Awesome, thanks! ... View more

Your backslash was lost in myhost\foo ... View more

It's not entirely clear to me whether you want to actually run splunk as a non-privileged user, or if you want to run it as root but be able to manage the install while being logged in as a non-privileged user. If it's that you want to run it as a non-privileged user, that's very easy to do, but no, you cannot then listen on privileged ports or read files which that user doesn't have privileges to read. There's really no way around that that I know of. For instance, when you instruct Splunk to listen for syslog traffic, it's the splunkd process that is doing the listening, evident by the following: $ sudo lsof -i UDP:8514 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME splunkd 81284 mw 33u IPv4 0x0881a2e8 0t0 UDP *:8514 In the above, I'm explicitly not using a privileged port because I'm not running Splunk as root, but you can see the command which is listening on the port is splunkd. So, in order to use port 514 splunkd needs to be running as root. In order to read some logfiles splunkd would need to be running as root as well. Running splunkd as root and "Starting Splunk" as root are effectively identical statements. So, you need to make a decision. Do you require the ability to listen to privileged ports and read "privileged" files? If so, then you must run Splunk as a privileged user. If you want to run Splunk as root, but manage it as another user, that can mostly be done by giving your user sudo access to the "splunk" command (i.e. /opt/splunk/bin/splunk). However, that's really only going to give you management over a reasonable bit of functionality, but you'll probably find that there's a class of things that you'd like to do which either can't be done through that command or would be more easily done by directly editing config files, etc. Some software would provide a separate setuid process that would do privileged things, so that you could run the solution as a non-privileged user, but still have privileged capabilities for very specific items. In other words, splunkd could run as the user "splunk" and would spawn a setuid process called, for instance, "syslog_listener" which would run as root and have the ability to listen on privileged ports. I can't speak to the security issues with that or why Splunk isn't architected with that in mind. ... View more

Ah, I'm following now. ... View more

First, I agree with jrodman that there are some syntax issues. Also, it sounds like you actually want to keep specific events while discarding the rest, rather than discarding specific events and keeping everything else, as the link you provided leads me to. Do you maybe need this link? http://www.splunk.com/base/Documentation/4.1.6/Admin/Routeandfilterdata#Keep_specific_events_and_discard_the_rest ... View more

If you have any searches which utilize this command, please chime in and let us know what it's doing for you. ... View more

Thanks Ron. Good stuff! I'm going to post some more of these, so please keep your eyes peeled and chime in if you can. ... View more

Do you have the Windows app installed? If not, I believe it should take care of all of these extractions for you. You can install it even if your splunk instance is on *nix. ... View more

Pro tip: "tar zxvf filename.tar.gz" will tar and gunzip at the same time. ... View more

The answer can also depend on what you mean by substring. For presentation purposes, there are generally better mechanisms to carve up the raw data. If the relevant data is in fields then you can "table" them as well. Depending on the purpose, this can be prettier to look at: fail* sourcetype=syslog | table pid, process ... View more

Thank you, sir! That was my next destination. Incidentally, is there data regarding the performance of various actions, or some sort of performance priority chart? ... View more

It shouldn't change your actual results. Do you see JSON keys in the field picker on the left-hand side (i.e. do you see host, source, sourcetype, favorite_food, whatever? What errors are you getting from jsonkvrecursive? I know that one requires valid JSON in particular, where jsonkv is a bit more liberal, but not recursive. ... View more

The JSON utilities are splunk search commands, so they would be used on events, e.g.: <your search> | jsonkv The commands will attempt to extract the JSON key/value pairs into splunk fields for further processing. This is modeled after the existing "xmlkv" command which performs the same way. It looks like you may have already figured out your other question. ... View more

Thanks nick! I hadn't thought to use "stats values" to multivalue the field. Because I want to plot both compliant=True and compliant=False values, I assume I can add an eval and mvfilter in there maybe to basically say "if complaint contains a value of False, compliant=False". Thanks for the jumpstart! ... View more

Have you looked into scripted inputs at all? http://www.splunk.com/base/Documentation/latest/Admin/Setupcustom(scripted)inputs Rather than writing the data to a logfile, the Splunk light forwarder can consume the stdout of the script directly and pass that along. My preference would be to avoid writing custom socket communications. What's the point when Splunk can already do it, plus you could use the LWF to consume other logs, etc, as the need presents itself. ... View more