Splunk can do that. Please see: http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Forwarddatatothird-partysystemsd ... View more

Bug. SPL-81428 assigned. ... View more

This error appears when there was no migration or it failed during the upgrade process. Workaround is to force migration to correct the issue. From $SPLUNK_HOME : ./bin/splunk stop touch ftr ./bin/splunk start ... View more

More detailed command to use from the NFS location: touch var/run/splunk/dispatch/test ; ls -l --time-style=full var/run/splunk/dispatch/test ; date On Solaris it's: touch var/run/splunk/dispatch/test ; ls -l -E var/run/splunk/dispatch/test ; date ... View more

You'll need to use searchPostProcess module in order to push correct results to the second row. The second row and the first row doesn't have the same search results. Check the UI Examples app at: $SPLUNK_HOME/etc/apps/ui_examples/default/data/ui/views/form_inverted_flow_postprocess1.xml ... View more

This is the xml that adds the time drop down menu and execute the new search when changed: <form> <label>FOO</label> <title>Total Emails For All Registries</title> <fieldset autoRun="true" submitButton="false"> <input type="time" searchWhenChanged="true" /> <default>Last 24 hours</default> </fieldset> <row> <chart> <title>Matching events</title> <searchTemplate><![CDATA[ sourcetype="cron_BalanceEmail" (source="*asia*" OR source="*info*" OR source="*org*") BalanceEmail sent | rex field=_raw "\[BalanceEmail\] ?(?<TotalEmailsSent>[\d]+) of (?<TotalEmailsToSend>[\d]+) of email notification sent\." | search TotalEmailsToSend="*" OR TotalEmailsSent="*" | timechart sum(TotalEmailsToSend) as TotalEmailsToSend sum(TotalEmailsSent) as TotalEmailsSent ]]></searchTemplate> <option name="charting.chart">column</option> <option name="charting.primaryAxisTitle.text">Date</option> <option name="charting.secondaryAxisTitle.text">Number of Emails</option> <option name="charting.chart.useAbsoluteSpacing">true</option> <option name="charting.chart.columnSpacing">5</option> <option name="charting.legend.placement">top</option> <module name="TimeRangePicker"> <param name="selected">All time</param> <param name="searchWhenChanged">True</param> </module> </chart> ... View more

Please edit $SPLUNK_HOME/etc/datetime.xml in the hour extraction: Current: <define name="_hour" extract="hour"> <text><![CDATA[([01]?[1-9]|[012][0-3])(?!\d)]]></text> </define> Change to: <define name="_hour" extract="hour"> <text><![CDATA[([01]?[0-9]|[012][0-3])(?!\d)]]></text> </define> ... View more

Marcelo, Your file doesn't have new line, so you need to use the BREAK_ONLY_BEFORE to break it in the correct place. The the TIME_FORAMT will work. Correct configuration in props.conf will be: BREAK_ONLY_BEFORE = \d+\s-\s TIME_PREFIX = \d+\s-\s TIME_FORMAT = %m/%d/%Y %H:%M:%S ... View more

No. There is no way to tell splunk where to place the crash*.log files. You can control the location of some other log files from: $SPLUNK_HOME/etc/log.cfg More at: http://www.splunk.com/base/Documentation/latest/Admin/Splunklogfiles ... View more

In order to send the search results to another location, you can use the search command: outputcsv. Documented at: http://www.splunk.com/base/Documentation/latest/SearchReference/Outputcsv keeping the saved search artifact for longer in the $SPLUNK_HOME/var/run/splunk/dispatch dir, is done using the dispatch.ttl parameter in the saved search configuration. (It can get a bit complicated if there are actions that are triggered from the search). See: http://www.splunk.com/base/Documentation/latest/Admin/Savedsearchesconf The default value for keeping the saved searches results is twice the time period. ... View more