03-27-2013
01:40 AM
Eureka! It started working! I've placed the following bash script in /etc/profiles.d/
#!/bin/sh
export ORACLE_HOME=/usr/lib/oracle/11.2/client64
export PATH=$PATH:$ORACLE_HOME/bin
export LD_LIBRARY_PATH=$ORACLE_HOME/lib
I've tried this before but I set up wrong file privileges - they should be set on '644'. And don't forget to reboot the system.
03-27-2013
01:32 AM
Hi, thx for the suggestions:
1. Check
2. Check
3. Unfortunately setting LD_LIBRARY_PATH inside the script will only affect external programs run by the script, it won't link perl itself with the libraries in that directory. The libraries are linked before the script itself runs.
03-26-2013
08:14 AM
Hi all,
I'm using numerous perl scripts as data inputs - mostly for reading logs from different databases. I've recently tried to set up another input for Oracle database. For this I've installed perl DBD::Oracle driver. Everything works fine when I run the script from the console (using the same user which is running splunk process). The problem is the script won't work when it's run by splunk scheduler (just as every scripted input is). I've checked with index="_internal" logs and this is what I'm getting:
ERROR ExecProcessor - message from "/opt/splunk/etc/system/bin/get_AZP.pl" Can't load '/usr/local/lib64/perl5/auto/DBD/Oracle/Oracle.so' for module DBD::Oracle: libocci.so.11.1: cannot open shared object file: No such file or directory at /usr/lib64/perl5/DynaLoader.pm line 200.
I've exported ORACLE_HOME, PATH and LD_LIBRARY_PATH. I've also added appropriate .conf file in /etc/ld.so.conf.d/. What am I missing?
01-23-2013
12:27 AM
Ok, I've managed to make a workaround using custom js similar to this one Advanced XML - Highlight certain values in a table
01-22-2013
06:50 AM
Hi, I've assigned custom styles to certain eventtypes following this blog entry: Colorize your world... As usual I've built my app on top of the 'sample_app' template distributed with Splunk. Everything works fine when I use the 'Search views'->'Sample search' to list the events. The problem is that color styles don't work when I list same event types in another dashboard which uses dropdown list (lister) to narrow down search results. How can I force event (color) highlighting when using dropdown lists? I have the following code in my lister dashboard:
<form>
<label>Vulnerabilities by host</label>
<!-- define master search template, with replacement tokens delimited with $ -->
<searchTemplate>index=scs | eval time=_time | search [search index=scs hostIP="$hostIP$" | stats latest(_time) as time2 | eval time=time2 | fields time]</searchTemplate>
<fieldset>
<!-- Define a simple dropdown form driven by a search -->
<input type="dropdown" token="hostIP">
<label>Select to address</label>
<choice value="*">Any</choice>
<populatingSearch fieldForValue="hostIP" fieldForLabel="hostIP"><![CDATA[index=scs | stats count by hostIP]]></populatingSearch>
</input>
</fieldset>
<row>
<!-- output the results as a 50 row events view -->
<event>
<title>Vulnerabilities for the selected host</title>
<option name="count">50</option>
</event>
</row>
</form>
08-15-2012
11:33 PM
Ok, thanks for clearing this out.
08-14-2012
04:05 AM
Thanks for a quick answer. You are right about replacing host by source identifier - I have only one source from this host, but still this is not a good thing to do.
About the SHOULD_LINEMERGE. Not all events are single-lined, only those which were merged together.
And about the regex. Sorry for this mistake, just copied a result of some desperate attempt to make this work. I'm sure I also tried the right regex - I checked it in a text editor when the BREAK_ONLY_BEFORE didn't seem to work.
08-14-2012
02:34 AM
Hi, so I've been trying to split falsely merged (separate) events:
10:42:08 Checkpoint Completed: duration was 0 seconds.
10:42:08 Checkpoint loguniq 4227, logpos 0x4ca7018, timestamp: 0x7f8d03be
10:42:08 Maximum server connections 1414
An obvious thing to do is to use BREAK_ONLY_BEFORE attribute - or is it? So here's what I tried in /local/props.conf
[host::some_host_name]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ^/d/d:/d/d:/d/d
Surprisingly this didn't work. Needless to say I've tried countless variations of BREAK_ONLY_BEFORE and tried other attributes. Finally I tried the TIME_FORMAT attribute:
[host::some_host_name]
SHOULD_LINEMERGE = True
TIME_FORMAT = %H:%M:%S
...and it worked like a charm. Can someone explain why this worked while the latter didn't? And how should the proper BREAK_ONLY_BEFORE attribute look like for this to work? I didn't find anything satisfying on the forums.
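The effect of `/d` versus `\d` on the three sample lines from this post, as an added example that is not part of the original post. `merge_lines` is a simplified stand-in for break-before line merging, not Splunk's implementation, and `lint_regex` is a hypothetical helper for catching the slip before a stanza is deployed.

```python
import re

# The three sample lines quoted in the post.
SAMPLE = """\
10:42:08 Checkpoint Completed: duration was 0 seconds.
10:42:08 Checkpoint loguniq 4227, logpos 0x4ca7018, timestamp: 0x7f8d03be
10:42:08 Maximum server connections 1414
"""

POSTED = r"^/d/d:/d/d:/d/d"     # as posted: "/d" is a literal slash followed by "d"
CORRECTED = r"^\d\d:\d\d:\d\d"  # "\d" is the digit class


def merge_lines(text, break_before):
    """Simplified model (assumption): a new event starts only at a line that
    matches break_before; every other line is appended to the current event."""
    pattern = re.compile(break_before)
    events = []
    for line in text.splitlines():
        if pattern.search(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def lint_regex(regex):
    """Heuristic: list '/d', '/s', '/w' sequences that were probably meant as
    the escapes '\\d', '\\s', '\\w' (a following letter suggests a real path)."""
    return re.findall(r"/[dswDSW](?![A-Za-z])", regex)


if __name__ == "__main__":
    for name, rx in (("posted", POSTED), ("corrected", CORRECTED)):
        events = merge_lines(SAMPLE, rx)
        print(f"{name}: {len(events)} event(s), suspicious tokens: {lint_regex(rx)}")
```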