Updated link: http://docs.splunk.com/Documentation/SplunkCloud/6.4.1/User/Overview ... View more

How Splunk DB Connect works - v 2.0.2: Download the Splunk DB Connect add-on, and then follow the instructions in either the single-server or distributed deployment installation topics. You can use Splunk DB Connect on a heavy forwarder to support continual data gathering or output. For more interactive use, including lookups, you should install the add-on on a search head. ... View more

Can we use Where condition here, so that we can get the results based on condition.??? if we can get that, can you please post the answer to https://answers.splunk.com/answers/256185/drill-down-in-dashboard-with-r-integration-based-o.html?minQuestionBodyLength=80 ... View more

Could you add a bit more context? I'm specifically wondering about your use of the word target and whether that is implying a lot of context that I am missing. I've strictly worked with Splunk in the last couple of years and am at a disadvantage in recognizing some of the terminology assumed by users of the other platforms. Splunk can create a single search job that returns many events across multiple indexes. When it is reasonable to create custom fields at index time, these are very efficient to search at very high scale but come with lots of advisory notices since poor decisions on deploying these can be very troublesome to recover from. The most efficient such statistical search would be based on tstats, which works great for statistics assuming you do not require the search output to contain the full event text but just a summary of counts of events matching various conditions and the like. tstats can not be run using a Splunk real-time search so you would likely use a scheduled job with a historic search across a recent time frame that is within your tolerance level for processing latency. Configure index time field extractions: http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction tstats: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats ... View more

@clyde772 Where may I find your Splunk + R integration app. Thanks. ... View more

I was under the impression that the same named file would be imported if the file size change if you implement the Monitor technique. This would retain history, as long as each record has a timestamp. An alternate solution would be to create a file w/ a timestamp on the end (and timestamp for each record), monitor the file using a wildcard (myfile*.csv), setup the file as a csv file and set that file to a particular sourcetype for easy reporting in Splunk. If you can't put a timestamp on each record I think Splunk uses the imported time as the _time if I recall correctly. If that will work for you that may be an option as well. 1) Generate csv file w/ timestamp on end and each record. Technique will vary based on source system etc. I implemented this command line on the crontab to measure disk usage once per day. This command line will create file w/ a timestamp on the end, add a header lne and add a timestamp to the front of each row. echo "Timestamp,Filesystem,Used,Available" >> //apps/wcm-splunk/work/crd/log/prod/diskWatcher_"$(date +'%Y%m%d')".log; df -P | grep -vE '^Filesystem|tmpfs|cdrom' | awk '{ print","$1","$3","$4 }' | gawk '{ print strftime("%Y-%m-%d %H:%M:%S"), $0 }' >> //apps/wcm-splunk/work/crd/log/prod/diskWatcher_"$(date +'%Y%m%d')".log 2) Monitor the file in inputs.conf: [monitor:///apps/wcm-splunk/work/crd/prod/*myFile*csv] sourcetype = mySourcetype disabled = false index = myIndex 3) Set the file up as csv and specific sourcetype in props.config: [mySourcetype] NO_BINARY_CHECK = 1 pulldown_type = 1 HEADER_MODE = firstline FIELD_DELIMITER=, FIELD_QUOTE=" TIME_FORMAT=%b %d %Y %H:%M%p TIMESTAMP_FIELDS=TimeStamp ... View more