I have a JSON feed that I would like to get into Splunk. It is not in a file, however. It is on a web server. Is it possible to set up Splunk to read a JSON feed from a URL, say every minute? ... View more

I am trying to do a db connect input bu the max rows that it will take is 1000000. My query is going to return more than that. Is there a way to up the max rows, or to just tell it to take whatever is returned by the query? ... View more

I'm trying to write an efficient search to find out the distinct days of events that I have in an index. Basically, I want to be able to see if I am missing data for any days. I could pipe the date in mm/dd/yyyy format to a table and then use dedup, but that is SLOW and my hunch is there is a better and faster way to do it. ... View more

So, the title says it all. I was looking in the db connect documentation and didn't see anything that answered this question. My hunch would be no as the data is not indexed, but I just thought I would ask those a bit wiser than me in Splunk. ... View more

What happens during indexing if my data were to have key value pairs where the key is the same as one of the default Splunk fields? For instance, say my data looked like this... _time="2014-01-09 12:15:15" host="myhost" source="mysource" sourcetype="mysourcetype" etc... ... View more

My data is already coming into splunk lat/lon encoded. I don't need to do any ip geo lookup or anything like that. Each event has a latitude and longitude field. I want to plot each event onto a map. I don't want to group them or do any fancy aggregation. I just pwant oints plottted to a map or maybe possibly a heat map. Is this possible? ... View more

We currently have a scripted input into Splunk that is a CSV and we are doing field extractions via regex. This is not super flexible as we want to add fields to the input, but if we change the regex it will work for the new data, but not the historical data. So, instead we want to change our input to be key/value pairs (key="value"). CSV is lean, but inflexible. The key value pairs are more robust, but obviously not very lean. Honestly, we don't care about disk space ... space is cheap. The question is will this affect our daily index license if the keys have the same names as the previous field extractions. Basically, is it file size, or the amount of data that is actually indexed (are these the same thing) that goes toward the daily license? Thanks. ... View more

I'm trying to write a report that will show me the 1 minute time spans from the last two days where a specific machine had a average CPU utilization (the field is called Value) of 75 or higher. This is what I have so far, but I'm having trouble finishing it. Thanks in advance for any help. index="perfmon" host="mymachine" collection="CPU Load" counter="% Processor Time" earliest="-2d@d" ... View more

I know that I ca get the event time using "_time". Does Splunk keep track of the time the event was loaded into Splunk in a field? We have some duplicate data that was loaded for a day, but it was loaded on a different day than the original day. So, if I were able to do a search like below I could easily find the duplicate values and remove them. index="epicdata" earliest="07/03/2013:00:00:00" latest="07/04/2013:00:00:00" load_time>="07/04/2013:00:00:00" | delete Update: Here is what I did ... worked great! Basically, I got all of the events for 7/3 that were indexed on 7/6 and up and deleted them. index = "myindex" _time >= "1372834800" _time < "1372921200" _indextime >= "1373094000" | delete 1372834800 epoch for 7/3/2013 1372921200 epoch for 7/4/2013 1373094000 epoch for 7/6/2013 ... View more