You can probably achieve this via custom css. Use firebug to find what element is controlling its placement and then adjust it from there. Once you have your custom css you can include it in the dashboard to control alignment. http://docs.splunk.com/Documentation/Splunk/latest/Developer/UseCSS ... View more

The real question here is if a file rename affects the file descriptor splunk is using to read the file during log rotation. The answer is no. If we have the file handle open and we are actively reading from it, we will continue until EOF unless the rotation results in the creation of a new file handle. In your case if we don't have a file handle open on that file the next time we see the file blah.log.1 it will be ignored because the stanza doesn't match it. Consider this, for example: This behavior is actually due to the fact of how FD's will reference the file which will be linked to the inode of the file. And the inode of a file will usually only change if you are moving across filesystems. So the scenario would really be something like this given stanza [monitor://blah/var/log/blah.log] 1 -Tailing processor matches blah.log which (for the sake of this example, it has inode 777) 2 -Opens the file via FD1 which is actually referring to inode 777 3 -Tailing processor has not yet reached EOF, but blah.log rolls to blah.log.1 (usually implemented by the equivalent of mv blah.log to blah.log.1) 4 -inode remains the same (777) for blah.log.1 which is being referenced by FD1 which was previously opened by splunk 5 -new blah.log is created with inode (776) which is caught by stanza and splunk opens new file descriptor (FD2) which references inode 776 6 -Tailing processor reaches EOF on blah.log.1, waits 3 seconds before closing FD 1 and will no longer monitor this file. Why three seconds you ask? because this is controlled by the default value of time before close configured for that particular input. time_before_close = <integer> * Modtime delta required before Splunk can close a file on EOF. * Tells the system not to close files that have been updated in past <integer> seconds. * Defaults to 3. After discussing this further with the devs it should also be noted that: Of course step 5 could happen after step 6. Or step 6 (close) could happen before step 3 (file rolls). Additionally, there's no guarantee of inodes; not all filesystems have them. However all unix filesystems (that are not insane -- I mean you can access FAT32 on UNIX) have to offer some form of seperation of the idea of the actual data stream from the filename, so there's always some form of indirection, an inode being the most common implementation. Furthermore, keep in mind that on windows based systems there are no inodes but this is a whole other topic that would deal with MFT's. So what is the main take away from this? If you are absolutely sure that no additional data will be appended to the file after it rolls to blah.log.1 then it is safe to configure such stanza to monitor .log only and not .log* However, if you suspect that more data will be appended to that rolled file in the future, then you should either monitor rolled files as well or increase time_before_close to a larger window. ... View more

This is actually pretty easy. Save yourself the headache and do this using the pulldown module available from sideview utils. Here is snippet of what it will look like. <module name="Pulldown" layoutPanel="panel_row2_col1" autoRun="True"> <param name="staticFieldsToDisplay"> <list> <param name="value">your first search</param> <param name="label">Telnet</param> </list> <list> <param name="value">your second search</param> <param name="label">session</param> </list> </param> <param name="name">selectedReport</param> <param name="label">Show</param> <module name="Search"> <param name="search">$selectedReport$</param> <param name="earliest">-1h</param> <param name="latest">now</param> <module name="Pager"> <param name="entityName">results</param> <module name="SimpleResultsTable"> <param name="entityName">results</param> <param name="displayRowNumbers">False</param> </module> </module> </module> </module> ... View more

This should do the trick | cluster | table cluster_count, _raw | sort - cluster_count Reference the docs for the cluster command here: http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Cluster ... View more

<yoursearch> | transaction _time | where eventcount > 1 ... View more