i think i am stuck on this certain for some reason that my head isn't working right when thinking about this problem i have a bunch of web logs that i need to sort out with a certain field (lets say XID) that is only inserted in 1 or 2 lines out of the xxx lines in a complete web transaction this web transaction can be defined with an SID for our transaction command however, i need to find all the transactions that includes n numbers of XID that i have created in a list of XID lookup table my original search sourcetype="web_log" [inputlookup xid_lookup.csv | fields XID] | transaction SID the problem of this search is that it will only given the result of the lines that has the XID in my lookup table but what i really want to do is to list out all the lines in transaction by the SID that includes XID in my lookup table only is it possible to do so? ... View more

I know many people had asked this questions, but I still can't seem to find a good way to solve this problem I have setup my splunk to monitor several folders this my inputs.conf sample [monitor:///opt/splunk/etc/apps/app_name/logs/folder/logfile*] index = myindex sourcetype = my.log I even put crcSalt = to try but it is still not indexing my logs correctly and when i look at the data inputs monitoring page http://localhost:8000/en-US/manager/app_name/data/inputs/monitor I found that the number of file counts are incorrect anyone!!! please enlighten me ... View more

has anyone ever work with polling system information using snmpget and write it into files or using a scripted data input to poll them using snmpget? this is critical for my client who can only offer snmp as the only way to get data from the devices ... View more

is there anyways to show a whole month of graph with a time span of 5 min window splunk has reduce the chart to 4 days instead of showing the whole month (i would think its to reduce the complexity when showing every little bit in the graph) but just for the heck of wanting to show everything on it... possible? ... View more

Aug 3 23:35:01 192.168.11.11 Forwarded from 192.168.11.30: ash: [Wed Aug 03 23:35:01 2011] [error] [client 114.24.189.86] File does not exist: /WEB/roomi/public_html/img, referer: http://www.roomi.com.tw/web/album/index.php?PA=album_photo&photo_id=3997548 Aug 3 23:35:00 192.168.11.11 Forwarded from 192.168.11.44: root: [Wed Aug 03 23:35:00 2011] [error] [client 118.169.76.35] File does not exist: /WEB/roomi/public_html/img, referer: http://www.roomi.com.tw/web/album/index.php?PA=album_photo&photo_id=4018842 Aug 3 23:35:12 192.168.11.11 Forwarded from 192.168.11.36: ash: [Wed Aug 03 23:35:12 2011] [error] [client 113.61.193.153] Directory index forbidden by Options directive: /WEB/roomi/public_html/upload/family/, referer: http://www.roomi.com.tw/obj/swf/avatar/avatar_buchafarm.swf?ver=2.0.0 Aug 3 23:35:12 192.168.11.11 Forwarded from 192.168.11.57: root: [Wed Aug 03 23:35:12 2011] [error] [client 118.171.233.64] File does not exist: /WEB/roomi/public_html/img, referer: http://www.roomi.com.tw/web/album/index.php?PA=album_photo&photo_id=4004079 with the above example logs, I want to filter out the unnecessary log in bold so that it will not show up in my search results or to be clear on this question is that result must showed up as [Wed Aug 03 23:35:01 2011] [error] [client 114.24.189.76] File does not exist: /WEB/roomi/public*html/img, referer: http://www.roomi.com.tw/web/album/index.php?PA=album*photo&photo_id=3997548 how am i suppose to filter out those unwanted logs? I would try using nullFilter on this, is there any other ways to do it? ... View more