Splunk FreeBSD and OpenBSD v4.0 are completely different and incompatible, so it will not work. Now, OpenBSD might have some support for executing FreeBSD binaries via some compatibility layer that the you could probably deploy or add. However, such a configuration would be 100% untested and also not supported by Splunk. Therefore, you will either need to install Splunk on FreeBSD or try installing on another supported platforms as your best bet. ... View more

The HPUX download of Splunk should work on either version of the HPUX OS, both Itanium and PA-RISC based system. Perhaps the download page is misleading as there is only one download of Splunk for HPUX on either Itanium or PA_RISC, so we will clean up the Splunk download page to be more apparent in that regard. ... View more

Okay. and by time of day you mean the current time that the search is actually ran? ... View more

@gkanapathy - in this case he may have multiple events that need to be associated all at once with the corresponding ticket id. Wondering if, when using transaction command, the resulting metaevent has a unique _cd as well that can be linked (or enriched via the lookup to the ticketing db). Another idea could be to create a custom command that links the metaevent with the ticket id and writes final report result into summary index. ... View more

No. A server reboot is not required after you install Splunk or make config changes. However, you may need to restart the splunkd and splunkweb services for your changes to take. ... View more

Perfect! Thanks, Ledio. ... View more

Your description is somewhat vague to me, but I think I understand the overall gist of what you are wanting to do and I'm thinking you may want to take a look at a couple Splunk features (links provided below) to see if one of them works for you. As mentioned already (in the answer above) the first feature is called sub-search and is used when you want to search your data to get back some preliminary results that you intend to include (pass into) an outer search, essentially. See this page in our online doc on how sub-search feature works: http://www.splunk.com/base/Documentation/latest/User/HowSubsearchesWork The second feature is merely piping to a search command again to further filter down results obtained from a previous search (i.e. search for parent1 and child1 | search child1> 5 | ..... essentially applying one or more additional conditions AFTER your search results are returned. See this page for more details on the search command: http://www.splunk.com/base/Documentation/latest/SearchReference/Search A third feature you could try is using the stats command with a list function, such that you group your child1..n to your single parent1, like this maybe: some search terms here to get parent1 and child1...n | stats list(child) by parent See this page for detail on using stats command and the functions: http://www.splunk.com/base/Documentation/latest/SearchReference/Stats http://www.splunk.com/base/Documentation/latest/SearchReference/CommonStatsFunctions Finally, if all these options fail to get you what you want, you can always create your own custom command to process your search results the way you intend, similar to this: search to get parent1 and child1...n | mynewsearch | stats values(child) by parent See these links for details on creating your own custom search command: 1) http://www.splunk.com/base/Documentation/latest/SearchReference/Aboutcustomsearchcommands 2) http://www.splunk.com/base/Documentation/latest/SearchReference/WriteaPythonsearchcommand 3) http://www.splunk.com/base/Documentation/latest/SearchReference/Customsearchshape ... View more

For any one license, the smallest we can go is 100MB with increments thereof up to 900MB. ... View more

Please see this Splunk Wiki table for more details, or to add your own events and their sizes now: http://www.splunk.com/wiki/Community:CommonEventSizes ... View more

Take a look at this link on how to setup Splunk forwarders on the TripWire servers and then configure TripWire to exports it's events out to disk every hour so that Splunk can monitor and forwarder them up to your central Splunk receiver (indexer). http://www.splunk.com/wiki/Community:IndexTripwireLogs ... View more

That makes more sense. Thanks for the confirmation! ... View more

Got it to work, finally. I can NOW see the events after enabling local admin auditing as well as group auditing. (log into the domain controller -> administrative tools -> Domain Controller Security Settings and enable the auditing from there. ... View more