Map is like a foreach iterator. It will take each "result" of a previous search, and perform the map search that many times with the specified map search. An example might help. So I have a search (let's call it SRCH_1 ) " sourcetype=syslog sudo|stats count by user host " This returns a table such as: user host count user1 server1 1 user3 server1 3 user1 server3 2 Right after SRCH_1 , we will pipe, and then add the map command ( SRCH_MAP it shall be known as): |map search="search index=ad_summary username=$user$ type_logon=ad_last_logon" . This command will take each of the three results above, and search in my ad_summary index for a user logon event. The results are returned as a table and look like this(ish): _time computername computertime username usertime 10/12/12 8:31:35.00 AM ADMIN28-H$ 10/12/2012 08:25:42 user1 10/12/2012 08:31:35 AM What this is doing, putting it together, is finding who sudo'd and then tracing back to the computer and time they logged on to prior to the sudo event. EDIT: Here is the complete search: sourcetype=syslog sudo|stats count by user host|map search="search index=ad_summary username=$user$ type_logon=ad_last_logon" ... View more

You can use a lookup. http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Addfieldsfromexternaldatasources So the search would be something like: foo_search| lookup ldapLookup err OUTPUT description | top description ... View more

Using metadata is a great tool for this question. This search will return any sourcetype that hasn't reported a "lastTime" before (now - 7 days of seconds ago). |metadata type=sourcetypes|eval sevenDaysAgo = now() - (7*24*3600)|where lastTime < sevenDaysAgo Same thing for sources |metadata type=sources|eval sevenDaysAgo = now() - (7*24*3600)|where lastTime < sevenDaysAgo ... View more

Nope. It is only for forwarding, it is not a full instance. Adding link: http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Introducingtheuniversalforwarder ... View more

You will want to review the docs here : http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Aboutdeploymentserver . It is totally possible to update inputs.conf on a forwarder from the Deployment Server. ... View more

Have you added any inputs on the UF? On the linux box add this into etc/system/local/inputs.conf : [monitor://var/log] disabled=false sourcetype=syslog host=myhost You can find more at : http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf ... View more

Splunk uses it's own python to execute scripts. So if Splunk Python doesn't know about _mssql, it won't find it. Did you install _mssql to the file system? Try running manually with splunk cmd python /path/to/your/script . I got around that by using a sh script to call the python script with #!/usr/bin/python as the executable to use. ... View more

Looking at your metrics log, i see that the parsing queue is being blocked. Check here: http://splunk-base.splunk.com/answers/45676/what-causes-queues-on-indexer-to-block for some ideas on a blocked parsing queue. This is a little old, but http://wiki.splunk.com/Community:TroubleshootingBlockedQueues . And finally, http://splunk-base.splunk.com/answers/38218/universal-forwarder-parsingqueue-kb-size (notice how queue=parsingQueue [BIG Q] ) Might be case sensitive. ... View more