Why has this page been removed? ... View more

Please note that id!=1 and NOT id=1 are NOT equal. If you have the following events id=1 someotherfield=a someotherfield=a id=1 someotherfield=a id=2 someotherfield=b searching for someotherfield=a NOT id=1 leads to someotherfield=a id=2 someotherfield=b whereas searching for someotherfield=a id!=1 leads to id=2 someotherfield=b as id!=1 only returns events that contain field id, but not value 1, whereas NOT id=1 removes events with id=1 from the previous event set. ... View more

The question was asked the other way around and is still not answered anywhere. I.e. yes FWD 7.x can connect to DS 8.x but can FWD 8.x connect to DS 7.x? ... View more

No, I don't have any information. ... View more

As I understand * priority only works for whole stanzas, not single entries * having multiple TRANSFORMS for one stanza, they are executed in alphabetical order ... View more

Check whether your mgmt_uri is correct. It needs to point to the local system (whereas conf_deploy_fetch_url points to the Deployer). ... View more

This would help me as well ... View more

For the backfill case you can just use fill_summary_index.py and tell it over which timerange it should run the searches. See http://docs.splunk.com/Documentation/Splunk/7.1.3/Knowledge/Managesummaryindexgapsandoverlaps#Use_the_backfill_script_to_add_other_data_or_fill_summary_index_gaps ... View more

Yes, this is very performant and I like it as well. The drawback is that it gives all indexes, not only the ones the user is allowed to see. ... View more

I understand that you don't want to reload everything everytime. But why has extract reload=t stopped to work? That's something I would only add to the search when I need the configs to be reloaded! ... View more

You can find the answer in the documentation: http://docs.splunk.com/Documentation/Splunk/6.1/Viz/Chartcontrols#Chart_overlay_example_.28single_axis.29 key for it to work is choosing "View as Axis" to be "Off" ... View more

Using the option syslogSourceType you can tell Splunk which source types are already in syslog format. For these source types the syslog header will then contain the hostname of the original log (and not the hostname of the intermediate forwarder). Unfortunately the option doesn't accept regex, so multiple output stanzas are needed (see example) if your syslog source types have no common subset. Further it seems that this option has no influence on facility.priority, i.e. facility.priority will always be user.notice instead of the original one. --> I filed an enhancement request to change syslogSourceType to accept regex. ===inputs.conf=== [splunktcp-ssl://9997] connection_host = ip _SYSLOG_ROUTING = tacLOG_1515a [monitor:///data/Logweiche/mmm] index=nnn sourcetype=ooo _SYSLOG_ROUTING = tacLOG_1515a [monitor:///data/Logweiche/xxx] index=yyy sourcetype=zzz _SYSLOG_ROUTING = tacLOG_1515b ===outputs.conf=== [syslog] [syslog:tacLOG_1515a] type = tcp set no additional syslog header for sourcetype ooo* syslogSourceType = ooo [syslog:tacLOG_1515b] type = tcp no additional header for sourcetype zzz syslogSourceType = sourcetype::zzz ... View more

Lisa, I think you misunderstood the question. The question wasn't about setting the host field correctly in splunk, but about changing the syslog header when forwarding the data. I have the same problem and haven't yet found a solution... ...let me make an example. Setting: Maschine Forwarder ---> Indexer --> syslog host Log / Event (1) (2) (3) During its travel from (1) to (3), a log line looks as follows: (1) Oct 30 08:25:43 xxxx yyyy.zzzz aaaa (2) Oct 30 08:25:43 xxxx yyyy.zzzz aaaa _time=Oct 30 08:25:43 host=xxxx sourcetype=syslog ... (3) Oct 30 08:25:45 mmm nnn.ooo Oct 30 08:25:43 xxxx yyyy.zzzz aaaa xxxx: original host mmm: Indexer hostname yyyy.zzzz: original facility.priority nnn.ooo: facility.priority set in outputs.conf of mmm for syslog forwarding aaaa: original message This means that all data being received by the syslog host seems to be originating from the Splunk Indexer and has the same facility.priority (if one is not using different stanzas in outputs.conf, e.g. for different source types). In the case of (1) being syslog, the syslog host can parse the message and take the original hostname (xxxx) and facility.priority (yyyy.zzzz) out of the message. But if (1) is not containing a hostname, the original host cannot be induced from (3). For this it would be needed that the Splunk Indexer, when forwarding data by syslog, adds a syslog header which contains the value of the host field (per event) instead of its own hostname. ... View more

@ mattness: Where in the documentation did you add that? I'm searching how to use filters with OR, for being able to use checkboxes to drive my dashboard panel (pivot searches) ... View more

I fully agree with dabbank! ... View more

There actually is the possibility of using wildcards in lookups. See answer 28566 ... View more

Try with another span: Probably splunk cannot show more than 1 hour with a 5 minute span. ... View more

And here's the general description on which config has to go where: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F ... View more