This needs to be added to the documentation as a 'gotcha'. WSA uses EST UNITED STATES by default if you don't set a time zone in the WS environment variables. It's NOT EST Australia. Changing this value once WSA apps are deployed may create unknown side effects, according to the websphere guys I'm talking to. Note that the end result of this for diligent system admins who've set up ntp is that the time zone in the events does not agree with the system time that Splunk ingests the event on. This causes a lot of interesting problems in the app, as I have just discovered at my customer site. Can we please have an official, tested and supported solution for this problem which does not involve messing around with WSA, as that would typically involve change control, outages, and maybe even app rewrites which might be out of the question. ... View more

I've been looking at questions and answers about version control of knowledge in Splunk and frankly it's weak to non-existent. There's nothing in the BUI and you're on your own with text files. On non-*x platforms where svn, git, even rcs and make (for placing files) are unknown, this is getting to be a large problem with our customers especially after a few years cranking away developing their own knowledge artifacts. From what I've seen of sourcesafe and other windowsy things, you do not want to go down that road if you can avoid it. So, how about an RFE to include even very basic version control in the BUI so that your latest and maybe a couple of previous diffs of your conf files get stored somewehere, and you can roll back if you want? I shouldn't think this would be much of a stretch, and for extra credit some hooks into popular version control systems would be REALLY nice...:-) SoS is only a partial answer at best and points the way to something better. ... View more

Figured out how to do it with yet another ugly hack. You can get the host name part of the windows computer name, however it appears, with this: eval x=split(host, ".") | eval w_host=mvindex(x,0) This normalises your hostname if it does have the domain part, but still works if it doesn't. You can then use this in a form to match your windows host however it appears: sourcetype=wmi:cputime host=*$w_host$* which normalises data sources which do not have the domain part, but still works if they do. Nasty, should be unnecessary, but it works. ... View more

I've been affected by and tracking this issue for more than a year. There doesn't seem to be any good answer (this isn't one either I'm afraid), and windows hosts seem to return an essentially random host value based on the computer name somehow :-). Can we please have a proper solution to this in the windows app, which allows the user at setup-time to require ALL events to be indexed with either FQDN or computer name, or at any rate ONE VALUE PER COMPUTER. I've seen 'solutions' which range from hard-coding the name in inputs.conf (which isn't available with WMI anyway), messing around with props and transforms, to rewriting the data at index time. In my experience, Splunk admins can't control how a given windows box has been setup, so we must have a way to work around this reliably and consistently. Many shops, and nearly all the larger ones, are multiplatform, and it's high time that the windows and unix apps behaved the same way. Even in an all-windows site, you will see interesting variations on the hostname, which make searches and UI elements needlessly painful to construct. ... View more

I've just noticed another very interesting thing. I ran splunk-wmi.exe to get a better idea of what it does, which isn't that much--just passes wql to the WMI provider. What it does NOT do is return any kind of hostname. So where is that coming from? If this can be changed to something sensible for WMI inputs, all will be well. ... View more

WMI inputs appear to use the Netbios name, regardless of other settings. A number of questions have been asked on this topic. netbios names are always uppercase. ... View more

I've been wrestling with this problem for more than a year (http://splunk-base.splunk.com/answers/28879/host-value-for-windows) and the only response I've had is to make an enhancement request. AFAIC, splunk does not have to mirror windows' broken behaviour. It is nonsensical to have the same host reporting events under three or four possible hostnames, even if they're related. It adds needless complexity to searches to have to account for the possibilities. There's no way I know of in windows to compel wmi to return the dns name, or if there is I haven't found it yet. Having to configure each wmi input manually is not, in my view, a solution, not to mention that it doesn't seem to work 🙂 It is high time Splunk did something about this, and I see quite a few unanswered questions here on this subject. I'm pretty sure wmi can be asked for the dns name and not the netbios name; should be simple enough to fix. ... View more

I was able to get the results I wanted with this incantation: sourcetype=interfaces | multikv forceheader=1 | dedup MAC I can't see how to do this in props or transforms so I'm using saved searches. Since I can't add a screenshot illustrating the problem (tried png, gif, jpg, results above), I can only say that in our installation splunk seems to be unable to extract fields properly when interfaces.sh returns virtual interfaces as well as physical ones, and looking at the UNIX app code and scripts I don't really understand why. ... View more

It seems that official support for wildcarding sourcetypes in this context is something that comes up pretty often. Enhancement coming soon? 🙂 ... View more

This advice conflicts with the documentation I've seen, which specifies the following sourcetypes: LTM product – ltm_log Firepass – firepass_log GTM product – gtm_log APM product - apm_log Packetfilter – packet_log I tried using sourcetype F5_SPLUNK_iRULE and no events appeared in the apps. Furthermore, after looking at the saved searches in the apps, the above would seem to be what they use. So where does this other sourcetype come into the picture? Which is correct for the current version of the apps? And if you have multiple products, do you have to set up each module to log to a different port? Otherwise, how do you get multiple sourcetypes from one data input? There is a fair bit about setting this thing up that I don't get. ... View more

Fine and dandy--dropdown populates instantly or thereabouts. Thanks! ... View more

OK this is weird. The question answered itself. All I had to do was substitute 'myapp' for 'search' in the href, restart splunk, and it worked. Funny thing is, I tried this exact same thing before and it didn't work, which is why I asked the question. Oh well, that's IT for you: 80% tech, 15% voodoo and 5% hammer, when tech and voodoo fail. ... View more

yet another variation on theme. The above solution only works on a heavy forwarder. Now that I've deployed some Universal Forwarders, you CAN'T use sedcmd there, evidently because the apparatus to make it go isn't there. HOWEVER, now it DOES work on the indexer. Can someone from splunk please explain these interactions? ... View more

I have had this same discussion with a customer some months ago. Here is what I sent them: The problem I thought of with this is--what exactly are you measuring? http is connectionless, so there isn't exactly a start and end of a session to track... I came up with some scenarios: User is interacting with a travel booking site. For the duration of their activities, there will be a stream of http traffic, puts and gets etc. No problem here. User opens a newspaper or mag and reads a long article. You might have one set of interactions as they get the page; they might sit there reading it for half an hour. You won't know anything until they browse the next web site. Alternatively, they might skim it in a minute and leave it open for half an hour in background. What, then, is the duration of their stay at the site? User opens multiple bookmarks in tabs but doesn't read any of them. Any traffic information here might be highly misleading; they might not in fact interact with any, but they could be open on the screen all day. I don't think what you want to do can be done in a meaningful way--not with splunk anyway. ... View more

The silence has been deafening... ... View more

Looks like the forum software has eaten the backslash characters in the above post. Sigh. ... View more

Found the answer, but not where I was expecting. It seems--correct me if I'm wrong--that SEDCMD does not work on events forwarded from another system. I moved my SEDCMD from the index host--where it was NOT working--to the forwarder, and presto! it came good. This is not documented as far as I can see, unless it's buried somewhere in the discussion of the pipeline. I'm quite happy to subst the whole output from getmac.exe, since I throw away most of it and keep the mac address--the field extraction on the index server DOES work. This would be nice to have in the windows app, so you can align mac addresses in a multi-platform shop. Also, if windows had utilities like sed built-in, none of this would be necessary since you could do it all in the script, like on a real OS. Anyway, the complete solution if anyone is interested: On windows host--input and rewrite -- create $SPLUNK\bin\scripts\getmac.cmd @echo off getmac.exe /nh -- add an input to etc\system\local\inputs.conf [script://C:\Program Files\Splunk\bin\scripts\getmac.cmd] disabled = false interval = 60 sourcetype = getmac index = my_index -- add sedcmd to etc\system\local\props.conf [getmac] TRANSFORMS-routing=route_bering # added by forwarder config SEDCMD=s/-/:/g On indexer: field extraction EXTRACT-macaddr = (?P<mac_addr>\w{2}:\w{2}:\w{2}:\w{2}:\w{2}:\w{2}) Result: maximum joy 19/08/2011 11:44:06.000 00:16:3E:23:E8:09 \Device\Tcpip_{60AE15D3:02BD:4E10:8D86:D1FECF394DAB} host=barents.remora.com.au sourcetype=getmac source=C:\Program Files\Splunk\bin\scripts\getmac.cmd mac_addr=00:16:3E:23:E8:09 ... View more

Does not work as per this doc in 4.2.1 or any other version I've used since 4.1. Nor does <option name="displayRowNumbers">false</option> Still seeing em. ... View more