You can also do something like this: | eval has_asterisks=if(like(field, "%*%"), 1, 0) | where has_asterisks=1 ... View more

From what I'm seeing the setHost() argument should be the hostname or IP address only. I'm attempting to use the SDK to connect to HEC for the first time, I'll report back my success. ... View more

Were you able to get this resolved? We're having the same problem and have hundreds of endpoints in different time zones. ... View more

This link is now dead, found updated link: http://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutsecuringdatafromforwarders ... View more

It is now possible to use fields from the results of a search, here is an example subject for an e-mail alert: Splunk Alert: $result.host$ has failed $result.failure_count$ times in $result.time_range$ ... View more

Is there a way to log what IP was resolved from a DNS request? ... View more

I'm experimenting with ramdisks myself. You can't use tmpfs as Splunk throws an error but you can increase the possible ramdisk size via kernel options and use mkfs on a /dev/ramX device. In grub just edit your kernel line and append ramdisk_size=X kernel /vmlinuz-2.6.32.24 ro root=LABEL=/ rhgb quiet ramdisk_size=4000000 This is for a max ramdisk size of 4gb. Then: mkfs /dev/ram0 4000000 mkdir /mnt/ramdisk0 mount /dev/ram0 /mnt/ramdisk0 Interested to hear your results with the search head pool, I'm currently testing on an indexer and I am observing what appears to be blazing speed but the verdict is still out on total improvement. Will report back with more. ... View more

Setting that interval didn't work, it's still running some database monitors every 5 seconds. In default/inputs.conf there is a script stanza: [script] interval = 60.0 I noticed that it was obeying the interval for the first monitor entry in dbx/local/inputs.conf the 2nd entry was a disabled entry and the rest were enabled but the interval wasn't being obeyed. I deleted the disabled entry and now different monitors are obeying the interval... going to troubleshoot some more. ... View more

As a temporary fix is there a way I can change the default interval to 60 seconds? ... View more

btool: search query = select * from table_name {{WHERE $rising_column$ > ?}} dbx sourcetype = table_name dbx table = table_name dbx tail.rising.column = DATE dbx [dbmon-tail://DATABASE/TABLE] dbx disabled = 0 dbx host = db.domain.com dbx index = index_name dbx interval = * * * * * dbx output.format = kv dbx output.timestamp = 1 dbx output.timestamp.column = DATE status.py: [dbmon-tail://DATABASE/TABLE: valid=true disabled=false scheduleType=FIXED interval=5 running=false ... View more

I have tried cron format, 60s, etc and sporadically different input monitors don't obey the interval... other configured inputs with the same cron interval are currently working. inputs.conf: [dbmon-tail://DATABASE/TABLE] host = db.domain.com index = index_name interval = * * * * * output.format = kv output.timestamp = 1 sourcetype = table_name table = table_name tail.rising.column = DATE disabled = 0 output.timestamp.column = DATE ... View more

And one more discovery, the nextExecution for the inputs that are obeying the interval show the date and not a value: Interval not working: 2013-01-24 20:27:58.911 main:DEBUG:Scheduler - Timer for input=[dbmon-tail://DATABASE/TABLE] nextExecution=5000 state=WAITING expired. Executing it now... Interval working: 2013-01-24 20:28:00.000 main:DEBUG:Scheduler - Timer for input=[dbmon-tail://DATABASE2/TABLE] nextExecution=Thu Jan 24 20:28:00 CST 2013 state=WAITING expired. Executing it now... ... View more

Found a clue after turning on debugging, the nextExecution=5000, I'm tending to think this is 5 seconds. I initially configured the inputs for 5 seconds but later changed them to 60 seconds. Value being cached somewhere? 2013-01-24 20:24:27.722 main:DEBUG:Scheduler - Timer for input=[dbmon-tail://DATABASE/TABLE] nextExecution=5000 state=WAITING expired. Executing it now... ... View more

It's also sporadic, I updated to 1.0.7, restarted Splunk and now different databases are ignoring the interval. ... View more

Yes, "splunk remove app " is ran from the splunk bin directory. ... View more

$SPLUNK_HOME/bin/splunk remove app ... View more

Note, after you create the new database monitor immediately disable it and go and edit the state.xml file. I have been copying the state.xml from previously configured monitors, makes it fairly easy. ... View more