This is an issue specific to AIX causing the fsck utility to fail. If you do not wish to see this error you may wish to delete the meta.dirty file that is located in the $SPLUNK_HOME/var/lib/splunk/defaultdb/db/ directory. Keep in mind that this will only delete the file that was generated on an unclean shutdown and does not actually repair the buckets. To do so you may wish to run the fsck utility manually with the following command: $SPLUNK_HOME/bin/splunk cmd splunkd fsck --all --mode metadata --repair Otherwise, have a look at the following answer which describes how to validate the metadata files as well as the bucket tsidx files. http://splunk-base.splunk.com/answers/5374/how-to-quickly-validate-the-metadata-files-of-a-given-index-and-of-all-its-buckets ... View more

You will probably want to route those events to the null queue. This means that you will want to configure Splunk to take specific events such as what you have posted, and it will not index these events. Here is another answer link that is similar: http://answers.splunk.com/questions/11617/route-unwanted-logs-to-a-null-queue Also, the Splunk documentation contains some great examples to get you started with filtering events out that you do not want. http://www.splunk.com/base/Documentation/4.2/Deploy/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest ... View more

Hi Josh, You may want to create a log-local.cfg file in $SPLUNK_HOME/etc/ which includes a custom path for the following log configuration setting: appender.A1.fileName=/path/to/your/custom/file.log For more information, the following documentation link has some useful configuration settings for your log files. http://www.splunk.com/base/Documentation/4.2/Admin/SplunkLogFiles#log.cfg ... View more

I believe you may want to use something similar to the following search. host="hostName" | rex "(?P<IDLetter>[A-Z]).RECV..(?P<Requests>\\d+),.(?P<ErrorCount>\\d+)" | eval time=_time| transaction fields=IDLetter maxspan=60m | stats range(ErrorCount) range(Requests) range(time) by IDLetter The search will first break up the string by using regex to extract the fields we want to pay attention to followed by getting the UTC time stamp and then piping that to only show the events for the last 60min. Then its just a final pipe to the stats in order to work the math to find the differences between the error count, the requests and the time. ... View more

You may want to take a look at the answer posted here. More specifically, you will want to take a look at the serverclass.conf file so that you can set up the source directory of the config files you want to deploy as well as the target directory. Lastly, you will need to configure the client to be sure to grab the config files. The documentation illustrates this quite nicely in the terms of apps but config files can be deployed in a similar manner. ... View more

There are several formats in which IPv6 can be displayed in your event log. You will want to use transforms.conf to find and parse these addresses. Here is a list of regex that matches the different forms. (The IPv4 address converted to IPv6 used in the examples below is 192.168.10.100 with a net mask of 255.255.255.0) Full IPv6 address: fe80:0000:0000:0000:0000:0000:c0a8:a64 Regex to match and return full address as $1: ([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}) IPv6 drop leading zero's: fe80:0:0:0:0:0:c0a8:a64 Regex to match and return full address as $1 (yes, its the same as the above): ([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}) IPv6 collapse multiple zero's: fe80::c0a8:a64 Regex to match collapsed zero groups. This will also work with collapsed zeros at the beginning of the address but not for single group addresses(e.g. '::1') and does not check for illegal IPv6 addresses (e.g. fe80::c0a8::a64): (:?:?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[[::]?[0-9A-Fa-f]{1,4}]?) To account for mixed IPv4 and IPv6 addresses, IPv6 allows for changing the last 4 bits to include the IPv4 address fe80:0000:0000:0000:0000:0000:c0a8:a64 would then be noted with the quad address at the end and become 'fe80:0000:0000:0000:0000:0000:192.168.10.100'. Full IPv6 with IPv4 quad: fe80:0000:0000:0000:0000:0000:192.168.10.100 Regex to match: ([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:(?:\d{1,3}.){3}\d{1,3}) IPv6 dropping leading zero's with IPv4 quad: fe80:0:0:0:0:0:192.168.10.100 Regex to match (same as above): ([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:(?:\d{1,3}.){3}\d{1,3}) IPv6 with collapsed zero's and IPv4 quad: fe80::192.168.10.100 Regex to match: (:?:?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[[::]?[0-9A-Fa-f]{1,4}]?(?:\d{1,3}.){3}\d{1,3}) Depending on the IPv6 address type that you are seeing in your events, you may want to tailor the regex to fit your IPv6 addresses more specifically. ... View more