Fairly soon, but there is no firm date yet. ... View more

@southeringtonp can you please help in modifying the sendemail.py python script so that job.earliestTime token will display date and time differently with proper timezone as well ... View more

Hi everyone, Just in case, I found the following article on setting up Microsoft URL Rewrite to act as a reverse proxy server for Splunk very helpful. http://blogs.msdn.com/b/chiranth/archive/2014/08/03/application-request-routing-part-2-reverse-proxy-and-troubleshooting-arr-urlrewrite-issues.aspx ... View more

Experiencing the same issue on win2003 x64. However there is such file and permissions are ok. Any ideas? Search over the problematic index is very slow. ... View more

Have you tried setting the time format for that sourcetype explicitly in props.conf? I think the TIME_FORMAT would be %m/%d/%y %H:%M:%S,%3N Not sure, but there may be a difference in how Splunk examines your data when coming via lightforwarder, and the props.conf setting should force the same behavior. ... View more

Oh of course. Cause the "matchthis" values are all the same. Good point. ... View more

Thank you for the response! ... View more

Thank you for your help Nick!! ... View more

Thank you for you answer Nick ... View more

Just for completeness I'm adding what splunk support came back to me with.. "Hi Chico, Some digging around with the Dev team has turned up that there is supposed to be a 'silent' option on the .pkg installation package but it looks like there is currently a bug in there that's preventing it from working correctly. The target time-frame for this to be fixed is our next major release, 4.2, which is still some ways out" - Mick | Support Manager ... View more

The original post by Jaci was done on my behalf. I have additional information that hopefully will give further clues to identify the issue. The large volumes of data is accumulating in “C:\Program Files\Splunk\var\lib\splunk\fishbucket\db” and not in the …\fishbucket\splunk_private_db folder. Three days ago after identifying the fishbucket accumulation problem I used the clean command and deleted several Gigs of data on our domain controllers, but the data keeps accumulating (note: I use the example of our domain controllers because they generate the most events for Splunk to consume, but most or all of our Splunk clients have the problem). On one of the domain controllers there is already 1.75 Gigs in the …\fishbucket\db folder after being cleaned 3 days ago. What I believe is occurring is all of the events normally shipped off the indexer are still being shipped off, but additionally are ending up in the …\fishbucket\db folder. The question is why? I disabled the local app SplunkLightForwarder and deployed and enabled a new app called wsu-lightforwarder. As discussed in the first post wsu-lightforwarder is an exact copy of SplunkLightForwarder with the exception default-mode.conf. There must be a setting in default-mode.conf that is causing the problem, but I don’t know what. As a test, on one of the domain controllers I disabled wsu-lightforwarder, re-enabled SplunkLightForwarder and used the clean command. This essentially reverted the Splunk client back to the original state before the problem started. I found the …\fishbucket\db folder did not grow. Then I went back to using my wsu-lightforwarder app and the problem started back up again. The problem is definitely with wsu-lightforwarder, and again the only difference with SplunkLightForwarder is default-mode.conf (see first post). What could be causing this? Can I just disable the fishbucket in index.conf? I need to keep the small footprint of a light forwarder, but must be able to output syslog, so I need find a way to make my wsu-lightforwarder app to work. Thank you gkanapathy and mick for your posts. Any further help would be greatly appreciated. ... View more

I assume that your cp command it to essentially to truncate your log file because you don't want to restart your server? Any chance that you could use logrotate (with copytruncate mode) or use a pipe-based file rotator like rotatelogs (comes with apache I believe) instead? ... View more

Thank you for the answer and the python script. ... View more

Are you using an udp input? Try adding connection_host = dns to your UDP input stanza. See the following post: Lookups - using them to replace the host field ... View more

tried this on splunk4.2.2, and got the following error in CLI ppang-mbp-2:bin paulpang$ ./splunk search "| debug cmd=roll index=main" FATAL: Error in 'DebugCommand': command=roll issued successfully to index=main, but debug command is deprecated, try the CLI command instead ... View more

Thank you for the answer, this is helpful. ... View more

No and no, once data has been indexed, that's the state it's going to stay in. An export/import capability has been requested on a number of occasions, but it's not built yet. If you want to change the 'sourcetype' value, all you can really do is re-index the data If that's not possible, then the next best solution is to just use tags - http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Defineandusetags ... View more

We are running 2500 + on a single DPL, never goes above 5% CPU / 3gb ram phoneHomeIntervalInSecs = 600 ... View more