It's been a while, but there used to be a way to enable (Event Collector?) logging to a text file in SiteProtector. It may call them "trace" logs - I can't remember now. Once you have the text files, indexing them with Splunk is pretty trivial. Found some more information in my old notes. Things may have changed in more recent versions of SiteProtector, but look for trace file settings under Advanced Event Collector Configuration, and/or look for the Event Archiver. ... View more

I know you're asking about Splunk specifically, but remember that that Microsoft does not support Windows 2000 servers anymore. http://www.microsoft.com/windows/lifecycle/default.mspx http://support.microsoft.com/lifecycle/?LN=en-us&x=10&y=10&p1=7274 ... View more

This will be easier to deal with if you define a permanent extraction. In transforms.conf: [extract-filename] SOURCE_KEY = source REGEX = TheWord-([^\.]+) FORMAT = filename::$1 In props.conf: [yoursourcetype] REPORT-filename = extract-filename Tweak the regex to your liking. Change the [yoursourcetype] heading to [host::yourhost] or [source::yoursource] as needed. The fact that you are extracting from source is something of a special case, since you can be sure of having that field already populated in the index. If your first field is not host , source , or sourcetype , then you also need to make sure that your field extractions are called in the correct order -- naming becomes important. For example REPORT-000-fullpath and REPORT-999-filename . ... View more

Yes, that's correct. ... View more

Yes. There are a few things you can do. Here's an example site (from the guys who do the SplunkTalk podcast):      http://bit.ly/splunktalkanalytics Take a look at this video blog post:      http://blogs.splunk.com/2010/09/27/video-glimpse-into-splunktalk-podcast-analytics-insecure-login-dashboard-tricks/ The gist is that you can use "insecure" authentication, and embed login credentials into the URL. Then, create a dedicated role for that user, giving it access to on the indexes, search commands, etc. that it actually needs. Maybe even assign a search filter. Also, create a dedicated search app, with just the dashboards you need, and make that the default for the user. Using a separate, stripped-down search head can also help limit your attack surface. If you want to use always-on displays, the timeouts can be a problem as well, so see this thread:      http://answers.splunk.com/questions/7233/user-specific-browser-session-timeout Remember the common tradeoffs between security and usability apply, so doing this of course involves a bit of additional risk. Provided you're ok with that, this should get you started. ... View more

Splunk won't age out buckets to frozen until all events in that bucket are older than frozenTimePeriodinSecs . In the search app, take a look at Status->Index Activity->Index Health. Also take a look at the | dbinspect search command. ... View more

You can also use cidrmatch in the eval command. If you are dealing with known (usually internal) subnets, you can also resolve them by name - see this thread: http://answers.splunk.com/questions/5916/using-cidr-in-a-lookup-table ... View more

Take a look at the format command:     http://www.splunk.com/base/Documentation/4.1.5/SearchReference/format ... View more

Assuming you always want only two levels: | rex field=s_hostname "\.(?<s_domainname>\S+\.\S+)$" ... View more

What happens if you reverse the order in the transform line? [wmi] TRANSFORMS-null = setnull, 2008lockouts [WinEventLog:Security] TRANSFORMS-null = setnull, 2003lockouts The order in transforms.conf shouldn't matter, but the order in the actual TRANSFORM= line of props.conf may be significant. I think in your original version, setnull will match after 200Xlockouts , so it will first set the queue to indexQueue , but then change it back to nullQueue when your single-dot regex matches. ... View more

This sets sourcetype , not source . ... View more

In inputs.conf , you can explicitly set the value of source for a given input definition: [monitor:///var/log/something] disabled = false sourcetype = mysourcetype source = mysource Or, you can use a transform to assign it in a more targeted way: [mysourcetype] DEST_KEY = MetaData:Source REGEX = (?=) FORMAT = source::mysource The above example will always set the source - adjust the REGEX setting as needed to match text in your events for a more targeted assignment. ... View more

To be clear, the original suggestion was not advocating dumping the entire database, just the results of a single query. It depends on how your data is structured though - if you're continually adding new records, then it's more like a traditional log table than just a list of stats. See edits above for more information. ... View more

If you just want to dump the contents of that table every XXX minutes, it should be very easy to do. Just write a shell script or batch file that runs the command-line postgres client and dumps the table(s) you want, and have Splunk index the output. Basically, any query you can run at the command line would do. Take a look at the documentation on scripted inputs - that should help get you started. http://www.splunk.com/base/Documentation/4.1.5/Admin/Setupcustom(scripted)inputs If the table you want to monitor is continually growing (i.e., you're continually logging stats over time), then your problem is the same as for any other application that logs to a database. You may wish to consider having whatever populates the stats table log directly to Splunk, if that's feasible. Assuming it isn't, then you need to do a little more work scripting, and you should consider using Python instead of dealing with shell-scripts and psql: It depends how your table is structured, but here's a common approach if your table has an an increasing primary key value or timestamp: Keep track of the last-seen record ID in a file Build your SQL query to retrieve all records with ID values higher than the last one you saw Dump the results of the table to stdout Update the file with the highest ID value retrieved by your query ... View more

If the timestamps are in a consistent format, you could use rex to extract the time into a new field at search time, then pipe to convert mktime() to get epoch time, and where or eval to see if it matches the value in _time . ... View more

It should let you add more than one wildcard if you need to add another directory level, but only one segment can be used for extracting the hostname. If you add a second host_segment line, it will just override the previous one. To get both, you'd need to go back to using host_regex . Even then, it would extract as 'cctld/flexreg', and not as a fqdn like 'flexreg.cctld'. If you want the host to be extracted as a fqdn, and the fqdn is in the body of each event, you could get it with an index-time extraction in transforms.conf and props.conf instead of going from the pathname. ... View more

It's timing out waiting for the manage_agents prompt. Usually that means it's getting hung up on an SSH key or password prompt. It's strange though that you would have a successful connection when you tried it from the command-line. When you tested from the command line, did you by any chance have an SSH key agent running? I just uploaded an experimental build 1.1.76 - try that version and see if it helps. The new build has better handling of certain types of connection error. ... View more

It's not passed in the command line, nor as an environment argument, at least when run directly from the search bar. InterSplunk won't get it either. You might be able to figure it out by having the script call back into the REST API but it would be messy at best. The sendemail script has it though, since it uses it in the embedded links. That may be something special about email alerting, or maybe it has to do with being called from a scheduled search. What are you trying to accomplish? Is the job ID strictly necessary? ... View more

You'd need to build the evaluation logic into your Python script. Parameters like this are going to be passed into your Python script as command-line arguments -- you can get them from sys.argv and do whatever you want from there. ... View more

Run splunk list monitor and see if you still see that file. Is there any possibility that binary data could have made it's way into that file? Run a search for index=_internal catalina.out and look for any warnings or errors. ... View more

First, is Splunk listening on port 514, or are you having syslogd write a file for Splunk to index? syslog-ng and some other syslog daemons can filter for you, but assuming you want Splunk to do the filtering, what you want is nullQueue . Take a look here: http://www.splunk.com/base/Documentation/4.1.5/Admin/Routeandfilterdata#Discard_specific_events_and_keep_the_rest and here: http://answers.splunk.com/questions/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk ... View more

It's possible that an error is occurring somewhere in the backend and the error message is being masked by that view. What happens if you call it directly? (see edits above) ... View more