I hit the same problem recently.  At the end I resolved the problem by using the -auth CLI parameter instead of inputing the password at the "Password:" prompt. ... View more

Thanks, I knew it would turn out to be something simple I was missing ... View more

I'm using Chrome in Win7 and Ctrl-Clicking elements of search results doesn't open a new tab, nor does shift-clicking open a new window. These mechanisms do work as expected outside of splunk. ... View more

Agreed. I think this is probably the only option. I would suggest that if you are going to sum up the bytes, you may as well also store a count of the events; to give you values more comparable to the builtin metrics. You could do something like: | stats eval(round(sum(size)/1024,2)) as total_kb, count as events you could from there calculate average rates too since you know the time span. ... View more

In order to receive RFC3164-compliant syslog output from Splunk (and namely, to include a time stamp in the sent event), you need to make sure to adequately set the timestampformat configuration key in the [syslog: ] stanza in outputs.conf, as per outputs.conf.spec: timestampformat = <format> * If specified, the formatted timestamps are added to the start of events forwarded to syslog. * As above, this logic is only applied when the data is not syslog, or the syslogSourceType. * The format is a strftime-style timestamp formatting string. This is the same implementation used in the 'eval' search command, splunk logging, and other places in splunkd. * For example: %b %e %H:%M:%S * %b - Abbreviated month name (Jan, Feb, ...) * %e - Day of month * %H - Hour * %M - Minute * %s - Second * For a more exhaustive list of the formatting specifiers, refer to the online documentation. * Note that the string is not quoted. * Defaults to unset, which means that no timestamp will be inserted into the front of events. Test configuration (tested with Splunk 4.3 only😞 outputs.conf: [syslog:syslog_out] server = syslog.splunk.com:514 type = tcp timestampformat = %b %e %H:%M:%S props.conf: [syslog_test] TRANSFORMS-routing = syslog_routing transforms.conf: [syslog_routing] REGEX = . DEST_KEY = _SYSLOG_ROUTING FORMAT = syslog_out With this configuration, all events with sourcetype "syslog_test" will be routed to syslog host "syslog.splunk.com" on port TCP/514. The default priority code of "13" will be used, which is equivalent to "user.info", and a time stamp will be added as a prefix. Example: On the server hosting the Splunk instance: [root@beefysup01 43]# cat ../sources/test.log This is a sample syslog event [root@beefysup01 43]# $SPLUNK_HOME/bin/splunk add oneshot ../sources/test.log -sourcetype syslog_test Oneshot '/home/octavio/sources/test.log' added On the server recipient of the syslog forwarded messages, using netcat to receive the events: [root@syslog.splunk.com:/]# nc -kl 514 <13>Jan 25 19:52:07 beefysup01 This is a sample syslog event Note: I was unable to make this configuration work in versions earlier to Splunk 4.3. There are reports that this specific feature can fail in certain scenarios in 4.2.x. If you need this feature to work, please upgrade to Splunk 4.3. ... View more

Eventcreate sounds like what you might be looking for: More on eventcreate - yes, it's the XP docs, but it 100% works in 2003. ... View more

You'd mentioned that you have "a file with copies of [your] Windows Logs." Can't you just import that file to the new Splunk instance to test your white/black-lists? If you made a mistake you can use the "Splunk stop; splunk clean eventdata; splunk start" combination to re-index and re-test the same log file. Since this is on a separate server, you can do stop/clean/start combination as many times as you want until you have perfected the white/black list. ... View more

Found the sid as the last element in the url while the search was loaded/started. ... View more

oh, sure enough. I've never noticed that before. ... View more

Thanks for your quick help. I tried using fields, but when I did "fields - _raw, _time" I wound up with other fields that hadn't previously been in the email (e.g. index, process, source etc). ... View more

The transaction approach can work, but don't use maxpause=1s , use maxspan=1s instead. The difference being that maxpause is about time between events, and maxspan=1s means that the total duration of the transaction cannot exceed 1 second. ... View more

If, as pdevlin guesses, you have one lookup attached to the host, and one lookup attached to the sourcetype, then the intersection of these will only perform ONE of these two lookups. That is: data that matches the host will get the host lookup. data that matches the sourcetype will get the sourcetype lookup data that matches both will only get the host lookup This is by design. When you name your lookup "LOOKUP-table" you're essentially saying that this is the lookup which achieves some purpose or action described by "table". When you define it differently in different stanzas, this means that you wish the lookup to operate differently in different cases. Typically this is when you want the lookup to happen one way for most data (a default) but for some app, or some data source, etc you want to override how this is handled. In your case, these lookups achieve different goals. One seems to be intended to determine something about logs per day, while the other seems to be something about location. You might want: [host::machine_name] LOOKUP-logsperday = logs_per_day host OUTPUTNEW average_logs AS logs_per_day [sendmail] LOOKUP-location = location host OUTPUTNEW building AS location Now you have two different settings which are not intended to collide. You know more about what these lookups do, so you can probably give them more descriptive class names. ... View more

Have you tried using the charting view instead of the default flashtimeline search view?This might give you what you are looking for. I liked how you could temporarily change your shown fields using the fields command in Splunk 3.x, but it didn't seem possible in Splunk 4, at least until I discovered this trick... You can get to the "Advanced Charting" view from the menu or tack by tacking "charting" to the URL path. Once your in the Advanced Charting view, you can minimize the Chart and formatting areas, and to focus on the results area. Then you can tack on your fields command to your search (something like | fields + field1 field2 ... ). And now you should only see your fields in the "Events Table" results. So you can see only the fields you want, and in the order that you defined. (Unfortunately, it doesn't work for the fields shown in the "Events List" results pane, which is a pain.) ... View more

Thats a good point. I've updated the post to add a disclaimer. I certainly did not intend to present this as a reusable solution; I was simply pointing out a starting point that leverages the indexing metrics. Hopefully the post is clearer about that now. ... View more

There's also something I noticed if you're performing the search on SplunkWEB, the search tends to become slow when you're searching regex from raw log files, than searching indexed fields. ... View more

In splunk 6, "Jobs" is under the "Activity" heading. ... View more