Try modifying your saved search to add a NOT statement for that sourcetype ... View more

The default username and password for a new Splunk install is user: admin password: changeme ... View more

Run the command ./splunk enable module input/UDP input/UDP enabled. You need to restart the Splunk Server for your changes to take effect. ... View more

Splunk is not able to blindly connect to a remote machine and collect system information. We require a user agent of some sort that will grant the necessary access. There are a number ways of that you can get data from remote systems into your Splunk instance. You can install a forwarding agent on each of the machines that you wish to collect data from that will send events to the central indexer. More information on data cloning and routing can be found here: http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/AboutforwardingandreceivingdataReceiving You can configure syslog/syslog-ng to forward event data to a central Splunk index. You will then configure Splunk to listen on the specified UDP (syslog) or TCP (syslog-ng) port. More information on configuring Splunk to listen on a network port can be found here: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Monitornetworkports You can write a small script that collects the various files from your remote systems and feeds them into your index using our scripted input method. More information on scripted inputs can be found here: http://docs.splunk.com/Documentation/Splunk/5.0/AdvancedDev/ScriptedInputsIntro ... View more

There are a number ways of that you can get data from remote systems into your Splunk instance. You can install a forwarding agent on each of the machines that you wish to collect data from that will send events to the central indexer. More information on data cloning and routing can be found here: http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Aboutforwardingandreceivingdata You can configure syslog/syslog-ng to forward event data to a central Splunk index. You will then configure Splunk to listen on the specified UDP (syslog) or TCP (syslog-ng) port. More information on configuring Splunk to listen on a network port can be found here: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Monitornetworkports You can write a small script that collects the various files from your remote systems and feeds them into your index using our scripted input method. More information on scripted inputs can be found here: http://docs.splunk.com/Documentation/Splunk/5.0/AdvancedDev/ScriptedInputsIntro ... View more

This will send a cooked data stream to the indexer (10.1.12.1:9997) and a second smaller uncooked tcp stream to the third party (10.1.12.2:1234). If you need the second stream to be syslog out then you will need to shift that work to the indexer. props.conf [syslog] TRANSFORMS-routing = routeAll, routeSubset transforms.conf [routeAll] REGEX=(.) DEST_KEY=_TCP_ROUTING FORMAT=Everything [routeSubset] REGEX=(SYSTEM|CONFIG|THREAT) DEST_KEY=_TCP_ROUTING FORMAT=Subsidiary,Everything outputs.conf [tcpout] defaultGroup=nothing [tcpout:Everything] disabled=false server=10.1.12.1:9997 [tcpout:Subsidiary] disabled=false sendCookedData=false server=10.1.12.2:1234 ... View more

A report is a visualization of the data that was returned by a given search. They allow you analyze the information you uncover through your searches and use it to create compelling stories. A dashboard is a collection of objects (reports, links, etc.). This allows you combine multiple different "stories" into a single interface. From the documentation: Use dashboards to highlight interesting and useful aspects of your data, link to important searches and display common reports Another way to look at it: The Search app contains an Indexing Activity dashboard. This dashboard has several different reports that visualize the state of various indexing operations. Each of these reports could be run independent of the dashboard and the two are not mutually exclusive. ... View more

Splunk currently does not provide a unique event id but will in a future release. This Q&A talks about it in greater detail ... View more

Yes. Summary indexes do count toward your total daily indexing volume. From a license perspective summary indexes are no different than the main index. The only indexed data that does not count towards your license are Splunk's own log files. ... View more

Hostnames in splunk can be set in many ways. You can set it explicitly in inputs.conf . For incoming TCP traffic, the host can be set with the following in your inputs.conf connection_host = ip | dns The host value can always be overwritten via props/transforms configurations. This is how the host value is set when the event is sourcetyped as syslog. Props/transforms configs will trump what is defined in inputs.conf More details can be found here ... View more

Like Ben said you can change these via Manager. These settings will persists until the next reboot or you restore the original log setting. This great when you know the specific area that you are troubleshooting The majority of Splunk's log settings (including the number of copies to keep and the size at which it rolls) are specified in log.cfg. In 3.x the Splunkweb logs are controlled in $SPLUNK_HOME/etc/SplunkWEB.tac . When you make a modification here you can make the changes to log levels permanent. You can also start splunk in debug mode ( splunk start --debug ) which will put all components of the product in debug mode until it is restarted ... View more