Not really trivial question, but I can't see a simple answer. I had a 4.3 just collect logs and didn't realize (since I just got the setup working), but regardless traffic grew and it tripped the 500MB 5 times and the person using it didn't need it until a few weeks alter. With that, I cut the server logging in 1/2 and put things back so the daily is around 200M. I still get the same error while searching and wondering how to just say "hey things are fine now". The errors were mid Dec 2012 and this fix has been in place a week or two now. I also upgraded to version 5 thinking that may help but still nothing. I have a few custom searches, dashboards, etc. what is the easiest way to get this back working. Tnx ... View more

We had a hard drive failure on a development server but I didn't know people were actually using it pretty hard. One of the developers did some dashboards, scripts, etc. which I didn't know but my question is we have a data recovery service get us the data, but is the resotre as simple as copying over the opt folder, or is there something simple that needs to be done? As long as they verify the /opt/splunk folder is good, should I proceed with the restore? Thanks ... View more

Just got the splunk pdf guide, moved it to the iPad for some weekend reading, still trying to understand how | separates what, hopefully that will help but I will say it's so confusing, really need to grasp this as the requests from people are coming in all over. So, I have users hitting our site via an API. The API has 4 different tokens so I know which application was used (website, iphone, etc.). I would like to know in the past x time each person and the # of times they hit each one, for example; username - website - iphone - android - website2 usera 0 2 0 5 Now, my query currently looks like this; memberLevel="1" AND ApiKey = "123" OR ApiKey = "456" OR ApiKey = "789" OR ApiKey = "000" | top username limit="100" application and the results look like this; username - application - count - percentage usera web2 2132 51.232132 application is a lookup to the apikey field so they see web2 instead of 000, but i am trying to basically count BY application and username. Any help on this is appreciated. ************************************************ Updated Comments due to limited reply size ******************************************************** the results is what's not working. The OP showed both what I wanted vs the output. The application has a unique API key by type. I would like to know each user and count each way he accesses the site. So I could get username Joe, then 3 logins by a website, 10 by an iphone. The query provided shows one field application with what I would guess was the last one as opposed to counting each one. I have a separate query that gives me what I want (broken out) but total by day, not by user but maybe the better example. memberLevel="1" AND (ApiKey = "123" OR ApiKey = "456" OR ApiKey = "789" OR ApiKey = "000") | timechart span=1d count BY application. That output looks like; _time -- web1 -- iphone -- android -- web2 date -- 1200 -- 800 -- 982 -- 430 I can look at that and say ok, most people came from web1. Now I want to remove the date, and just say for the last 7 day's, tell me the top users of the site, broken out; username -- web1 -- iphone -- android -- web2 joe -- 200 -- 5 -- 0 -- 0 sam -- 110 -- 0 -- 5 -- 0 Does it make more sense when I explain it like that? ... View more

Same as some others trying to grasp my understanding on how the language works. Well I have a bunch of data based on specific points. I want the user to enter a number, have it return the following; the member of the user that hit it (grouped by this) along with the apikey, nothing else right now. I have my form that prompts for an ID, when hit, I get ALL the data, but nothing grouped, and I did try a bunch of ways; here is the form; <form> <label>Unique Users by Spot</label> <searchTemplate> member !=-1 AND (ApiKey="123" OR ApiKey="456" OR ApiKey="789" OR ApiKey="abc") spotId=$Spot Id$ | fields memberId ApiKey </searchTemplate> <fieldset> <input type="text" token="Spot Id" /> <input type="time" /> </fieldset> <row> <table> <option name="showpager">false</option> <option name="count">50</option> </table> </row> </form> Sample results is; 1 8/6/12 9:55:00.826 PM 229424 abc 2 8/5/12 7:30:51.661 PM 273755 123 3 8/5/12 3:44:17.216 PM 229424 abc the _raw is also displayed, but row's 1 and 3 are the same user (229424) so I would like to group on that. Tnx ... View more

I had a crash the past day so I am setting up a watchdog, but I have splunk monitoring 2 directories. I confirmed the files are there (they get copied hourly), but when I search, say past 7 day's, there not there. I am trying to learn as I go, Index overview looks fine; main 129447925 splunk2 16308102022 Index health shows just one box warm-5 (I am not sure on this, but there are no events near this weeks date) Index Volume last 24 hours shows no results found, past week shows 536M, but from my memory, the free version is 500 per day so I don't think that is an issue either. There is some data from today once I restarted, but I am not sure is there something that runs at night that will fill in the missing), or another way to tell splunk, hey', there are files you didn't index here. The fact that the past 24 hours shows no results is the disturbing part also. So any help on that is appreciated, I am getting back into the app so looking forward to more intelligent questions soon! ... View more