You could probably use eval to work out the data quantities in bytes, for example (assuming field being extracted as "Size" and "Used" from df -h 😞 * | rex field=Size "(?P<Size>\d+[\.,\d]*)G" | rex field=Used "(?P<Used>\d+[\.,\d]*)M" | eval Size=Size*1024*1024*1024 | eval Used=Used*1024*1024 | This will give you the Size field and the Used field in bytes instead of GigaBytes and Megabytes (respectively). This obviously gets messy very quickly... I would rather change the script to not use GB or MB or KB (or whatever) and use just a df instead of df -h ... if you really want to handle larger block sizes, make sure to define the size in the command, e.g. df -m for MB. EDIT: To complete the answer... then to work out the total of each column/field you would pipe to a stats command and then use the sum() function on your fields. e.g. ... | stats sum(Size) as totalSize sum(Used) as totalUsed Hope this helps ... View more

Okay, in the mean time I have work around using the \x special character and the hex equivalent of " . Using this in my example above this would be: foo \x22bar\x22 This (if you haven't already guessed) is for regex... it's added/modified from the Splunkweb and then used in scripts in the background. This is for an odd use-case. Any other suggestions are welcome of course. ... View more

If you can edit the CSV that you are using as a lookup directely, have you tried including the offending field in quotations (e.g. " ). For example: field0, field1, field2 efuieb, "foo,bar", blah inevei, "foo", blah Hope this helps. MHibbin ... View more

Hi, Welcome to the world of Splunk... Without re-writing what has already been written... the following documentation would be helpful here. http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/RemovedatafromSplunk ... View more

Not used it, but there appears to be... If you navigate to the Apps section of site, and the "Browse all apps", there is an RSS link next to the "Browse all Apps" header. Hope this is what you meant. EDIT: To include additional info for others that wanted to know: There is an RSS feed for the Answers section, which should appear to the right of this question. There is an RSS feed for Splunk news here... http://www.splunk.com/page/company_news/rss There are links to "business"-like feeds here... http://investors.splunk.com/rss.cfm ... View more

That's kind of correct... modifying inputs.conf is the way to go (make sure you restart Splunk to apply the changes), however your config is slightly wrong, you should try: [WMI:WinEventLog:Security] disabled = 0 start_from = oldest current_only = 1 This will just read from the oldest to newest (i.e. normal cronological flow), but only starting from the first event, from when the input is enabled (i.e. restart Splunk to apply config). At the moment you have it backwards, as it will read in reverse chronological order and then go back to the latest, which doesn't make sense. HOWEVER... although you may exceed your daily limit, Splunk will not punish you for you first offence, as in a real world there are times when we find the unexpected, and perhaps your logging source goes rogue and pumps out gigs of data. You should read the following doc, as indexing some of you older/historic events may be useful in showing Splunk's potential... http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Aboutlicenseviolations Hope this helps ... View more

I had a "weird" (well I thought so until I saw this) use-case, that involved modifying lookups from Splunkweb... Basically you will need to follow these steps (well this is how I got a solution): Write a python script to interact with the file Create/Edit a commands.conf file in your Splunk App Write a search query to take user input from text box To give some more detail on this... You will need to write a python script that will take standard system arguments (i.e. "sys.argv[n]") and apply them to the file of choice. If you a not familiar with writing Python scripts, it is quite an easy language to grasp the basics that you will need for this task. You should look at the following sources for support, if you need them: http://stackoverflow.com/ http://www.python.org/doc/ http://docs.python.org/tutorial You will need to make sure that you are writing your script for Python version 2.7, as this is the version that Splunk is using. Once you have the script written and tested. You will need to create a command.conf file in your app's directory (e.g. " $SPLUNK_HOME/etc/apps/<yourApp>/local/commands.conf "). This will be the method for informing Splunk that you have written a new script for it to use. The following is a simple example of how this may be setup, but you may wish to look at the spec file for more potential: [yourCommand] filename = /path/to/you/command.py The following resources, can help here: http://docs.splunk.com/Documentation/Splunk/5.0/admin/Commandsconf http://docs.splunk.com/Documentation/Splunk/4.3.3/Developer/SearchScripts You will then need to restart Splunk to apply these changes. Now you will need to create a form that will handle the user's input. This view will include a the use of your script/command, " yourCommand ", where you would use the user input (e.g. in the form xml, this would be something like " $foo$ "). The following links would be able to help here: http://docs.splunk.com/Documentation/Splunk/4.3.1/Developer/Step1CreateAForm http://docs.splunk.com/Documentation/Splunk/4.3.1/Developer/AdvancedFormSearch You should then be good to go. ... View more