Thanks for expanding. My issue is not the number of bad sourcetypes (I have a total of 8 bad) it's an issue of this 7 of these are custom sourcetypes and fine... ck_csv_0X. However, my wanted sourcetype is ck_csv_09 and I also have the default splunk sourcetype csv2 used for most of the data. The issue is that if I rename my csv2 sourcetype to ck_csv_09 it will destroy (well rename) ALL of my data across multiple indexes where the csv2 sourcetype is used, not to mention if the csv2 sourcetype is even able to be renamed since it's default. ... View more

You would need to use javascript to do this. If you are familiar with JS, this might get you on the right track: http://splunk-base.splunk.com/answers/11110/how-do-i-disable-the-free-versions-reminder-that-the-search-scheduler-is-disabled http://splunk-base.splunk.com/answers/13012/does-42-have-any-capabilities-to-set-a-row-color-based-on-a-field-example ... View more

Splunk will look at the first few bytes (256 I think) to compute a CRC for the file (unless you disable this with a CRCSALT ) to determine the "instance" of a logfile. I would suspect that the 10,000 line export would frequently not begin with the same 256 bytes - because all it takes it appending 5 or 6 lines at the bottom to change the first 256 bytes. That would cause you to have potentially 9990+ duplicated lines. This could be a good use of Splunk's "batch mode" inputs - basically configure a spool directory for Splunk to read-from and discard. The whole file would be read each time, indexed, and deleted. The trick then is to only send whole files of "new" events to Splunk. I've not worked on Z/OS in a long time, but I assume you have Websphere configured to write to the system SPOOL. This Websphere technote appears to describe a way to have Websphere "rotate" its SPOOL occasionally - possibly making all of this easier. http://www-01.ibm.com/support/docview.wss?uid=swg1PK26722 This technote looks useful/relates as well.. http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/TD103695 Hope this helps If Z/OS forwarder support is important to you, please make sure to file an Enhancement Request with Splunk support. ... View more

Ah, that makes sense, thanks for the explanation. ... View more

Thanks for the responses guys, both solutions work well. ... View more

Method to bump the value on a chart basis for simpleXML on 6.2 < option name="charting.data.count" >9999 </ option > see http://docs.splunk.com/Documentation/Splunk/6.2.1/AdvancedDev/AdvChartingConfig-LayoutData#Timeline_data_table_properties ... View more

Yes. I have corrected the searches, but basically there is a special case with time modifiers in subsearches, so you have to add | format "(" "(" "" ")" "OR" ")" to the subsearch results. ... View more

I have not yet combined overlay charts with post-processing, but just a few hints: Have you tested this post-processing with a standard chart without overlay technique? From a gutt feeling I would say that the base search is not defined properly to fill the post-processing search. I have worked a bit with the post-processing in sideview, and from this brilliant documentation I learned how to use post-processing. From my understanding you need a reporting command like stats in your base search and list the fields, which you want to use in the post-processing search later on. ... View more

hostnames were not properly configured on alerts_actions.conf file that failed to display results for email link results, This was corrected by adding stanza in /opt/splunk/etc/system/local/alert_action.conf: [email] hostname = ... View more