Hi athorat, forward the _internal logs of the forwarder to the indexer and search like this: index=_internal component=ShutdownHandler This will list all shutdown events. Basics about _internal forwarding can be found here http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/Forwardsearchheaddata Yes, you can do the same on your forwarder. Hope this helps ... cheers, MuS ... View more

Hi clorne, the image is broken or missing ... View more

Hi alexsuv, this is a good approach as long as you have CLI access to the server. If not, you can try this app https://splunkbase.splunk.com/app/2613/ made by @martin_mueller it works just fine and your app is packaged and ready as a spl file. Hope this helps ... cheers, MuS ... View more

Hi DTERM, using this search: | tstats count WHERE index=* OR sourcetype=* by index,sourcetype, host | stats values(index) AS indexes values(sourcetype) AS sourcetype by host you can list all hosts sending events and you will also get a list of the sourcetype and the index they are sending to. Hope this helps ... cheers, MuS ... View more

Hi pathuris, you can search over both sourcetypes and count each events and compare them with this per day search example: base search here sourcetype=XYZ OR sourcetype=ABC | bucket _time span=1d | stats count(eval(events=="success")) AS success_count count(eval(events=="failure")) AS failure_count | eval perc=failure_count*100/(failure_count + success_count) This assumes you have a field called events which contains either success or failure as status. Hope this helps ... cheers, MuS ... View more

Hi szabados, take a look at this great blog post http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/ where you learn to use the REST endpoint of the TailingProcessor to show its activities and what files are currently being read. Hope this helps ... cheers, MuS ... View more

@ryantzj, see this answer http://answers.splunk.com/answers/27230/what-is-the-best-method-to-reindex-the-file-after-deleting-the-data.html ... View more

Hi 12onetwo, given you have a field called path or uri you can use dedup on this field base search goes here | dedup uri | stats count by uri see the doce for more details http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Dedup Hope this helps ... cheers, MuS ... View more

This the answer, because the Em dash will cause this error. You can test it with the two following searches: working: | metadata type=hosts | eval seconds_lag=(recentTime -lastTime) | convert ctime(lastTime) as LastTime | convert ctime(firstTime) as FirstTime | convert ctime(recentTime) as IndexTime | rangemap field=seconds_lag low=0-1800 elevated=1801-3600 | fields host,FirstTime,LastTime,IndexTime,seconds_lag,range not working: | metadata type=hosts | eval seconds_lag=(recentTime -lastTime) | convert ctime(lastTime) as LastTime | convert ctime(firstTime) as FirstTime | convert ctime(recentTime) as IndexTime | rangemap field=seconds_lag low=0—1800 elevated=1801—3600 | fields host,FirstTime,LastTime,IndexTime,seconds_lag,range Returns the error Error in 'rangemap' command: Invalid range: '0—1800'. '-' expected. because of the Em dash http://www.thepunctuationguide.com/em-dash.html cheers, MuS ... View more

Yes, the logic is the same. You can easily switch between Google Maps and Openstreetmap or any other Map tile server in Splunk; see the docs http://docs.splunk.com/Documentation/Splunk/6.3.0/Viz/Editdashboardpanelvisualizations Topic Map Tiles PS: You can even create your own map tiles and use them in Splunk 😉 ... View more

check any available outputs.conf on your forwarder cheers, MuS ... View more

Yes, by setting this option the internal logs of the forwarder will be forwarded to the server set in the outputs.conf of the forwarder. More details? Hmm, the basics are the same if you forward search heads internal logs or forwarder internal logs - so I don't know if there is more detailed information available....sorry ... View more

Hi athorat, sure, this can be done as well. Just make sure the $SPLUNK_DB path matches the new disks and all is good. cheers, MuS ... View more

Hi athorat, take a look at the docs http://docs.splunk.com/Documentation/Splunk/6.3.0/Indexer/Moveanindex about moving an index to a different file system / disk. As well take a look at this answer http://answers.splunk.com/answers/149248/how-to-move-index-from-one-hard-drive-to-another-in-splunk-clustered-environment.html which covers the cluster index move. Hope this helps ... cheers, MuS ... View more

here is a link on how to fix the execution problem http://answers.splunk.com/answers/70039/windows-deployment-server-to-nix-deployment-client-permission-issues.html if you deploy from a windows deployment server to *nix clients ... View more

or you install this app https://splunkbase.splunk.com/app/1607/ and access it in the Splunk UI without worrying where to cd to 😉 You will be directly in the right place and can start using the cli as Splunk user... cheers, MuS ... View more

try this regex (\w+)[\s:\-\s]*([^|\s]+) .. thanks for the kudos 🙂 ... View more

Hi ptrstpp950, I deleted the duplicate question and hope you don't mind 😉 cheers, MuS ... View more

Hi skender27, one hint would be extract http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Extract another hint can be this answer http://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html .. in your use case you would split the key value pair with the | cheers, MuS ... View more

No, $SPLUNK_HOME is the path to Splunk. $SPLUNK_DB is the path to your indexes which can be stored outside of Splunk ... View more