To get that first artifact, I always just schedule the search for 1 minute in the future via cron (example: it is now 3:23pm, set it for 24 15 * * * ). Then I let it run, generate the saved artifact to check out in my dashboard, then when it's right I set it to the final schedule it needs to have. ... View more

html coding of <a href="urlname">Linktext</a> also works. ... View more

Looks like it works ... View more

Accepted own answer - thanks! ... View more

Not everything forwarded from a SH to an indexer is license free - only things that are license-free anyways, such as internal logs and summary indexing. It is possible to bust a forwarder license with something like the UNIX app inputs and no indexer to forward to! ... View more

Confirmed, this 4.1.x command does work as expected in 4.2. ... View more

And would not bust its license if you accidentally enabled something like the Unix app inputs without specifying an indexer to forward to. Just wanted to make sure it was indended - thanks. ... View more

In 4.1.x and earlier, using the forwarder license was the method for applying the enterprise features to a box that did no indexing, such as search heads and deployment servers. ... View more

Okay, I'll go with the 4.1.x method for now. Bucket-maint is mentioned by Josh here: http://answers.splunk.com/questions/2473/ ... View more

I had to figure out MySQL slow query logs today. These configs should help you out. They tell Splunk to only break on a line starting with # Time: 110408 12:34:56 , get the time format right, and extract some other fields. --inputs.conf-- [monitor:///path/to/file] # input settings, send to the splunk that is collecting sourcetype = mysql:slow --props.conf-- [mysql:slow] # index-time settings, send to the indexer SHOULD_LINEMERGE = true TIME_FORMAT = Time: %y%m%d %k:%M:%S BREAK_ONLY_BEFORE = #\sTime:\s\d{6}\s[\s\d]\d:\d\d:\d\d MAX_EVENTS = 512 # search-time settings, sent to search head REPORT-query_for_mysql_slow = query_for_mysql_slow REPORT-user_src_for_mysql_slow = user_src_for_mysql_slow REPORT-times_rows_for_mysql_slow = times_rows_for_mysql_slow --transforms.conf-- # search-time settings, sent to search head [query_for_mysql_slow] REGEX = Rows_examined:\s\d+[\r\n\s]+([\s\S]+) FORMAT = query::$1 [user_src_for_mysql_slow] REGEX = User@Host:\s([^[]+)\[([^]]+)\]\s?@\s+?\[([^]]+)\] FORMAT = user::$1 src_user::$2 src::$3 src_bestmatch::$3 [times_rows_for_mysql_slow] REGEX = Query_time:\s([\d.]+)\s++Lock_time:\s([\d.]+)\s++Rows_sent:\s(\d+)\s++Rows_examined:\s(\d+) FORMAT = query_time::$1 lock_time::$2 rows_sent::$3 rows_examined::$4 ... View more

Splunk v4.2 now supports real-time alerting. ... View more

I've generally avoided all the si* helper commands and handled the funky statistical corner cases myself - Is there a writeup anywhere on what these cases are, or even what the si* commands do? ... View more

I am also seeing these errors, identical except for errno is errno: 104 - and we're seeing horrible performance in Deployment Server. We're still investigating. ... View more

I am noticing this problem too. When I search for the first event in my transaction, I see 100% of them with the dest field. When I transact them together with a few nearby log entries that do not have dest fields, ... SOME transactions have dest , some do not. ... View more

BTW this is still broken as of 4.1.8. ... View more

Any response from support? This does seem to be a bug, as a transaction should always respect startswith and endswith, regardless of maxspan or maxevents values. ... View more

Great - yes, I control splunkweb independently of LWF sometimes, so I wanted to know from splunkd.log. ... View more