If you use a Universal Forwarder you will have to install Python libraries, as it is a small-footprint distribution and does not include any of the libs.
I have a number of customers running 100% in virtual environments, and if you adhere to the Splunk recommendations regarding sizing for VMs (and their nuances) you should be fine. Your assessment for storage is correct (minimum 800 IOPS); however, in shared storage environments these need to be meticulously "locked in".
As for search heads needing "big storage": typically not, unless you will be creating lots of summary indexes.
Here is an earlier thread on doing a subsearch to pull out the "latest event time" and inserting that value into your search which you can then use to modify a custom time range.
http://splunk-base.splunk.com/answers/10157/custom-time-range-based-on-most-recent-event-time
When using batch mode you may also want to enable TCP acknowledgements, so that the data isn't purged from the source until the receiver (either an intermediate forwarder or an indexer) acknowledges receipt of the data.
Here is the link for TZ settings in the Splunk Docs:
http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/ApplyTimezoneOffsetstotimestamps