I've been surfing the documentation for Splunk DB Connect, and can't find any indication that I need to install anything on my SQL server to utilize Splunk DB Connect. Is it the case that all installations for drivers, etc., need to take place on the Splunk infrastructure? It seems to me that all you need on the client (e.g., heavy forwarder) are the connection information, valid credentials, and the necessary database drivers. If a heavy forwarder has those things, it can connect to the SQL server directly, without any additional changes or installs on that SQL server - correct? ... View more

I am a horrible person: I use Windows, and know next to nothing about Linux. Please take a moment to judge me. Now, on to the question: I have a dashboard in a lower environment that I would like to make into an app in our (cloud-based - CLOUD-BASED, mind you) production environment. Rightly so, the files that make up this application need to be uploaded so they can be validated. I thoroughly understand this necessity, and don't begrudge Splunk wanting to keep things safe. I really do want to comply. The only thing currently failing is file permissions, which I can't modify to compliance in Windows. I have been forced to grow as a person on this journey: I downloaded Vagrant and Virtual Box and have now SSH'd into the resulting Linux box. I put the folder (containing other folders) that comprise my application's files into the common directory (in my case, C:\Program Files\cmder) for my computer and the virtual Linux box. I learned Linux commands! 'chmod' to alter the file permissions (see below, and note that this verbose response does list all files/folders, I just didn't want to bore anyone - everything is switched to 644): mode of ‘customer_service/bin’ changed from 0777 (rwxrwxrwx) to 0644 (rw-r--r--) ... and 'tar' to zip it up! I still resent the command line, and laugh at how much of an argument Linux users can get into when someone asks how to recursively modify permissions on a directory - but hey, based on what I see in the Linux 'user interface', all of the files permissions are set and the file is zipped. I jump over to Windows, visit the upload page, and navigate to the .tar.gz file and then upload it. Then I wait with breathless anticipation, because SURELY THIS TIME IT WILL WORK: This file has execute permissions for owners, groups, or others. File: default/app.conf File: default/app.conf I receive this message for each file in the directory. Can anyone explain this away? Is it evil Bill Gates jumping in to mess with file permissions when I browse to the .tar.gz file? Am I just another victim of the Windows conspiracy? How will we defeat the evil empire? Is there a Linux command that will let the file remain chaste and pure so I can upload it without exposing it to this horrible, evil experience? Do we have any hope at all for our future? ... View more

I've taken 30 minutes from my day to avoid spending over an hour modifying tag permissions, and have had no luck. I know you can edit tags.conf directly - unless, like us, you're on Splunk cloud. Our admin says that he's asked, and Splunk won't make the edit for us, citing security concerns...? Bottom line, the admin says, is that we have to do them manually. Are you guys not embarrassed yet? I'm seeing requests for changes to this process that date from 2011. Your clients have been asking for this for at least SIX YEARS. Why would you not a) add a means of setting permissions when you create the tag, or b) provide a bulk update option (i.e., the same column that's available on two of the three tag interfaces on the UI)? Is it really that hard? I am aware of the presence of the Tagger app, and am now trying to work out how to use REST to update the tags in question - but at the end of the day, this particular part of Splunk does not serve its users well at all. Can someone please invest a little time and just add the permissions column to the 'List by tag name' view? ... View more

I need to document a transaction that begins with a multithreaded process. The process creates multiple entries in an event log: Message: UseCaseX.ProcessData ItemID=5 Provider=123 ElapsedMilliseconds=230 timestamp=09/21/2017 10:16:33 AM Message: UseCaseX.ProcessData ItemID=5 Provider=333 ElapsedMilliseconds=130 timestamp=09/21/2017 10:16:38 AM Message: UseCaseX.ProcessData ItemID=5 Provider=999 ElapsedMilliseconds=780 timestamp=09/21/2017 10:16:41 AM The 'Provider' value will vary on every occasion; there's no telling which Provider may come first. The transaction ends with a single identifiable event log entry: Message: UseCaseY.CalculateScore ItemID=5 ElapsedMilliseconds=780 timestamp=09/21/2017 10:16:58 AM There are many other log entries and servers involved in the time between the beginning of the transaction and UseCaseY.CalculateScore. I'm trying to produce a transaction that will have its duration span from the first instance of UseCaseX.ProcessData to the instance of UseCaseY.CalculateScore. searchHere | transaction ItemID startswith="UseCaseX.ProcessData" endswith="CalculateScore" I'm getting a duration that starts with "10:16:41 AM", when I want my duration to start with "10:16:33 AM". ... View more

I have used the 'transaction' command to isolate transactions that are made up of roughly 45 events each. I have a regex that identifies a TaskName and the TotalMilliseconds for each event, producing 45 matches for each transaction. Questions: When I try to filter the transaction (TotalMilliseconds>500, for example), the criteria is applied only against the first match. How can I ensure ALL matches are considered when filtering? How can in insert a 'tab' character when formatting a concatenated field value? TotalMilliseconds."\t".TaskName and its derivatives do not work. How can I filter the results to show only matches where TotalMilliseconds<500 (for example)? Any attempt I've made so far has only applied the filter to the FIRST match in my list of 45 values. Is there any way to force a numeric sort on a string field? Thanks for looking! Appendix: Query: base search |rex "rex to find ClientID" |rex "long rex that finds TaskName and TotalMilliseconds" |transaction field1 field2 maxspan=5m unifyends=true startswith="beginning" endswith="ending" |search [[[or, 'where']]] TotalMilliseconds>500 <--neither meets my needs Results: ClientID TimeAndTaskName abc123 1127 (UseCaseA) 12 (UseCaseB) 21 (UseCaseY) Goal (filtering TotalMilliseconds>20): ClientID TimeAndTaskName abc123 21 UseCaseY 1127 UseCaseA ... View more