I'm trying to get the Pulse cloudwatch app to work using boto and dateutil, but splunkd.log shows this: 04-09-2013 22:56:32.711 +0000 INFO ExecProcessor - Ran script: python /opt/splunk/etc/apps/pulse_for_aws_cloudwatch-master/bin/ELB_Metrics.py us-east-1 300, took 146.2 milliseconds to run, 0 bytes read, exited with code 1 So the python script is erroring out but I don't know why. How do I run it under the same environment Splunk does so I can find out exactly what's going on? ... View more

Can someone verify that this kind of deployment would work? I'm deploying Splunk in a small environment of around 10 servers. Rather than manage Splunk on each one I want to use deployment server. The environment is made up of 3 different smaller environments (Dev, QA, Prod), with 3 classes of servers within each (Web, Batch, DB). Server naming convention example is: Dev-Web-1a1 (1a1 is a location code) What I want to do is plan my serverclass.conf so I can say ALL DEV servers get this app. ALL DEV WEB servers get all of the above + these web-specific apps. Given the naming convention and deployment model would the approach below work? Would there be any conflict with nesting groups based on hostname like this? Also, does deployment server go by the name set in server.conf? These servers are actually using random hostnames, but I want to inject a friendly name in server.conf. ###################### # QA Environment # ###################### [serverClass:QA] restartSplunkd = true whitelist.0 = *qa* ############ # QA-Web # ############ [serverClass:QAWeb] restartSplunkd = true whitelist.0 = *qa-web* ... View more

Trying to compare numbers of events that have come in from 12AM until NOW, with yesterday's data 12AM until NOW(Yesterday). How would I specify that in a search? I know yesterday is just @d-1, but can't seem to get the right latest time. ... View more

For enterprise customers, what are your strategies for keeping a handle on the volume of data being logged to Splunk to avoid going over your license? Aside from finding the heavy hitters and seeing what changed, then filtering data or stopping splunkd on that forwarder, is there a way to automatically shut off an input after a certain amount of data has passed through it, or just drop events on the floor at the indexer level? Seems the only way to manage this is on a reactive basis.. there has to be a more proactive approach. ... View more

Has anyone seen or written a concise indexing volume stats app that shows things like indexing volume trends, projected volume, etc? Not really seeing much in Apps, and the daily report takes a long time and is rather static. ... View more

Has anyone mastered the art of scaling the Forwarding Appliance for the VMWare app? Say I want to put 100 hosts on one appliance and have sufficient CPU\MEM\DISK resources. Has anyone worked through the requirements and accomplished this reliably in production? I'm looking for some sort of chart which gives a rough idea of the resources required to accommodate x number of ESX hosts. ... View more

So say I have an index that's got data in it back 120 Days, and I want to delete events older than 90 days, keeping the indexes trimmed to 90 days going forward. Would the below process accomplish this? Set indexes.conf: [indexname] frozenTimePeriodInSecs = 7776000 restart splunk I'm assuming that if I restart splunk, it will automatically go through and start deleting stuff older than 90 days on its own. Is this correct? ... View more