Are queries that go to two index servers in different time zones handled correctly? I'm assuming it does, but want to be sure. Specifically, do queries get adjusted for the time zone they originate in and pull the right data according to the time zone the index servers are in? Also, does the gui adjust and handle the results appropriately coming back? ... View more

Is there a way to tell if a regex has been applied to an event? I'm doing field extractions and want a way to confirm the field extractions applied to all the correct events. I suppose I could do this validation outside of Splunk using grep | linecount and cross checking with the event count in Splunk. It would be cool though if I could use Splunk though. ... View more

WHen I try to install it gives me a message that GLIBC-2.3 is required but there is no support to get this package for RHEL AS 2.1? ... View more

What is the mechanism for federating credentials between splunk servers when doing a distributed search? ... View more

Is there a way to change the splunk admin password from the command line when splunk isn't running? Anytime I do a splunk install on our servers where splunk is on the net, I have to go manipulate firewall rules twice because splunk comes up with a default password. I'd really love to set that password to a specific one before I start splunk the first time. ... View more

I've got a user that is missing the "show source" entry at the drop-down box at the left of any search result. How does she set it up? ... View more

I got Your index exceeded your 20.00 GB/day limit again. I would like to know which data inputs cause this. ... View more

I installed the Splunk Linux version today (rpm version) but I don't know how to start Splunk service. I tried to input command service Splunk start and /etc/init.d/splunk start but these services did not have Linux. How can I start Splunk service? ... View more

We plan to use Splunk to keep log for several java application including web server like Tomcat. Those application are using log4j with org.apache.log4j.RollingFileAppender. The partial config will be like below: log4j.appender.R.MaxFileSize=10MB log4j.appender.R.MaxBackupIndex=20 That is when the server.log reaches 10MB, it will be renamed/rollover to server.log.1 and server.log.1 will be server.log.2 and so forth... My questions: Is that correct to setup Splunk to monitor (set the file as an input) server.log only. No need to monitor server.log.n. Is that correct? How quick can Splunk react to a change of server.log For example, if my app server write lots of log (e.g., 10MB log is written in less than 2 second), can Splunk still read and capture my log just before my server.log rollover to server.log.1? If not, how should I setup Splunk? ... View more

Im not sure if this is the right place but I've been looking through your site like crazy for the price of your enterprise version cost with no luck. Can you please tell me how does your Licensing works and what's the cost of it? ... View more

How do I take output (say . . . "View Sources") and pipe it to a file? ... View more

what are the steps to get running jobid in splunk. after gettign the jobid can i put it in https://localhost:8089/services/search/jobs/jobid/results?output_mode=xml ... View more

For every Retention key (already extracted by Splunk: 20181947800000) I want to subtract the requestTime="2009-05-26T08:43:15" when pageSubmitted="/snapcCustomer.xhtml" from requestTime="2009-05-26T08:47:23" when pageSubmitted="/snapcPremium.xhtml" 08:47:23 - 08:43:15 = 4:12 (4 minutes and 12 seconds) This the value I want to compute. How can I achieve this? ... View more

In the past we've always logged all of our applications to SQL. We've used a variety of ways to do that, including home-grown and now Microsoft Enterprise Library Logging Application Block (LAB). Log4Net is also in the picture. We have LAB set to crank out files to a rolling file appender. So, pretty standard, each day, new file. The entries look like this currently: ----- Timestamp: 9/22/2009 4:50:04 PM Message: MPP LAB says the app is starting. Category: General Priority: -1 EventId: 1 Severity: Information Title: Machine: VDEVAPP2 Application Domain: /LM/W3SVC/1/ROOT-4-128981118015194687 Process Id: 2724 Process Name: c:\windows\system32\inetsrv\w3wp.exe Win32 Thread Id: 4052 Thread Name: Extended Properties: ----- Easy enough to have Splunk read these files, but obviously we want to have every line (Fieldname:value) parsed as fields in Splunk. A complete entry is bracketed by the ----- lines. How do I go about this? ... View more

When we build 2 Splunk indexing servers for High Availablity, 2 Splunk indexing servers may receive the same log data. While one of them is in maintenance phase, ONLY the other Splunk can get data. I'd like to restore missed data from another Splunk after the maintenace. Could you tell me what is the best way to do the above scenario? ... View more

When I configure a script in Splunk to run when an alert fires, how I can pass event arguments ( node name, message, etc) to the script? ... View more

We get an alert from sourcetype=ps as a result of running this save search: (authentication failure) OR (Account * too many attempts) OR (Failed password) startminutesago=5 We turned off the *nix app ps savedsearch but we still get the email. Here is the collapsed version of the alert: 9/2/09 2:01:55.000 PM ... 126 lines omitted ... nagios 7033 5 0.0 00:00:00 0.0 1216 54904 ? S 00:03 bash /usr/local/nagios/check_su_failures nagios 7038 3 75.3 00:00:02 0.0 400 49936 ? R 00:03 cat /var/log/messages nagios 7039 7 59.0 00:00:01 0.0 624 51096 ? R 00:03 grep authentication_failure nagios 7040 1 0.0 00:00:00 0.0 588 51096 ? S 00:03 grep root nagios 7041 5 0.0 00:00:00 0.0 572 51092 ? S 00:03 grep logapp-b ... View more

The username and password that I created when I registered to download the product doesn't seem to work. How do I login to the product? ... View more

Apparently enabling LWF turns off udp input. What are the step steps to enable it? ... View more

I do not see in any of the manuals or Help how to add host servers. You label the targets as Host on the main page but a search does not return anything applicable. ... View more

I just installed splunk on RedHat enterprise 5, and want to know how to monitor remote linux servers from RedHat server ... View more

I need to do the following on my forwarder: Forward all data received and gathered by the forwarder to Splunk indexer Replicate subset of the data, based on a source or sourcetype, to a 3rd party server Can someone share a basic configuration example? ... View more

When I've created a new index. how can I direct certain sourcetypes to be indexed in that new index, rather than into main? Likewise, is it possible to have one or more sourcetypes indexed into multiple indexes simultaneously? The use case for this would be if you had two roles who were allowed to see only indexA and indexB, respectively, but there were some small amount of data that each needed to see in common. ... View more

Is there an internal log message that will tell me when Splunk has finished indexing a file? ... View more