Hi there, When I issued "splunk restart" command, it takes more than 5 min. Looks like stopping splunk takes most of the restart time. Could you give us the possible reasons why restarting splunk takes longer time? Thank you! ... View more

Hi, I am trying to create email performance monitor using imap app. Using email header, I would like to get how long it takes to deliver email between each mail server, possibly using bar graph. This will give email service provider brief service assurance view. I can get email using imap app. Next step is to extract timestamp that shows email arrival time at each mail server. (information after Received = ) The following is the email address we used for test. Date = "13-jan-2011 15:10:28 +0900" Return-Path = "<testuser1@mydomain.poc>" Received = "from localhost by mail3.mydomain.poc with LMTP for <testuser2@mydomain.poc>; Thu, 13 Jan 2011 15:10:28 +0900" Received = "from mail3.mydomain.poc with LMTP by mail3.mydomain.poc (3.1.0/sieved-3-1-SW-build-1314) for <testuser2@mydomain.poc>; Thu, 13 Jan 2011 15:10:28 +0900" Received = "from mail2.mydomain.poc ([192.168.30.112]) by mail3.mydomain.poc (Switch-3.3.3/Switch-3.3.3) with ESMTP id p0D6AR0U023082 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <testuser2@mydomain.poc>; Thu, 13 Jan 2011 15:10:28 +0900" Received = "from mail1.mydomain.poc ([192.168.30.111]) by mail2.mydomain.poc (Switch-3.3.3/Switch-3.3.3) with ESMTP id p0D6AQ1N023608 for <testuser2@mydomain.poc>; Thu, 13 Jan 2011 15:10:27 +0900" Received = "from mail1.mydomain.poc (localhost.localdomain [127.0.0.1]) by mail1.mydomain.poc (Switch-3.3.3/Switch-3.3.3) with ESMTP id p0D6APqB026204 for <testuser2@mydomain.poc>; Thu, 13 Jan 2011 15:10:26 +0900" Received = "(from root@localhost) by mail1.mydomain.poc (Switch-3.3.3/Switch-3.3.0/Submit) id p0D6AOoj026203 for testuser2@mydomain.poc; Thu, 13 Jan 2011 15:10:24 +0900" From = "testuser1@mydomain.poc" Message-Id = "<201101130610.p0D6AOoj026203@mail1.mydomain.poc>" To = "testuser2@mydomain.poc" Subject = "Mail Performance Check" mailbox = "INBOX" size = 1375 ____________________ Message Body ____________________ sentAt = 2011/01/13 15:10:24 There are multiple Received information, I need to get each arraival timestamp and possibly get the similar result to the following. messageid sentAt mail_server time_taken ReceivedAt ----------------------------------------------------- ------------------- ----------- ---------- ------------------- 201101130610.p0D6AOoj026203@mail1.mydomain.poc>" 2011/01/13 15:10:24 mail1 2 2011/01/13 15:10:28 mail2 1 mail3 1 201101130610.p0D6AOoj026203@mail1.mydomain.poc>" 2011/01/13 15:10:34 mail1 2 2011/01/13 15:10:38 mail2 1 mail3 1 201101130610.p0D6AOoj026203@mail1.mydomain.poc>" 2011/01/13 15:10:44 mail1 2 2011/01/13 15:10:48 mail2 1 mail3 1 201101130610.p0D6AOoj026203@mail1.mydomain.poc>" 2011/01/13 15:10:54 mail1 2 2011/01/13 15:10:58 mail2 1 mail3 1 Thanks! --- added Jan 14, 2011 I can get the Received, but only the last Received value is shown. configuration includes MV_ADD=true. # splunk search 'sourcetype="imap" mailbox="INBOX" Message_Id="*201101130610.p0D6AOoj026203*" From="testuser1@mydomain.poc" To="testuser2@mydomain.poc" | stats list(Received)' -auth admin:changeme list(Received) ----------------------------------------------------------------------------------------------------------- from localhost by mail3.mydomain.poc with LMTP for <testuser2@mydomain.poc>; Thu, 13 Jan 2011 15:10:28 +0900 How do I get multiple Received values? ... View more

Hi I am creating a search for sendmail log on multiple mail servers to obtain time taken to relay between MTA and each process happened on each Mail server. I have already configured distributed search on each mail server(mail1,mail2,mail3) and each splunk sees /var/log/maillog. To be specific, I want to get time taken between each log entry of the following, and show the result in bar or column graph with each process' elapsed time stacked so you can know how long it takes to get mail1 to mail3(spool), total time and time taken in each mail server. Could anyone help me create a search string to get the result? <mail1> Dec 16 17:14:08 mail1 sm-mta[22714]: oBG8E7wE022714: from=<testuser1@mydomain.poc>, size=475, class=0, nrcpts=1, msgid=<282997A8AE804969B7AEDEF9E8C357F6@ChangeMe>, proto=SMTP, daemon=MTA, relay=[192.168.30.110] Dec 16 17:14:09 mail1 sm-mta[22716]: oBG8E7wE022714: to=<testuser2@mydomain.poc>, delay=00:00:01, xdelay=00:00:01, mailer=smtp, pri=120475, relay=[192.168.30.112] [192.168.30.112], dsn=2.0.0, stat=Sent (oBG8E8u5017130 Message accepted for delivery) <mail2> Dec 16 17:14:09 mail2 sm-mta[17130]: oBG8E8u5017130: from=<testuser1@mydomain.poc>, size=658, class=0, nrcpts=1, msgid=<282997A8AE804969B7AEDEF9E8C357F6@ChangeMe>, proto=ESMTP, daemon=MTA, relay=[192.168.30.111] Dec 16 17:14:11 mail2 sm-mta[17132]: STARTTLS=client, relay=[192.168.30.113], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256 Dec 16 17:14:11 mail2 sm-mta[17132]: oBG8E8u5017130: to=<testuser2@mydomain.poc>, delay=00:00:02, xdelay=00:00:02, mailer=smtp, pri=120658, relay=[192.168.30.113] [192.168.30.113], dsn=2.0.0, stat=Sent (oBG8EALJ002849 Message accepted for delivery) <mail3> Dec 16 17:14:11 mail3 sm-mta[2849]: STARTTLS=server, relay=[192.168.30.112], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256 Dec 16 17:14:11 mail3 sm-mta[2849]: oBG8EALJ002849: from=<testuser1@mydomain.poc>, size=851, class=0, nrcpts=1, msgid=<282997A8AE804969B7AEDEF9E8C357F6@ChangeMe>, proto=ESMTP, daemon=MTA, relay=[192.168.30.112] Dec 16 17:14:11 mail3 lmtpd: session=1 msgid=<282997A8AE804969B7AEDEF9E8C357F6@ChangeMe> recipient=<testuser2@mydomain.poc> mailbox=!users/testuser2/INBOX size=1458 uid=9 stat=Delivered Dec 16 17:14:11 mail3 sm-mta[2851]: oBG8EALJ002849: to=<testuser2@mydomain.poc>, delay=00:00:00, xdelay=00:00:00, mailer=mstore, pri=120851, relay=localhost [127.0.0.1], dsn=2.0.0, stat=Sent -- additional information I created search just to get the delay with in the mail server. # splunk search 'sourcetype="sendmail" testuser* | transaction queueid | table host, from, to, delay, msgid, queueid' -auth admin:changeme host from to delay msgid queueid ----- ---------------------- ---------------------- -------- --------------------------------------------- -------------- mail3 testuser1@mydomain.poc testuser2@mydomain.poc 00:00:00 282997A8AE804969B7AEDEF9E8C357F6@ChangeMe oBG8EALJ002849 mail2 testuser1@mydomain.poc testuser2@mydomain.poc 00:00:02 282997A8AE804969B7AEDEF9E8C357F6@ChangeMe oBG8E8u5017130 mail1 testuser1@mydomain.poc testuser2@mydomain.poc 00:00:01 282997A8AE804969B7AEDEF9E8C357F6@ChangeMe oBG8E7wE022714 mail3 testuser1@mydomain.poc testuser2@mydomain.poc 00:00:01 FA1F6FD73ED347CB8F3B5451C59750CA@ChangeMe oBG8Ard9002705 mail2 testuser1@mydomain.poc testuser2@mydomain.poc 00:00:02 FA1F6FD73ED347CB8F3B5451C59750CA@ChangeMe oBG8Aq5h016984 mail1 testuser1@mydomain.poc testuser2@mydomain.poc 00:00:01 FA1F6FD73ED347CB8F3B5451C59750CA@ChangeMe oBG8Aok0022150 ... But, I would like to get the result in the format similar to the following. I think I still have to do transaction search for msgid. * OK with different format if the result have those information. msgid from to total host ArrivedAt StayedFor SentAt ------- ----- ----- ------- ------ ---------- --------- -------- abcdef user1 user2 6 sec mail1 HH:MM:SS 2 sec HH:MM:SS mail2 HH:MM:SS 3 sec HH:MM:SS mail3 HH:MM:SS 1 sec HH:MM:SS What would be an easy way to get the result...? Thanks! ... View more

Hi, I would like to know how to force web clients to use only SSLv3 and TLSv1? I found the following configuration in the documentation. http://www.splunk.com/base/Documentation/4.1.5/Admin/Webconf supportSSLV3Only = [True | False] * Allow only SSLv3 connections if true * NOTE: Enabling this may cause some browsers problems Does this configuration force web clients to use only SSLv3 and TLSv1? * The splunk version is 4.1.4. Thank you! ... View more

Hi, I want to use google analytics to get user trace. In which template should I put the google analytics code so that all splunk page can have the google analytics code embedded? $SPLUNK_HOME/share/splunk/search_mrsparkle/templates/layout/base.html Can I put google code here? Thank you! ... View more

Hi, I am trying to create network traffic trend graph by: execute snmpget to network devices every minute to get counter value for IN/OUT in Octets and put the output to splunk as scripted input. extract counter field to get counter value, convert counter value to decimal, get delta to get bit per minute, then get bps by dividing by 60. use timechart command to get avg(bps) in 5min. I can see the scripted inputed is successfully indexed into splunk, but I can't get 5-minute average bps using the folloing search: sourcetype=snmpget host=192.168.1.1 mib_name=*ifIn* | eval decimal=tonumber(counter,8) | delta decimal as bpm | eval bpm = abs(bpm) | eval bps=(bpm/60) | timechart avg(bps) span=5m the search result looks like this: _time avg(bps) --------------------------- ----------- 2010-10-27 15:30:00.000 CST 2010-10-27 15:35:00.000 CST 2010-10-27 15:40:00.000 CST 2010-10-27 15:45:00.000 CST 2010-10-27 15:50:00.000 CST 837.983333 2010-10-27 15:55:00.000 CST 940.983333 2010-10-27 16:00:00.000 CST 942.333333 2010-10-27 16:05:00.000 CST 1250.377778 2010-10-27 16:10:00.000 CST 3151.966667 2010-10-27 16:15:00.000 CST 3144.083333 2010-10-27 16:20:00.000 CST 2010-10-27 16:25:00.000 CST 1466.822222 2010-10-27 16:30:00.000 CST 2010-10-27 16:35:00.000 CST 2010-10-27 16:40:00.000 CST [root@syslog1010 ~]# There are several gaps. Is there any usage mistake in my query? or if anyone know how to achieve this kind of traffic graph, please let me know. Thanks.. ... View more

Hi there, I have asked to use SplunkWeb with 2048bit SSL certificate. Access to SplunkWeb with default certification worked, but it did not work with 2048bit certification. Does splunk support 2048 bit certification for SplunkWeb SSL use? If so, should I take the certification concatenation step shown in the following splunk answer? http://answers.splunk.com/questions/1899/how-do-i-use-intermediate-ssl-chain-certs-on-splunk Thanks! ... View more

Hi there, I added customized message and image to the login screen by setting login_content parameter in web.conf. However, I need to customize the login screen beyond just adding messages. http://www.splunk.com/base/Documentation/4.1.5/Developer/CustomizeLogin As I saw the documentation above, I could not find any information about customizing login screen. Is there any customization option for login page? Thanks! ... View more

Hi there, I need to re-index some data. In inputs.conf, host_segment parameter is configured as follows: host_segment = 3 And I issued the following add oneshot command after deleting indexes using "| delete" command: splunk add oneshot "/path/to/host1/file" -index myidx -sourcetype mytype splunk add oneshot "/path/to/host2/file" -index myidx -sourcetype mytype splunk add oneshot "/path/to/host3/file" -index myidx -sourcetype mytype However, I got the following result: splunk search '* | top host' host count percent ------ ------ ---------- myhost 5 100.000000 myhost is hostname of splunk server. I expected host1, host2 and host3 in the result. Could anyone help me retrieve host value using host_segment? Thanks! ... View more

Hi there, I have a chart that takes 15+ sec to draw area graph after loading completed. Loading data can be tuned by using summary index, but any way to tune drawing part? The number of data is around 9000 * 3 series. Thank you! ... View more

Hi there, I am trying to have splunk know the right timestamp in the following event. COR_00000001,Com1,LOC_00000001,DC1,SUB_00000001,21F,GRP_00000001,Rack1,CON_00000001,Saving,8A0000000521A81D_1,2010/09/03,3F PW System,Powe,8A0000000521A81D_1,kWh,2010/09/03 00:00:00,15,83946325 There is a .csv file, and there are a header line at the first line and the rest of the lines are similar to the event above. The correct timestamp is "2010/09/03 00:00:00" which is in %Y/%m/%d %H:%M:%S format. My props.conf looks like the follwing, but I can not get the right timestamp. [source::<path>] CHECK_FOR_HEADER=false [<sourcetype>] SHOULD_LINEMERGE = False BREAK_ONLY_BEFORE_DATE = False TIME_FORMAT = %Y/%m/%d %H:%M:%S Could anyone help me out? Thanks! ... View more