Hi, How do you display the earliest and latest dates of the searches in a dashboard that is later rendered into a PDF report? This report gets mailed out once a week and with no earliest and latest dates it is pretty tough to keep track of them. Thank you Joon ... View more

The 5.0 release documentation states that fschange is deprecated. We use this extensively for configuration change detection. Does anyone know of how to get the same functionality as fschange on Linux and Windows? Thx ... View more

Hi, I have a problem where batch input will not index files that was locked when Splunk first tried to index the file. The splunkd.log shows the following entries: 02-20-2012 21:15:43.145 +0200 WARN TailingProcessor - Will retry file='c:\data\data_20120220211543083.log' in 10000ms due to: The process cannot access the file because it is being used by another process. 02-20-2012 21:15:53.005 +0200 ERROR TailingProcessor - Ignoring path due to: failed to open for checksum: 'c:\data\data_20120220211543083.log' (The process cannot access the file because it is being used by another process.) The file remains in the directory even after it is no longer locked and no further entries are found in splunkd.log for the file 12 hours after the initial entries. Other files that are not locked get indexed and deleted. How can I get Splunk to index the previously locked files? inputs.conf [batch://c:\data] sourcetype=AuditData move_policy = sinkhole crcSalt = System: Windows 2008 R2 64-bit, Splunk 4.2.4 Thx Joon ... View more

Hi, In my cold to frozen script I copy the bucket to another server. The second server is used to access the older entries for forensic investigation. The buckets are copied from cold on the main server to cold on the secondary server. In order for Splunk to see the new buckets I need restart Splunk. Needless to say that this is less than optimal. Is there a REST API command that I can issue that will instruct Splunkd on the secondary server to load the new bucket? Thx Joon ... View more

This error keeps repeating in the error logs, but I have no idea what is causing it. 02-15-2011 14:55:31.161 ERROR TcpInputProc - Received unexpected 68021378 byte message! from hostname=tchuxxx.xxxx.com, ip=10.xx.xx.xx, port=50563 Is this related to the size of the message? Thx ... View more

I received the following errors when running the diag command on a SunOS 5.10 server: root@bunny # ./splunk version Splunk 4.1.3 (build 80534) root@bunny # root@bunny # ./splunk diag sh: btool: not found WARNING: couldn't find "mgmtHostPort" setting in web bundle! sh: btool: not found couldn't run "/opt/splunk/bin/python": No such file or directory root@bunny # Any hints would be much appreciated. ... View more

Is it possible to redirect the outputcsv so that the csv file get returned to the browers so that the brower will offer a “file save as dialog” and the user can save the result to the location he desires? The user that needs the results in csv format does not have access to the Splunk server and does not want to call the administrator every time he needs the information. Thx Joon ... View more

I am using fschange to monitor some gziped files. When the full event is loaded it is index as binary gzip and not ASCII. Is there a way to indexes the files as ASCII? Unfortunately the files are only in gzip and we cannot use monitor. ... View more

Hi, I am trying to determine the impact of using fschange on a large number of files. Does Splunk check the time stamp of each and every file in the subdirectory with every poll interval or does Splunk register callback functions with the OS for changes to the directory or files? thx Joon ... View more