I need to index several hundred gigs of historical logs. i have a machine that is dedicated for this purpose. i installed the universal forwarder and have used the [monitor] stanza in inputs.conf to start the indexing. it is working, but it seems REALLY slow. since this server is dedicated to this purpose is there any way i can force the forwarder to use more system resources to chug through the logs at a faster pace? I'm also open to alternative solutions to this problem. ... View more

I've added an index time field extraction which overlaps with a delimiter based search time extraction. i think i've got the settings right, but i can't use the fact that the field is available from the search app as proof that my field was extracted at index time. what tools can i use to verify that my field was indeed added to the index? ... View more

For a particular sourcetype I need to have two fields extracted at index time and also 10+ fields extracted at search time. what is the syntax to do this? should I have multiple sourcetype stanzas in props.conf for the same sourcetype or can i combine index and search time extraction into the same stanza? ... View more

on tuesday i upgraded my deployment server, my searchhead and my 3 indexers from 4.1.6 to 4.2. I have not updated my LWFs. on my searchhead, indexers and LWF i now see the following error: 03-22-2011 16:28:50.591 WARN DeploymentClient - Unable to send phonehome message to deployment server. Error status is: rejected the servers can connect to the deployment server listening port so it doesn't appear to be a network issue: [splunk@indexer01~]$ telnet search01 8090 Trying x.x.x.x... Connected to search01 (x.x.x.x). Escape character is '^]'. ^] how do I fix this? are there any debug logs i can turn on/look at to get a better idea of what exactly is failing? ... View more

Hi all, I recently upgraded to 4.2 from 4.1.6 and I'm trying to set my indexers to use a license pool that i've configured on my search head. The documentation that I can find only references how to do this via the splunk web GUI on each indexer. I don't have the GUI enabled and plus would like to push the change out with a change management system (chef/puppet/etc). what config files do i need to update on my indexers to have them become a license slave to my search head? or what splunk CLI commands can i use? ... View more

I have a handful of different sourcetypes that all get written to log files in /var/log/app. I also have more than one index that the files can be sent to depending on their type. From my testing, and from what I can understand from the documentation I can't have multiple [monitor] stanzas with whitelist/blacklists for logs that live in the same directory. Therefore in order to assign sourcetype and index based on some filename regex it would seem my choices are limited to the following: don't use wildcards or whitelist|blacklists in inputs.conf. Instead on the LWF inputs.conf create a monitor stanza for each possible logfile name and assign the sourcetype and index in the monitor stanza. This is highly undesirable for me because i have about 300-400 different log file names and it also means i have to update the list each time a new log name is created in my LWF inputs.conf create a single monitor stanza that captures all the logs in the directory. On my indexers create a props.conf with multiple source statments, use the priority option to order similar wildcard source stanzas and also define a transform to assign the index. In this option I'm most concerned about the performance of assigning the index via a transform. Is this intensive? an example of option 2 would be as follows: example Log files: coolservice.log (sourcetype: log4j, index:main) coolservice-web.log (sourcetype:access_common, index:main) coolservice-req.log (sourcetype:access_common, index:main) coolservice-billing.log (sourcetype:custom-billing, index:billing) radservice.log (sourcetype: log4j, index:main) radservice-web.log (sourcetype:access_common, index:main) radservice-req.log (sourcetype:access_common, index:main) radservice-billing.log (sourcetype:custom-billing, index:billing) ... (with 50 different service names) inputs.conf (on the LWF) [monitor:///var/log/app/] whitelist = \w+\.(?:\d{4}-\d{2}-\d{2}|log)$ # i want to ignore zipped files blacklist = \.(gz|bz2|z|zip)$ **props.conf (on my indexers)** # billing logs # eg coolservice-billing.log or coolservice-billing.2011-03-03 # or coolservice-billing.2011-03-03.log [source::\w+-billing\.(?:\d{4}-\d{2}-\d{2}|log)$ sourcetype = custom-billing TRANSFORMS-index = billingindex priority = 200 # web logs [source::\w+-(?:web|req)\.(?:\d{4}-\d{2}-\d{2}|log)$ sourcetype = log4j TRANSFORMS-index = mainindex # log4j service logs [source::\w+\.(?:\d{4}-\d{2}-\d{2}|log)$ sourcetype = log4j TRANSFORMS-index = mainindex transforms.conf (on my indexers) [billingindex] REGEX = .* DEST_KEY = _MetaData:Index FORMAT = billingindex [mainindex] REGEX = .* DEST_KEY = _MetaData:Index FORMAT = mainindex so my questions are: Is this the best/only way to do it? Will I suffer any indexing perf problems doing it this way? ... View more