I can't restart splunk. Neither CLI or web manager works. It just times out waiting for splunkd to shut down. Thing is, if I kill -9 everything splunk, it still thinks it needs to stop splunkd and splunkweb. And If I kill everything and try to start, it thinks splunkd is still running. This is really frustrating. ... View more

After reading the docs and looking in forums, I thought I had a understanding of monitor and what it does...I guess not. Is a monitor, set up to follow from tail, only supposed to index data that is written to a directory from the time of monitor creation? I manually made a monitor in my inputs.conf file after I saw that the monitor I set up in the manager was grabbing events that were pre-dated. [monitor:///dir/path] blacklist = dir/ followTail = 1 I didn't see events logging right away after restarting splunk, so I thought it was working properly...that is, only indexing events that are new. I came in today to find my license had exceeded limit over night and splunk has indexed events from last year. Someone tell me what is wrong with this. Is there a way to set up a monitor that only indexes new events? Why is my monitor indexing the whole file? ... View more

I installed splunk and the echo's from install script all looked good. I ran ./splunk start and the echo's all looked good, emphasis on port 8000: open 8089: open, and lastly, get to splunk at http://servername:8000. When I try to access http://servername:8000 it hangs. netstat -an | grep 8000 returns *.8000 ... LISTEN and servername.8000 ... ESTABLISHED. ps -ef | grep splunk shows a python script running and 2 splunkd's both running on 8089. I don't know what to do from here. Was an entry in /etc/inet/services supposed to be established with install script? I have no port 8000 entry in services. Tanks, Kenison. ... View more