a user called "rakesh2" and assigned the above role "userrole" . Once logging with the below user "rakesh2" and clicking on the edit account to change the password.. its not all showing me any data. i am getting the below screen .. alt text Can anyone suggest ..is this a bug in 6.1.2 or am i missing something ?? ... View more