Hi, I build a Splunk Free instance for my personal usage, and I wanted to install Lookup Editor to manage my csv files. but this app seem not compatible with Splunk free version, I could enter into this app , but it shows nothing when I open the csv file. Do I miss nothing ? It that possible to use Lookup Editor on Splunk Free ? Lookup File Editor ... View more

Hi, I have done some test using small set of data in my lab. It looks like the time-based lookup work correct when the records in csv file are not order by time. But I am curious that if the lookup table is large ( about 1~2 GB ) , is it still working correct ? Anyone has the experience ? ... View more

Hi, The "nmon2csv" script will generate some information like below and index it as sourcetype="nmon_processing" : 07-06-2017 18:35:12 Reading NMON data: 519 lines 29929 bytes Splunk Root Directory ($SPLUNK_HOME): /opt/splunk addon type: /opt/splunk/etc/apps/TA-nmon addon version: 1.3.21 nmon2csv version: 1.1.34 Guest Operating System: linux Python version: 2.7.13 NMON VERSION: 16f .... etc I know this information is useful when trouble shooting.... But if I am sure the TA-nmon is working well ,could I turn it off ? or just drop this information ? Because nmon2csv script runs every minutes, and if I want to monitor 100+ hosts.... It will costs me a lot of splunk license for such log I don't need. ( And I also believe it will impact the index performance.. ) ... View more

I know that AIX v5.3 is not on the support list of NMON Performance Monitor for Unix and Linux Systems app. But I have a lot of AIX v5.3 servers needed monitoring, so I did a try... On my testing , the nmon process will not trigger by TA-nmon - Technical Addon for Nmon Performance Monitor because of the argument " -yoverwrite" The "topas_nmon" command in AIX v5.3 is not supported this argument. How could I modify the nmon arguments ( AIX_options ) in nmon.conf? Or does it means we can't use TA-mon on AIX v5.3 and earlier? ... View more

I installed TA-nmon v1.3 on our AIX ( v7.1) server. ( Use the "fifo" mechanism to get nmon performance data ) But I notices the data input is not running smoothly... there are a lot of line break when I draw a timechart. After searching the splunkd.log , I found a lot of Error message like this : "Error ExecProcessor - message from "/opt/splunkforwarder/etc/apps/TA-nmon/bin/fifo_consumer.sh" Month '-1' out of range 0..11 at /opt/splunkforwarder/etc/apps/TA-nmon/bin/nmon2csv.pl line 2765" It looks like the script "nmon2csv.pl" got error when parsing the time string. It happened irregularly, not always happens .... But I thinks the nmon data format is correct, because it not happened when I used the "old way" to got nmon performance data.. ... View more

Hi , I have a lot of dashboards and has scheduled it as "pdf delivery" for our audit purpose. But sometimes , the pdf report is not correct because of data forwarding was broken, or our lookup files is not correct at that time... So I needed to re-generate those pdf report for our auditor after I fixed the data problem. ( For example : Re-generate the daily access report ( each day ) for the last whole month .......... WoW . ) Is it possible to generate the pdf report by script and change the time range dynamically ? So I can let my report re-generateing job more automatically and easily .. Thanks. ... View more

Hi , For some reason , I must forward the Windows Event Log to our syslog server. I configured the indexer server as document described, and it works successfully : http://docs.splunk.com/Documentation/Splunk/6.5.1/Forwarding/Forwarddatatothird-partysystemsd ( The "Forward syslog data to a third-party host" part ) But I don't know how to parse the Windows Event Log that Splunk forwarded to me. The attached screenshot is the example log I opened with "Sublime" ( Text Editor ). It looks like Splunk converted the multi-line logs to single lines, and uses some special characters to format the log. Anyone familiar with this format? How to parse it? OR what does the character "NUL" exactly mean? and I notice there is a number ( usually 012 , 015 ) follow by this character , I guess they have special meanings ( like \t , \n ... or some control characters.) ... View more

Hi , Our splunk servers has high CPU usage problem after upgrading to Splunk v6.5 It could related to my previous question : https://answers.splunk.com/answers/475114/is-there-any-way-to-downgrade-from-65-to-63.html And I noticed the abnormal high cpu-usage process is "/opt/splunk/bin/splunkd instrument-resource-usage -p 8089 --with-kvstore" It is usually use more than 90% CPU all of the time... What is this process doing for ? How could I deal with this situation ? ... View more

Hi, I just have upgraded our splunk from v6.3 to v6.5.... But it seems this version of Splunk required more CPU power and Disk I/O than older version , our Splunk runs very slowly after upgrade... I am considering to downgrade Splunk to v6.3 , but unfortunately , I didn't backup our indexes files. ( And I can't , because there are 2TB of index data in our server....) It seems the data format of indexes files has been changed in this version , When I downgraded the splunk program to v6.3 , I found I lose the data that collect in these few days ( by splunk v6.5) ....... Any idea to downgrade Splunk safely ? ... View more

I built a dashboard which has two panels: a "table" on the top and follow a "map" The table has longitude / latitude fields and other detailed information. What I want to do is drilldown the longitude / latitude into the map and change the map center to the location of the selected data. Is that possible? I guess I should write some javascript code to get the tokens and then change the map center, but I don't know how to do that in detail... ... View more

Due to the question I posted before : http://answers.splunk.com/answers/291010/how-to-merge-a-multiline-event-correctly.html I have an idea that if the Splunk could monitor the files on a schedule (not always continuously monitoring the log), I could avoid the multiline event problem. Because our batch jobs will finish after AM 3:00, the logs will not grow after this time and the multiline event will group correctly. ... View more