Hello, I would like to try using Splunk to calculate the difference in numbers from one sample to the next. Here is some theoretical log entries. The data indexed will look like this: yesterday_timeStamp clusterId=abc, topicName=mytopic, partition=0, lastOffset=100 yesterday_timeStamp clusterId=abc, topicName=mytopic, partition=1, lastOffset=200 today_timeStamp clusterId=abc, topicName=mytopic, partition=0, lastOffset=355 today_timeStamp clusterId=abc, topicName=mytopic, partition=1, lastOffset=401 The number of events in the last 24 hours would be partition 0(355-200=155), partition 1(401-200=201) Sum of partitions for topic(mytopic) = 155+201=356 There will be many topicName(s) and possible different numbers of partition(s) per topicName. Can I use splunk to calculate the numbers of events per partition and topic  since yesterday? ... View more

Hello, As most large companies do these days, I've been placed on a naughty list for my lab instance of Splunk, running on winServer. I've tracked it down to the mgmtHostPort. How do I secure that port to use SSL/TLS? FYI, my web interface is secured and using port 8000, it's this darn internal mgmt port. Per the doc, I disable it via service.conf, Splunk basically is not usable for searching. ... View more

Hello, I currently have alerts based on the count of services performed in the last hour. We see that < 40 indicates an issue we need to address, so I constructed a simple alert, run every hour and sends a page to support when results are less than 40. If the count of results form (sourcetype=services History Service) < 40 per hour, alert: index=stats (sourcetype=services History Service) OR (sourcetype=logs_sl "org.apache.coyote.AbstractProtocol start") But if the server restarts, the alert condition is usually met and we get alerted which we do not want because the server restarted likely explains the lack of results. So I want to construct a search that meets the conditions if History < 40 and no server restart, then alert (could be stated, if the server restarted, do not alert) sourcetype=services History Service < 40 AND sourcetype=logs_sl "org.apache.coyote.AbstractProtocol start" = 0 ^ This is the restart statement I feel like I'm overthinking this, but how do I construct a search from 2 sources, that have a conditional test like this, which can be used as an alert? ... View more

Hello, I use HTML panels to provide simple navigation to commonly used reports, dashboards and views. None of my links to reports are working after migrating from v6.2.0 to v6.2.2. This is a snippet of what I use. <li> <p>This is a link to a report <a href="@go?s=$MY Log Search" target="_blank">Search my Log</a> </p> </li> The report "$MY Log Search" is fine, the report is listed in reports and I can open it. Clicking in the link in 6.2.2. returns "The view you requested could not be found." I still have 6.2.0 in my prod system. I can see the URL's are different. The resulting URL for the working system ends in /search?s=%MY%20Log%20Search After upgrading to 6.2.2 I the URL ends in /@go?s=QMGR%20Log%20Search I don't really know CSS nor HTML, this is just something I located ages ago and I can't locate a good reference. Did 6.2.2 close a loophole, or is something broken by 6.2.2? Can someone point me to doc on how I should refer to a report via HTML panels? ... View more