Are you aware of the layout panels facility, eg http://www.splunk.com/base/Documentation/latest/Developer/AdvancedSearch#specify_layout_panels ... View more

There's a defect or a missing step. Please work with splunk support to resolve. ... View more

Users who had login access via splunk auth which was revoked? Or something else? We can't create such a list for LDAP/scripted auth, of course. ... View more

The markers for the eventlogs are stored on disk in $SPLUNK_HOME/var/lib/splunk/persistentstorage/... something or other. I'm presuming that somehow they got corrupted or erased on the BSOD. Can you evaluate what's in this directory? To identify the dupes you could run a search over a particular time range, something like : host=problemhost sourcetype=WinEventLog* | stats count as frequency by _raw |where frequency > 1 If this reliably is identifying them, someone smarter than me can figure out a search that grabs the first event for each duplicated set, and then delete those. ... View more

The goal here is to have the setup.xml control the sourcetype assigned in inputs.conf. I'm not sure exactly why though. Manager can modify the sourcetype for an input, so it seems to me you'd want to have the setup.xml somehow make use of the same endpoints, if possible. ... View more

If my response (or lowell's) was really the information you were looking for, please do go ahead and accept one as your answer. It will help identify useful solutions for others. ... View more

Continuing... if your job has no time axis at all, then there might be more performant datastores, but sometimes splunk is still worth using for interface, utility, accessibilty, etc. ... View more

Regarding splunk vs nonsplunk, where splunk really shines is when you have some amount of interest in selecting the data based on time. This is nearly always true for our use cases. People may care about historical windows, but they very, very frequently care about the recent window -- data in the last day/hour/etc. In splunk there's no cost for having 80 terabytes of historical data when you only care about the most recent 40MB, which is very much not true in most other data stores. ... View more

Agreed, I considered talking about the other issues, but didn't. The stability of data identification is probably the much more important factor in this case, given that the performance difference is likely to be very small. ... View more

You probably should work with support and/or investigate which files are open by looking in proc, or using lsof . We might be a bit too aggressive in how many files we open in the new tailing code, but that's just a wild guess. ... View more

This points to: we should really just add the version number to the boot up information. ... View more

Woohoo, generators. ... View more

Yeah, I probably had that answer ready after reading your bug. I read some bug that mentioned it, in any event. ... View more

I think our preclusion of this behavior is basically stale. Given that we do it all over the place, and I think customers are doing it, it does work. ... View more

In addition, you can make splunk treat sourcetype A as if it were sourcetype B for search purposes. http://www.splunk.com/base/Documentation/4.1.2/Admin/Renamesourcetypes This only allows you to cause ALL of sourcetype A to now be considered B. ... View more

Timestamps have already been extracted before the events exist. They're part of how we find event boundaries. Thus all event transformations are too late. ... View more

What's the incoming datastream like? What hosts are running in a locale where the timestamps will look like this? How does it arrive? The goal here is to have a splunk running in the desired locale, handling that data. ... View more

my non-answer suggestions, hopefully someone else will know more: investigate if you've got a proxy involved here somewhere. It's possible the CSRF header isn't doing what it should with providing the right values. use some sort of sniffer to see the http headers provided for the working and nonworking requests. get a baseline with splunk/en-US/debug/echo ... View more

A typical choice for a search head license is the splunk-forwarder.license which is a 1MB enterprise license that you are welcome to use on any search heads and forwarders. This is in $SPLUNK_HOME/etc, just waiting for you to copy/symlink it to splunk.license. ... View more

Really, is there more to this? I have run adblock since forever. Are there particular symptoms to look for? ... View more

I see this myself with Firefox 3.5, inconstantly. I believe my proxy is involved, probably cacheing an old answer, but I haven't looked into it. ... View more

Sure, but I don't like leaving stale ones lying around. ... View more

If Splunk is running in the that locale, then I would expect this %b conversion to work. What does the command # date +'%b' show for you, in the environment in which splunk is used? UPDATE: We don't have locale handling in our date parsing at all, currently. I had somehow imagined that we made use of the system library for the specific string decoding, but apparently it is a custom implementation for cross-platform consistency, existence at all on windows, and performance goals. Essentially this becomes an enhancement request (although a fairly important one) for handling localized european dates. In Asia this hasn't come up (yet) because mostly numerics are used for months, rather than names. The only short-term workarounds I can recommend are to pre-process the file, or to alter the date format in which it is emitted. Obviously neither is ideal but it's what's possible today. ... View more