Try dynamic drill-down based dashboard. ... View more

Facing the same error message. Env details: Win2008R2/SP1, Splunk 6.2.3, DB_Connect v1, SQL Server 2008R2 Express, Java v8 u45, Java Bridge is 'running'. Path in DBX auto-detected. Attempting connection to locally installed McAfee ePO Server. Splunk running as local admin user, SQL Server service configured for Windows Authentication running on port 1433. ... View more

Here is what I use while installing Splunk 6.2.2 on Mac OS X (Yosemite 10.10.2): #mvohra: tar -zxf ~/Downloads/splunk-6.2.2-255606-darwin-64.tgz -C ~/Applications; ~/Applications/splunk/bin/./splunk start --accept-license --auto-ports --no-prompt --answer-yes Do share your experience so others reading this post can benefit. Mitesh. ... View more

Here is the link to Splunk Doc dedicated to the topic: http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/Routeandfilterdatad . HF does not demand super-dome compute power and hence, it makes more sense to have a dedicated HF to filter data and give more headroom to the Indexer for its core function. ... View more

Splunk Enterprise 4.2.2 has reached EOL on Oct'2013. However, here is the link to getting data in using Splunk 4.2.2 : http://docs.splunk.com/Documentation/Splunk/4.2.2/Data/WhatSplunkcanmonitor . Splunk App for VMware, being a premium app, will need at least Splunk Enterprise 6.0.6 or later version. Here is the link to know platform and hardware requirements: http://docs.splunk.com/Documentation/VMW/3.1.4/Installation/Platformandhardwarerequirements . Hope this helps. Mitesh. ... View more

If every XML file is a single event, you may try this props settings: LINE_BREAKER = (?!) SHOULD_LINEMERGE = false #BREAK_ONLY_BEFORE = <OrderForm> DATETIME_CONFIG = NONE LEARN_MODEL = false #MAX_EVENTS = 200000 TRUNCATE = 0 Let us know what worked for you. Mitesh. ... View more

Here is the list of links for easy access: The main AWS app https://apps.splunk.com/app/1274/#/documentation Link for configuring AWS Services for the App & Add-On to work http://docs.splunk.com/Documentation/AddOns/latest/AWS/ConfigureAWS AWS Permissions required to be set http://docs.splunk.com/Documentation/AddOns/latest/AWS/ConfigureAWSpermissions Configuring inputs for the Add-On http://docs.splunk.com/Documentation/AddOns/latest/AWS/ConfigureInputs Hope this helps. Mitesh. ... View more

The list of prerequisites on Splunk Docs for OPSEC LEA http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/Systemrequirements also mentions the list of support Check Point products and versions. ... View more

Splunk Enterprise 6.2.x would also give you details in the "Distributed Management Console". I call it a mini-S.o.S app embedded as part of the default package (though the actual S.o.S. app https://apps.splunk.com/app/748/ does much more). All the best for the new role and Happy Splunking !! Rgds, Mitesh. PS: Let us know how your experience as a Splunk Admin has been. ... View more

This is something what I am currently using for working on sample data in CSV format and is working great for the demo setup. [monitor://<path to csv>/*.csv] sourcetype = csv KV_MODE = csv index = name_your_index disabled = false crcSalt = <SOURCE> Would appreciate your feedback what worked for you. Regards, Mitesh. ... View more

Try this regular expression: (?!(http|https)(:\/\/))+([\w]+.){1}([\w]+.?)+ Will be happy to hear back if it worked or not. Mitesh. ... View more

Is there a way to "fieldformat" 'commas' in UK format (##,##,###) instead of US format (###,###,###)? ... View more

Splunk binary can be used to convert the instance into to Splunk Light Forwarder or Splunk Heavy Forwarder. Both these roles are different than Splunk Universal Forwarder. After installation of the instance, enabling any of the LF or SplkFwdr app, turns off the WebUI and converts the instance in to the role defined within these Apps. On the other hand, "sample_app" is used to create custom apps. While creating a custom app, Splunk UI Wizard prompts to select "barebones" or "sample_app" to choose from. Will dig more for 'legacy' app and update the post again. - Mitesh Vohra. ... View more

It will be better to clean the _thefishbucket also to reindex the same data again. ... View more

I guess, you are referring to Splunk's .conf2013 app. It seems to be meant for the annual event named ".conf2013" held last year and made available for registered participants and Splunk employees. ... View more

Yes. Here is the link for more details: http://www.splunk.com/view/SP-CAAAE8W ... View more

First 60-days of trial is not restricted of any functionality and hence should not be any different than an Enterprise commercial license during the trial period. Certain features get disabled after the 60-day trial period is over. ... View more

What is the arch of OS (32-bit or 64-bit)? This is to ensure you are using the right binary to install. What is the version of browser (IE/FF/Chrome)? This link might help (http://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements#Supported_browsers). Mitesh. ... View more

Using "checkMethod" and "initCrcLength" is better than using "crcSalt". Be cautious about using attribute with rolling log files; it could lead to the log file being re-indexed after it has rolled over and in turn, consume your indexing license as well. ... View more

Have had a chance to read through the App Documentation on http://apps.splunk.com/app/525/#app-resources? ... View more

Add "CHECK_METHOD = entire_md5" to props.conf file and retry. Splunk, by default, check the first and last 256 bytes of the file. When it's finds matches, Splunk lists the file as already indexed and indexes only new data, or ignores it if there is no new data. http://docs.splunk.com/Documentation/Splunk/6.0.2/admin/Propsconf ... View more

Are you using the right build for your OS? I mean, 32-bit vs 64-bit binaries of Splunk. Just a thought, since many people miss that out. ... View more

Yes. You can add apps to Free version of Splunk. ... View more

No firewall, SearchHead, Indexer and UF all three on different Ubuntu Linux (64-bit) boxes. ... View more