Hi, if your events are : - really separated by a new line (in the file) - or send to splunk one after the other (syslog by example) then the solution is to use a sourcetype that define the events are "singleline events" see SHOULD_LINEMERGE in http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/Indexmulti-lineevents example inputs.conf [monitor:///var/log/json] sourcetype=myjson props.conf (on the indexer) [myjson] SHOULD_LINEMERGE= false ... View more

Good question, but there is no such value. _time is the timestamp extracted from the events. _indextime is the time when the event was written to the index, not when it was received by the indexer. ... View more

Splunk starts to search events at the current time, and progressively search backward in the past. first() returns the first seen result -> the most recent reference last() returns the last seen result - > the oldest reference Please read the documentation with attention : http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonStatsFunctions ... View more

This is not the intended behavior of splunk monitoring, that will not reindex a file until it changed. Here is one method to achieve this : use the CLI command "add oneshot //path/to/my/file" to index the file at will. see http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/MonitorfilesanddirectoriesusingtheCLI setup the command in a scripted input, and define the scripted input interval with a cronjob notation. see http://docs.splunk.com/Documentation/Splunk/4.3.1/Developer/ScriptedInputsIntro ... View more

yes, check mysearch | outputcsv myfile.csv the file will be written in $SPLUNK_HOME/var/run/splunk folder see http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Outputcsv ... View more

It is a uncommon issue, probably issue during the upgrade. By the way, this error message is likely caused by invalid file name in c:\Program Files\Splunk\bin OR $SPLUNK_HOME\bin. Search for a file named program or files or Splunk or bin and likely 0 byte size. If you find it remove it and try to startup. ... View more

This is all new bug, should be resolved quickly. Here is the workaround to change it manually use the CLI command or edit $SPLUNK_HOME/etc/systen/local/server.conf add or edit this part , with the correct url [license] active_group = Enterprise master_uri = https://the.url.of.my.license-master.com:8089 ... View more

Hi Mata The options are simple : reduce the indexed volume. or get a license volume upgrade (contact splunk sales) For the first option here are the steps : 1 - Analyze you data, to identify where the volume it is coming from. in 4.2+ you can use those searches on the license-master see http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume if you prefer detail, you can add details on the source "s", host "h", sourcetype "st", indexer "i". total per pool index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool detail per sourcetype index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st useother=false detail per source index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by s useother=false detail per host index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by h useother=false 2- If some forwarders are not necessary, turn splunk forwarder off on those boxes. Why did you deployed a forwarder on every single box in the first place !!! 3- If some useless files are being indexed, be more selective. Disable the inputs, or use whitelist/blacklists to limit the scope example to drop the core files, or to index only .log files: `[montitor:///var/log] blacklist=.core$ [monitor:///mypath/.log] ` 4 - If some servers are sending to much data (syslog by example) disable the routing to splunk, or select the components to send. example on syslog.conf (send only critical and errors, and every event from my application) *.CRITICAL splunk.mydomain.com *.ERROR splunk.mydomain.com myapplication.* splunk.mydomain.com 5 - If some log files contains too much data, change the verbosity level of your applications (by example, avoid the DEBUG mode) 6- Search for duplicates events in the logs, please check they exists in the original logs, or if the same log file is being indexed several times (some log rotation may cause that) here are searches to find duplicates in splunk : * | eval raw=_raw | convert ctime(_indextime) as indextime | stats count first(indextime) as first last(indextime) as last by raw | where count > 1 | table count first last raw Then drilldown to the source to figure. 7 - If your cannot disable an input but don't need all the events, you can setup a NULLQUEUE filtering of the events. This has to be setup on the indexers (or heavy forwarders) (with windows eventlogs, we usually use filtering on the eventcode) see examples http://docs.splunk.com/Documentation/Splunk/4.3/Deploy/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest: Discard specific events and keep the rest or Keep specific events and discard the rest ... View more