Those lists aren't in a table, they are gathered from searching your existing indexed data. If you are not ingesting the same sources and source types from the same hosts, the lists will be different. Those three items are simply fields like any other from your data in Splunk. If you want to replicate your entire Splunk ES instance, copy the whole $SPLUNK_HOME folder, then change configs as needed for the new hostname or other items needed. This will copy your existing data and the lookups needed to match your current installation. ... View more

This no longer works with 5.x. ... View more

You can't without re-writing fundamental pieces that would break things for admin users. One could pull data via API/REST and provide a custom UI via another system, but those menus can't be removed otherwise. ... View more

Start with http://docs.splunk.com/Documentation/Splunk/6.4.1/Troubleshooting/Cantfinddata and https://answers.splunk.com/answers/221885/how-to-troubleshoot-why-i-can-see-network-traffic.html just in case something there helps. I would try a combination of the splunkd logs and using strace on the Splunk process. Also, enable debug and sifting through the results may be useful. ... View more

You can adjust this, but the primary calculation is a practical limit on performance. This is controlled in limits.conf. The maximum number of concurrent searches is calculated based on max_searches_per_cpu times the number of CPU cores in the system (as reported by the OS, which means VMs often lie when given multiple vCPUs but are running on a small number of hardware cores thanks to threading and shady hypervisor oversubscription models) + base_max_searches . max_searches_per_cpu defaults to 1 base_max_searches defaults to 6 Therefore, in a reference system with 12 cores, you have 1 x 12 + 6 = 18 . If you need to crank this up, you can linearly scale this by core count using max_searches_per_cpu by setting it to 2 or more. This changes the math to be 2 x 12 + 6 = 30 or 3 x 12 + 6 = 42 . If you just want to tweak it up by a fixed amount, adjust base_max_searches to a higher value. All of the above comes with the caveat that generally these are bad ideas to implement in a production setting unless you have a highly underutilized system performing large numbers of extremely low memory and low CPU usage searches. ... View more

Can you show examples of the source event data? ... View more

mikelanghorst, that prevents you from getting the % 408 codes of the whole. ... View more

Yes, you are setting yourself up for potential performance problems at that ingest rate. ... View more

This worked perfectly! I set it to 20px size to force it a bit bigger but not so it felt overstuffed in the cells (which avoids changing the cell sizes). ... View more

In current implementation, any changes made to the environment will not likely be logged within Splunk, certainly not in _internal et al. If you make changes via config files outside the UI or API, those things actions and changes can't be logged within Splunk. You can ingest the files themselves to compare _raw or even single line values, depending on your parsing preferences. However, it might be useful to have an external tool create hashes of all the files and store a log entry into Splunk with the hash, full path, and other metadata about the files. Then you can more easily report on changes to any of these files, including users. ... View more

You can do this in a variety of ways, but using the REST API is likely your best approach. Read http://docs.splunk.com/Documentation/Splunk/6.2.3/RESTUM/RESTusing#Authentication and http://docs.splunk.com/Documentation/Splunk/6.2.3/RESTTUT/RESTsearches. ... View more

I like your commentary and suggestions about how to use answer vs. comments, as well. It is easy to edit an answer, so why not put multiples together? ... View more