im assuming that you do not just want to re-index the data and have duplicates in. If what you would like to do is clean all of your existing data, and then re-indexing it all up again then you can do the following: ./splunk stop ./splunk clean eventdata index_name ./splunk start For more info on this go here Cheers, .gz ... View more

remy you can try something like this: [source::e:\logs\yourlogs\*] MAX_TIMESTAMP_LOOKAHEAD = 75 TIME_FORMAT = %d/%m/%y %H:%M:%S Here are the docs on this, read them for more knowledge on how to deal with this: Configure Timestamp Recognition Cheers, .gz ... View more

Scott, For your specific role (you might want to create a different role for this other then admin?) you need to change your default indexes. Go to: Manager » Access controls » Roles » admin (or whichever role youre trying to change it for) and add other indexes to the Default index list. You might want to do this also for the 'indexes' list as well. Then check if you see your sourcetypes and sources etc on the global summary page. Cheers, .gz ... View more

rayfoo, go to Manager » Indexes and find your index there. Go ahead and Disable this index. Make sure you have removed all input.conf stanzas that monitor data and send it to this particular index. Once finished, restart splunk. Check to make sure that the index got disabled. Then to completely delete/remove the index go to $SPLUNK_DB/INDEX_NAME/ and either delete or move this index to a different folder. Then, go and find where the stanza for the particular index that you want to delete got saved in your indexes.conf. You can check /etc/system/local or /etc/apps/search/local/ or even /etc/apps/launcher/local/ Find and remove the stanza that is relevant to your index (the one you want to delete) Should look something like this: [test] coldPath = $SPLUNK_DB/test/colddb homePath = $SPLUNK_DB/test/db thawedPath = $SPLUNK_DB/test/thaweddb disabled = 1 Then restart splunk again. I believe this should be enough for you to "delete" the index and not have it show up in the indexes list on your manager page. Cheers, .gz ... View more

Scott, Yes, total max index sizes should never equal more then your total disk space available. In your described scenario, when diskspace is 400GB and Index1 has 200GB and index2 has also 200GB indexing will be stopped until you release at least 2GB(definitely more then 2 though) space. Best way would be: Index A + B + C + D +... < TOTAL HD Space ... View more

here's a few of them, credits go to Simeon: Which IP addresses are connecting to Splunk as inputs and how many times is it logged in metrics.log? index=_internal source=metrics.log tcpin_connections | stats count by sourceIp Where is Splunk trying to forward data to? index=_internal source=metrics.log destHost | dedup destHost What output queues are setup? index=_internal source=metrics.log group=queue tcpout | stats count by name What hosts (not forwarder/tcp inputs) have logged an event to splunk in the last 10 minutes (includes rangemap | metadata type=hosts index=netops | eval diff=now()-recentTime | where diff < 600 | convert ctime(*Time) | stats count | rangemap field=count low=800-2000 elevated=100-799 high=50-99 sever=0-49 ... View more

unfortunately i have never tried this, so you might need to learn by trial (and error), but there is a way to edit and manipulate indexes. Please read the wiki page located at: http://www.splunk.com/wiki/Community:Modifying_indexed_data_via_export_and_import GK (or jrod) can you comment a bit more on this? For example, if you export the data using the export tool into a CSV, can you then not index the CSV itself? (i have a customer who asks the same question, and for him its not a matter of different people being able to read different data, but its a matter of optimizing indexes etc.. ps. historical logs are not available and so they cant re-index the data) ... View more

muebel, i would suggest sending an email to education@splunk.com for all concerns with registration and education classes.. If you'd like i can inquire for you as well, but direct email to education is probably the best choice of action. Good luck ... View more