Could you do something like this? | eval isLocal=if(cidrmatch("10.0.0.0/24",ip), "local", "not local") You could try 0.0.0.0/24 and see if that matches any IP address? http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions ... View more

You can also download this app, that gathers all the data about apps into Splunk! https://splunkbase.splunk.com/app/2919/ ... View more

Only Admins see the notifications, Power User and User do not. ... View more

the deploymentclient.conf will have the server:port in it and the outputs.conf will have the indexer server:port in it too. Additionally the indexer and DS are only listening on those same ports. http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Deploymentclientconf http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Outputsconf ... View more

Yes, When you install the forwarder just specify the DS server & Port like this: msiexec.exe /i Splunk.msi DEPLOYMENT_SERVER=host:port /quiet Then you should create an outputs App on your DS that will push just an outputs.conf to all your Forwarders. Make sense? http://docs.splunk.com/Documentation/Splunk/6.5.0/Installation/InstallonWindowsviathecommandline ... View more

sendCookedData=true in outputs.conf ... View more

According to http://docs.splunk.com/Documentation/Splunk/latest/admin/indexesconf you can define the following stanzas, so Yes you should be able to shutdown Splunk, move the files and make the change. tstatsHomePath = * Required. * Location where datamodel acceleration TSIDX data for this index should be stored * MUST be defined in terms of a volume definition (see volume section below) * Must restart splunkd after changing this parameter; index reload will not suffice. * CAUTION: Path must be writable. * Defaults to volume:_splunk_summaries/$_index_name/datamodel_summary, where $_index_name is runtime-expanded to the name of the index summaryHomePath = * An absolute path where transparent summarization results for data in this index should be stored. Must be different for each index and may be on any disk drive. * May contain a volume reference (see volume section below). * Volume reference must be used if data retention based on data size is desired. * If not specified, Splunk will use a directory 'summary' in the same location as homePath * For example, if homePath is "/opt/splunk/var/lib/splunk/index1/db", then summaryHomePath would be "/opt/splunk/var/lib/splunk/index1/summary". * CAUTION: Path must be writable. * Must restart splunkd after changing this parameter; index reload will not suffice. * Defaults to unset. ... View more

The web_input works really well for tailing a web page. It works in 6.0+ too. ... View more

try this: eval n=strptime(_time," %Y-%m-%d") ... View more

Your outputs.conf on the forwarder seem to be sending to itself as "localhost"? My forwarder looks like this, my indexer is .103 OUTPUTS: [tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = 192.168.1.103:9997 [tcpout-server://192.168.1.103:9997] I also suspect that you enabled the windows-TA when you installed the forwarder, those .conf files are inside C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\etc\apps\ That is why you are getting Windows data but not your datagateway log. ... View more

At home, I'm collecting firewall data with Splunk installed on a ESX server. This data I'm collecting is from Sonic and it has packet captures in it. My hope is to use the free version of NetWitness and use that for packet inspection. But right now I have it just capturing firewall traffic . The search I use is looking at all the images that anyone (kids) download. A link to some screenshots is unavailable . It's gonna be so cool when I have Splunk alerting on the kids wasting time and not doing homework. ... View more