Hi all, This morning, after some verification, I found some errors in my search headwith my SIP phones. I have 150 polycom phone. They send their syslog to Universal Forwarders. Config file is: [udp://172.16.72.70:514] source = sip_syslog sourcetype = polycom:siplab connection_host = none acceptFrom = 172.16.72.70 disabled = false index = ti-telephone I think it is correc,t but I found lots of errors like: Sep 1 14:47:13 172.16.86.70 Sep 1 10:47:21 172.16.86.70 0901104721|sys |*|03|0x9581bea0 (tPktProSys): memPartAlloc: block too big - 21848 in partition 0x94b6feec. date_hour = 14 date_mday = 1 date_minute = 47 date_month = september date_second = 13 date_wday = tuesday date_year = 2015 date_zone = local host = UniversalFowarders index = ti-telephone linecount = 1 punct = ___::_...____::_..._|__|*||_():_:____-____. source = sip_syslog sourcetype = polycom:sip splunk_server = IndexServer splunk_server_group = dmc_group_indexer timeendpos = 16 timestartpos = 0 unix_category = all_hosts unix_group = default All other equipment (257) is working fine except the new phones recently added. Do you have an idea of this error? Thank you a lot Best regards Rene R. ... View more

Hi all, I would like to know.... I have a functional index named "phone" I have 120 IP (with no host) defined in inputs.conf on Universal Forwarders with index=phone. Example: [udp://aaa.bbb.ccc.ddd:514] source = sip_syslog sourcetype = phone:siplab connection_host = none acceptFrom = aaa.bbb.ccc.ddd disabled = false index = phone I find data with search on the search head with index=phone and my index on the server grows (so it's functional), but when I run this command (Highest-usage indexes), I don't have my Phone index. Why? See my query: index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | stats sum(GB) as total by series date_mday | sort total | fields + date_mday,series,total | reverse However, with this query, I see my index: index=_internal source=license_usage.log type=Usage | stats sum(b) by idx | sort sum(b) |reverse I don't know why I don't have my index with the first query (made by Splunk)? I would like just 1 report with ALL index for one day (first query). Do you have an idea? Thanks in advance Best Regards Rene R. ... View more

Hi, I have not been able to find a good query with all my trying.... I need help please! Can anyone tell how I can: I would like to get a query that would give me the disk space since December 1, 2014 for each month until today (to see the progression). Splunk has sent me alert each day (email) about the status of our indexes (view and control our licenses). I use the same alert with these values "-198d@d to now" and it doesn't work, I only view 1 month of data and I don't know why. Here is my normal query: index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | stats sum(GB) as total by series date_mday | sort total | fields + date_mday,series,total | reverse I'm looking for the same query (or similar) for: - all space - all the indexes - all data entries ==> number of entry since December 1, 2014 until today for each month. Is it possible? Do you have an query idea? Thank you Regards ... View more

Hi, (Sorry for my English, I'm French) I send my logs via syslog on port 514 or 40514 and I have a problem with this new system. I send 10 tests (logger) and I receive only 9. If I send 5, I receive 4. If I send 19, I receive 18 (always missing the last one on this new system). When I use TCPDump, to see what is send and I have always 10 if test is 10, 5 is test is 5..... All my log is send but in the Splunk Search engine, I miss the last? I dont know why, its very strange.... I get more than 50 systems and the problem is only on this new system. It's the same system for another question here: http://answers.splunk.com/answers/230364/french-syslog.html (I have 2 UF with VIP, 1 indexer, 1 search engine and 1 for management) What you thought? Are there other tests that I could do? Do you have a track for help me to try to correct this problem? Thank you ... View more

Hi, (Sorry for my English, I'm French) I have new systems that send Syslog to Splunk UniversalFowarder via 40514 port. The UF listen and I receive Syslog (its ok). When I test (logger) and check configuration of all systems, we have LANG=en_CA.UTF8. My Charset parameter is set to AUTO and I dont understand why the systems replaces characters by .... see exemple. Example: root@SERVERX:/etc/rsyslog.d# logger -plocal0.info "Test logger 61" root@SERVERX:/etc/rsyslog.d# logger -plocal0.info "Test logger 62 with accent è é à" Apr 17 16:15:08 10.62.1.140 Apr 17 16:15:08 SERVERX root: Test logger 62 with accent \xE8 \xE9 \xE0 date_hour = 16 date_mday = 17 date_minute = 15 date_month = april date_second = 8 date_wday = friday date_year = 2015 date_zone = local host = 192.168.80.210 index = IndexLav linecount = 1 punct = ::_...:::______\ source = udp:40514 sourcetype = udp:40514 splunk_server = SERVERY splunk_server_group = dmc_group_indexer timeendpos = 16 timestartpos = 0 unix_category = all_hosts unix_group = default Anyone know how to fix this? Thank you in advance. ... View more