http://docs.splunk.com/Documentation/Splunk/6.0.1/Installation/InstallonMacOS Command line install directions are incomplete and incorrect. hdid splunk_package_name.dmg installer -pkg splunk.pkg -target / Should be: hdid splunk_package_name.dmg cd /Volumes/SplunkForwarder\ 6.0.1/ installer -pkg .payload/Splunk\ Universal\ Forwarder.pkg -target / Tested this on Mavericks 10.9.1 It might also be good to mention you need root or to execute all commands with sudo. But it notifies you of that fairly quickly. ... View more

I see that 5.0.3 was released. Was SPL-58292 resolved? Am I supposed to infer that by virtue of it not being listed in the known issues? Usually when new versions of software are released they say what they fixed. I think Splunk should do the same with their release notes. This bug was particularly nasty as it looked like an upgrade from 4.3 to 5.0.2 worked then later broke everything. ... View more

Are there any recommendations for settings on the vmware indexes? Extra storage isn't a big deal but app performance is. Additionally as as our cluster changes and grows, I don't want old virtual machines and hosts information hanging around forever. The changes I made to the vmware index was an attempt to remove an old vcenter server with a different name from populating the drop-downs along with an old datastore names. 1 Cluster 5 Hosts 300 VMs Current: [vmware] maxTotalDataSizeMB = 30000 coldPath = $SPLUNK_DB/vmware/colddb homePath = $SPLUNK_DB/vmware/db thawedPath = $SPLUNK_DB/vmware/thaweddb frozenTimePeriodInSecs = 7776000 [summary_vmware] homePath = $SPLUNK_DB/summary_vmware/db coldPath = $SPLUNK_DB/summary_vmware/colddb thawedPath = $SPLUNK_DB/summary_vmware/thaweddb ... View more

This plus the rest of the script work as expected !/usr/bin/env python import splunk.Intersplunk I need to use the pgdb module so: !/usr/bin/env python import splunk.Intersplunk import pgdb Returns errorcode 1 I tried puttying pgdb in the same folder [root@splunk2 bin]# ls -lah pgdb.py -rwxr--r-- 1 splunk splunk 11K Aug 15 12:10 pgdb.py [root@splunk2 bin]# ls -lah customcommand.py -rwxr--r-- 1 splunk splunk 11K Aug 15 12:10 customcommand.py I also tried: `import sys import splunk.Intersplunk sys.path.append("/usr/lib64/python2.4/site-packages/") import pgdb' Any ideas on what I need to put in my script to use the pgdb module? ... View more

957978 11:23:33 (INTEL) IN: "IFBFE4F44" user@hostlx8.domain $ 957979 11:24:07 (MLM) IN: "MATLAB" user@hostlx1.domain $ 957980 11:24:07 (MLM) IN: "Statistics_Toolbox" user@hostx1.domain $ 957981 11:24:17 (MLM) DENIED: "MATLAB" user@hostx1.domain (User/host on EXCLUDE list for feature. (-38,348))$ 957982 11:24:17 (MLM) OUT: "MATLAB" user@hostx1.domain $ 957983 11:27:05 (MLM) DENIED: "Statistics_Toolbox" user@hostx1.domain (User/host on EXCLUDE list for feature. (-38,348))$ 957984 11:27:05 (MLM) OUT: "Statistics_Toolbox" user@hostx1.domain $ 957985 11:27:14 (INTEL) OUT: "IFBFE4F44" user@hostlx36.domain $ 957986 11:27:14 (INTEL) OUT: "FCompL" user@hostlx36.domain $ 957987 11:27:14 (INTEL) IN: "FCompL" user@hostlx36.domain $ 957988 11:27:14 (INTEL) IN: "IFBFE4F44" user@hostlx36.domain $ Using the list mode of vim to display hidden characters hence the $. :set list /splunk/etc/system/local/props.conf [license-logs] SHOULD_LINEMERGE = false LINE_BREAKER = (\n) (We also tried, (\s*\n) ) Results in events in splunk being indexed as: 957978 11:23:33 (INTEL) IN: "IFBFE4F44" user@hostlx8.domain $ 957979 11:24:07 (MLM) IN: "MATLAB" user@hostlx1.domain $ 957980 11:24:07 (MLM) IN: "Statistics_Toolbox" user@hostx1.domain $ 957981 11:24:17 (MLM) DENIED: "MATLAB" user@hostx1.domain (User/host on EXCLUDE list for feature. (-38,348))$ 957982 11:24:17 (MLM) OUT: "MATLAB" user@hostx1.domain $ 957983 11:27:05 (MLM) DENIED: "Statistics_Toolbox" user@hostx1.domain (User/host on EXCLUDE list for feature. (-38,348))$ 957984 11:27:05 (MLM) OUT: "Statistics_Toolbox" user@hostx1.domain $ 957985 11:27:14 (INTEL) OUT: "IFBFE4F44" user@hostlx36.domain $ 957986 11:27:14 (INTEL) OUT: "FCompL" user@hostlx36.domain $ 957987 11:27:14 (INTEL) IN: "FCompL" user@hostlx36.domain $ 957988 11:27:14 (INTEL) IN: "IFBFE4F44" user@hostlx36.domain $ EDIT:The events are being grouped on timestamp. I want each line to always be its own event. EDIT2: As suggested I put LINE_BREAKER = ([\r\n]+) this still didn't put each line in its own event. Splunk was restarted ... View more

index=os source=df host=host1 | multikv | rex mode=sed "s/%//" | search Filesystem="/dev/mapper/host1.work" | delta UsePct | table * Without looking at the table it appears the rex command worked. However, no values are shown for the field delta(UsePct) and the '%' remains in the table output index=os source=df host=host1 | multikv | rex mode=sed field=UsePct "s/%//" | search Filesystem="/dev/mapper/host1.work" | delta UsePct | table * Values are shown for the field delta(UsePct). No percent remains in the output. It just seems odd to me that I need to specify the field option for the rex command to get the delta command to actually get a non % based number. ... View more

I was wondering what happens to data from scripts and logs if and when a machine is either so heavily loaded it can't get enough cycles to run the process or machine lost network connectivity. We are HPC shop, and our machine will sometime become unresponsive when running high load jobs. Will log data just que up somewhere and get sent to the index eventually? ... View more

Hello fellow Splunkers! ipc=ipc1-r6c10 Intake-Temperature=70 Exhaust-Temperature=82 Humidity=44% Amps=6 Voltage=351 Watts=2106 ipc=ipc1-r6c11 Intake-Temperature=64 Exhaust-Temperature=81 Humidity=55% Amps=14 Voltage=349 Watts=4886 ipc=ipc1-r6c4 Not responding Given the preceding with many more ipc(power controllers) each as it own event, how do I generate the total Wattage across all IPC's for a given polling period? The script that generates these events runs every 10 minutes. So far I have figured out how to group the events for a given polling period as one event with transactions: index="datacenter-stats" | transaction maxspan=350s Now I want to sum Watts for each event in its own column; However, when I try to add up the Watts totals the resulting table always has nothing in the TotalPower column. index="datacenter-stats" | transaction maxspan=350s | addtotals fieldname=TotalPower Watts | table * Interestingly If I change the maxspan value to something like 10s which combines the source events into some events with a few lines each, the events with one value in the Watts column are displaying the correct TotalPower. This isn't all that useful because it only gets me the one power controller total which I already have. index="datacenter-stats" | transaction maxspan=10s | addtotals fieldname=TotalPower Watts | table * Screen Shot In summary, How do I sum the value of fields in one event into a new field within that same event or another event, such that I eventually can then graph that fields change over time. ... View more