Hover 4tw! ... View more

A Splunk server may have several roles. You can host your deployment server on your indexer and the two won't interfere with each other. Your indexer can even be a client of its deployment server. "I'm not only the Hair Club president, I'm also a client" ... View more

You can use CSS to change the SubmitButton color. .splButton-primary { background-color: #FFFFFF; } You would place this in application.css or dashboard specific CSS. You may generally use Firebug or a similar tool to discover the classes to manipulate. ... View more

That is if you intend to pass it through the client's browser which already has an authenticated session. You can authenticate through url parameters too by enabling insecure login. If you want to do this all programagically without use of client's browser, you'll want to leverage the REST API. ... View more

You will not need to enable receiving specifically for the deployment server. That feature is to allow forwarders to send their data to the indexer. On the deployment server, you will need to have a serverclass.conf that defines classes and assigns apps to those classes. On the deployment client, you will need to have a deploymentclient.conf that contacts the deployment server on its splunkd port (8089 by default). The below configuration would allow the deployment client to pull the application testApp from the deployment server's $SPLUNK_HOME/etc/deployment-apps/testApp to its $SPLUNK_HOME/etc/apps/testApp serverclass.conf sample: [global] [serverClass:testClass] whitelist.0 = * [serverClass:testClass:app:testApp] deploymentclient.conf sample: [deployment-client] [target-broker:deploymentServer] targetUri= 192.168.0.100:8089 ... View more

You were pretty close with a few. Instead of quoting the field and the value, just quote the value. Like this: index=proxy uri="*abc=321*" edit: The percent sign is included in the search from this query on my Splunk instance... dest_url="ord=810167203?%5C%22" ... View more

The easiest way is probably to set the sourcetype in your inputs.conf file [monitor:///tmp] sourcetype = tmp [monitor://c:\temp] sourcetype = temp Alternatively, sourcetype may be updated using props & transforms against the full or partial path (source stanza) name or the host (host stanza). It is important to note that if the formats of the files are the same - it is usually better practice to leverage the same sourcetype and distinguish between the two at report/search time via host or source. ... View more

If you don't see anything in the logs - it may be worth verifying the new index is available as a 'selected index' for the admin role (via the Manager). ... View more

If you don't want to tackle it via conf - I'll see your clunky and raise you one (sans _raw) | stats count | eval jumboField="MLQK=3.5000;MLQKav=3.7370;MLQKmn=3.2782;MLQKmx=5.3000;ICR=0.0000;CCR=0.0003;ICRmx=0.0027;CS=1;SCS=0;MLQKvr=0.93" | eval jumboField=replace(jumboField,"([^=]+)=([^;]+);?","<\1>\2</\1>") | xmlkv jumboField | fields - jumboField ... View more

When you created index "C" to indexer "B" did you also update the roles so that they searched index "C" by default? Are you using the Splunk default certs for SSL or custom? ... View more

Splunk allows the creation of custom search commands. Alternatively, you can do this using the existing Splunk search language to solve this problem. The below solution is intentionally verbose to show the different steps. First, break the binary into 4 equal parts (each having a length of 8). Next, convert each octet to its decimal form. Finally, combine the results. This example would take an ip_binary=11000000101010000000000000000001 and create an ip_decimal=192.168.0.1 ... | eval ip_binary=substr(ip_binary,1,8) + "." + substr(ip_binary,9,8) + "." + substr(ip_binary,17,8) + "." + substr(ip_binary,25,8) | makemv delim="." ip_binary | eval ip_decimal=tostring(tonumber(mvindex(ip_binary,0),2)) + "." + tostring(tonumber(mvindex(ip_binary,1),2)) + "." + tostring(tonumber(mvindex(ip_binary,2),2)) + "." + tostring(tonumber(mvindex(ip_binary,3),2)) ... View more

Splunk is not case sensitive when it comes to field values so we can extract fields with mixed case and not worry about searching. In other words, these searches would all return the same results: technology=Audio technology=AUDIO technology=audio NB: Fields are case sensitive, but the values are not. So these searches would NOT return the same result: Technology=audio TECHNOLOGY=audio technology=audio For reporting purposes, you may wish to show a consistent value. In this case, we can use the lower() or upper() functions of eval. This will return audio technology=AUDIO | eval technology=lower(technology) This will return Audio ... | eval technology = if(len(technology)>0,upper(substr(technology,1,1)) + lower(substr(technology,2,len(technology))),technology) ... View more

You can prepend instead of append to eliminate the subsearch. NB: In below text, due to comment formatting, replace the two instances of ~ with a _ source="access_combined" | head 10 | outputtext usexml=false | rename ~xml as raw | fields raw | fields - ~* | append [|inputcsv results.txt ] | outputcsv results.txt ... View more

The above comment should have a '_' prefix before the xml and the asterik but were used to italicize the text between ... View more

outputcsv doesn't currently support an append. So we use it as an input, add a search to it, and the write the results out again... |inputcsv results.txt | append [search * | head 10 | outputtext usexml=false | rename _xml as raw | fields raw | fields - _* ] | outputcsv results.txt ... View more

It is interesting you're seeing the deployment client listed as phoning home via deployment server but not seeing it pick up any apps. Do you see any relevant information in splunkd.log? ... View more

hazekamp's answer will send columns to the null queue per your question - but it is a better practice to keep the event 'as is', extract the fields of which you are currently interested, and do any filtering at search/report time. ... View more

Did you perform a 'splunk reload deploy-server' after editing serverclass.conf? ... View more

Actually - I see where you reported st2 was phoning home to st1, which answers my 2nd question. ... View more

Regarding st2: Is your deploymentclient configuration in "$SPLUNK_HOME/etc/system/local/serverclass.conf" or "$SPLUNK_HOME/etc/system/local/deploymentclient.conf". That is as equally as important as the above hyphen comment. ... View more

In the same vein, did you intend to write "$SPLUNK_HOME/etc/system/local/serverclass.conf contains" or "$SPLUNK_HOME/etc/system/local/deploymentclient.conf contains". It should be the latter and is as important as the hyphen in my above comment. ... View more