Awesome! Glad you are up and working! Could you share what you did to resolve the issue so that future readers can benefit? ... View more

+1 to the the 'add data' wizard . It's a great place to test out these settings on sample data!! j ... View more

I think we are confusing things a bit here... All that matters is how much raw data makes it into the indexing pipeline (after any filtering). Licensing is not how much data is in your index, it is how much data did the indexer have to index. ... View more

it will be 100 GB. There is no need to confuse things with how splunk compresses and stores the data. If you send 100GB to the indexing pipeline, you are using 100GB of license. ... View more

my bad for the quick read of the issue. if you go into the Splunk for *nix app, and go to settings >> your data >> Memory data are you set to sourcetype=vmstat? If so, when you hit the preview button, do any events return? Perhaps try hitting save on that page again? Also, can you advise where in the app you are looking? Both on the home page and on the hosts page? What do you see for the hosts page when in table view? ... View more

index=[myindex] host=[myhost] source=/var/log/messages PHP Warning would search for events with PHP AND Warning in it. index=[myindex] host=[myhost] source=/var/log/messages "PHP Warning" would search for the literal string "PHP Warning" BONUS: index=[myindex] host=[myhost] source=/var/log/messages PHP OR Warning would search for events with PHP OR Warning string in it. FYI, you can use the comment function when discussing questions further, rather than posting an answer. You can convert your answer to a comment with the gear symbol on your answer! Also, don't forget to accept the answers you get if they help! Happy Splunking! ... View more

Hi SplunkLunk! When searching over events to match strings contained within them, there is no need to explicitly tell Splunk to check the _raw message, as it will be doing that by default. For example: index=n00blab host=n00bserver sourcetype=linux:ubuntu:auth root This search tells Splunk to bring us back any events that have the explicit fields we asked for AND (any space in your search is treated as an implicit 'AND') contains the literal string "root", anywhere in it. It is the same as saying: index=n00blab host=n00bserver sourcetype=linux:ubuntu:auth _raw=*root* The tricky part when searching _raw= is to remember that if you simply said _raw=root, nothing would match, cause I don't have any raw events that only contain the word 'root'. However, I have plenty of events that CONTAIN the string root, so by adding the asterisks, I turn it into a CONTAINS rather than EQUALS... I strongly recommend bookmarking the Splunk search reference manual, as even the most seasoned Splunker needs to consult the docs for search syntax and rules, from time to time! http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/WhatsInThisManual ... View more

+1 for making sure sysstat is installed! ... View more

+1 for cleaning up the perms on the splunk.key on a 6.5 indexer. ... View more

This is precisely what you should do ... View more

HAHAAH! did startup not balk at that? or any config checks? btool? ... View more

It all comes down to what you want your scripted action to do, but generally, anything is possible with the right tools and desire to accomplish the task. If the alert action lives on linux SH and the scripts need to run against a windows box, you will need to get creative to facilitate that, but it's nothing an ssh server on the windows box can't accomplish. (ie.ssh to windows box, and kick off a windows script that lives on the machine) Just depends on scale, appetite for creativity, etc etc. ... View more

Ha! Wow. I was sure that was going to get ya going. ... View more

ahhh good eye fz!! That's gotta be it!!! compressed = [true|false] * Applies to non-SSL forwarding only. For SSL useClientSSLCompression setting is used. * If true, forwarder sends compressed data. * If set to true, the receiver port must also have compression turned on (in its inputs.conf file). * Defaults to false. ... View more

Great troubleshooting step! Writing to log is best practice anyhow.... So what does ./splunk list inputstatus say about that log? What about if you grep /opt/splunkforwarder/var/log/metrics.log, you seeing any 'blocked=true'? Or is it saying its sending your sourcetype? This one is killing me. I'm so close to sending you a webex to see this for myself LOL ... View more

still battling this? ... View more

still working on this one? ... View more

Ah, just noticed...thats not a csv at all...appears semi space delimited, although I am not sure I'd even call it that.... You are going to have issues with this data in this format as there are spaces in the headers and there are fields that don't get populated and dont contain nulll values... for example...your first 7 headers don't match all of your events... SiteID Domain TotalRequests SavedRequests TotalBytes SavedBytes HitTime 1033027 ma.my.yahoo.com 10/12/16 0:10 1350 0 0 0 0 1033027 ma.my.yahoo.com 10/12/16 0:20 91 0 0 0 0 1033027 ma.my.yahoo.com 10/12/16 0:30 251 0 0 0 0 1033027 ma.my.yahoo.com 10/12/16 0:40 581 0 0 0 0 1033027 ma.my.yahoo.com 10/12/16 17:50 74 0 0 0 0 Is there anyway to clean up the format of this data??? What is the source of this data? At this point index time csv fields are not going to work on this...you may be able to do some searchtime magic...but truly, this data needs to be formatted better Even Excel doesn't like it lol ... View more

lets look at btool before I go set it up in my lab. I have a very similar set up, but i catch the logs with rsyslog then tail the file. Try: splunker@n00b-splkufwd-01:/opt/splunkforwarder/bin$ ./splunk btool inputs list udp --debug /opt/splunkforwarder/etc/system/default/inputs.conf [udp] /opt/splunkforwarder/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunkforwarder/etc/system/default/inputs.conf connection_host = ip /opt/splunkforwarder/etc/system/local/inputs.conf host = n00b-splkufwd-01 /opt/splunkforwarder/etc/system/default/inputs.conf index = default ... View more

wow..cant give up now! MUST. KNOW.WHY lets check btool ./splunk btool inputs list --debug im going to set it up in my lab. i use rsyslog to write to disk, but lemme set up udp as well ... View more

You can, and should be able to avoid the need for a heavy forwarder, using route and filtering options for inputs http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Routeandfilterdatad see: Route inputs to specific indexers based on the data's input you can create a single outputs.conf with all target indexers defined [tcpout:systemGroup] server=server1:9997 [tcpout:applicationGroup] server=server2:9997 Then in inputs you can use TCP_ROUTING to point the inputs accordingly. [monitor://.../file1.log] _TCP_ROUTING = systemGroup [monitor://.../file2.log] _TCP_ROUTING = applicationGroup ... View more