BTW, the issue is we recognize files by their contents, and these logs all have the same header. This setting essentially tells splunk "different filenames will have different contents". Or another way of looking at it "my files don't roll, they're new names by date, and don't get renamed." ... View more

To Splunk, Windows Event Logs are just another kind of event. Yes you can place any sort of windows event log data into splunk, and can create searches relatively easily to achieve the sorts of goals you outline. Splunk natively installed on a system as a forwarder can perform windows event log data collection and forwarding. Splunk can acquire all events from the logs. This would involve installing splunk on the windows XP devices. If you were to pursue this approach, I would guesstimate that you would want at least around 1 receiving splunk node per 1000 forwarders, purely to manage the number of open network connections. Forwarders can be configured to automatically distribute themselves across a group or to send to specific nodes (for the regional office case/goal). Alternatively, as you identify, Splunk can acquire the data over WMI. Similarly this is not restricted in the types of events acquired. The WMI subsystem provided by windows consumes memory proportional to the number of hosts. Because the behavior is typically memory limited, the ram available on the WMI-pollers is an important criteria. For a rough datapoint, one customer with 16GB WMI-pollers is servicing approximately 120 hosts per WMI-poller. Another customer was able to achieve higher numbers, closer to 300. Because the limiting factors are in a operating system subsystem, we're still learning about the scaling along factors such as data volume, network speed, etc. We've seen cases where the WMI subsystem is a bit brittle when overloaded so it's generally desirable to run it below capacity after testing to determine the capacity in your environment. Historically, some customers would use Snare to acquire windows event log data and send it to Splunk over syslog. From a splunk perspective, this is a bit more work, and the available data in the events is a bit less, but the point is that other means to transmit windows event log data to Splunk are also viable, should you have other means already in place to accomplish this. ... View more

In Splunk 4.1.x, both 'attempt' patterns are intended to work. There may be some outstanding issues with followTail, so you may want to evaluate what results you get without that. You may want to try turning on some debug settings to get more insight, or work with Splunk Support. In etc/log-local.cfg, you could turn these on. category.TailingProcessor=DEBUG category.WatchedFile=DEBUG category.BatchReader=DEBUG You can also turn them on/off interactively from Manager. This might be of use: http://www.splunk.com/wiki/Community:Troubleshooting_Monitor_Inputs#File_inputs ... View more

If the UI works at all, the message is likely incorrect. Interpret the message as "Your web UI may not work." Is it possible you somehow triggered the migration logic more than once? That can cause this message inaccurately (it thinks it has to rename the modules.new directory over the modules directory, but this can only be done once). Any information about the starting version and platform, and the download package might help us reproduce. ... View more

I assume you mean the script which ends up as /etc/init.d/splunk or similar? This thing invokes the launcher (bin/splunk) and passes its return values along. The values don't appear to be that useful right now. 0 obviously is success. 4 seems to suggest permissions problems 8 refers to environment problems The new 4.1 command line work incorporates this table: #define EXIT_NO_ARGS 8 #define EXIT_CMD_IGNORE 9 #define EXIT_FAILURE_USAGE 10 #define EXIT_FAILURE_DEPRECATED_CMD 11 #define EXIT_FAILURE_PARSE_CMD_LINE 12 #define EXIT_FAILURE_NO_HELP_EXISTS 14 #define EXIT_FAILURE_NO_DISPLAY_FUNC 15 #define EXIT_FAILURE_NO_CMD_EXISTS 16 #define EXIT_FAILURE_NOT_IMPLEMENTED 18 #define EXIT_FAILURE_NO_OBJ_EXISTS 19 #define EXIT_FAILURE_FGETS_READ 20 #define EXIT_FAILURE_REQD_ARG_MISSING 21 #define EXIT_FAILURE_REST_CALL 22 #define EXIT_FAILURE_DISPLAY_FUNC_ERR 23 #define EXIT_FAILURE_LOGIN 24 #define EXIT_FAILURE_URI_FORMAT 25 However we incorporate third party libraries. For example in some circumstances openssl (how the splunk executable communicates with splunkd) will exit(2) on its own. Compiling a complete list right now is not likely to be useful. Instead I would suggest: Try launching splunk yourself, ideally with the same user that the script does, or run the script yourself (sh -x -v /etc/init.d/splunk start) to see what happens. Review $SPLUNK_HOME/var/log/splunk/splunkd_stderr.log and splunkd.log ... View more

If you were sending syslog data to rsyslog without splunk declaring itself in a header like a normal syslogd forward mechanism, you were basically "getting lucky" by having splunk pass along whatever syslog data it receieved over tcp and having that look "syslog enough" to rsyslog. That is, in the past there was no specific support for emitting syslog data over udp or tcp. If you can still arrange to have only syslog-formatted events forwarded, and over TCP, I would expect it to work to the same degree that it it did before. If non-syslog-formatted data is involved then you have to take care not to forward that data, since it won't look anything like syslog to rsyslog. ... View more

The setting INDEXED=true for a field, which is not set by default, means that the field was created at indexing time, and is actually stored in a special way in the index (specifically the string instance::pango is indexed.) Since your fields are created via search-time extractions, this setting is incorrect. When you ad a wildcard to the value, apparently splunk is abandoning the requirement that it be locatable as an index-time field (though this surprises me). In short, this setting is simply not correct for your configuration, which is why it does not work. Realize that the strings are indexed regardless (INDEXED_VALUE=true) so there isn't really an expected performance cost for this. ... View more

I believe this is a bit of a moving target, as the scalability of the deployment server is improved. I certainly know of situations where a single deployment server was responsible for a few hundred clients, but many might be desktops or systems that are not always on. The pollFrequency specified on the client correlates quite directly with the amount of load per client, so this can be reduced in larger implementations, especially for forwarders which probably don't need rapid reconfiguration. As the number of active clients rises into range of 200 or more, I would recommend breaking out the server to a seperate splunkd, or possible several. This is guesswork. Please edit or correct this post as harder numbers emerge. ... View more