Hello,
I just started evaluating Splunk, so please excuse me if I ask about the obvious.
My test case is a post-mortem analysis of three interacting Linux applications. Each writes its own log files. I have just installed Splunk on a Windows machine, created a test index, and indexed excerpts from those three files that cover the time interval I'm interested in (about half an hour).
Does Splunk offer a split view of the events from the three different sources? I would like to see events that occurred at the "same" time, e.g. within a specific second, side by side.
One application's timestamps do not contain the date. I can't modify the application. Can I "suggest" a date to Splunk?
Can I delete all data from just one of those three sources?
How do I delete all the test data I've indexed?
Looking at Manager > Indexes, there are events in _audit and _internal. Where do these come from?
Thanks in advance,
Malte