Hi, Does the Perfmon inputs record data when the value is zero? It would seem that it doesn't and that differs from WMI inputs. Example Perfmon Stanza: [PERFMON:System] counters = Processor Queue Length disabled = 0 instances = interval = 5 object = System index = main Thanks. ... View more

Hi, I have a log that contains large multiline events such as: ---- DS log entry made at 08/29/2011 11:03:00 *** Log is continued from intermediate LogID [15cc1510] *** Message E:\FILES\SPOOL\DOMAINS\TEST.COM\B0391744043.RCP queued for remote delivery to domain TEST.COM (.LCK). Message E:\FILES\SPOOL\DOMAINS\TEST.COM\B0391744045.RCP queued for remote delivery to domain TEST.COM (.LCK). Message E:\FILES\SPOOL\DOMAINS\TEST.COM\B0391744047.RCP queued for remote delivery to domain TEST.COM (.LCK). Message E:\FILES\SPOOL\DOMAINS\TEST.COM\B0391744051.RCP queued for remote delivery to domain TEST.COM (.LCK). Message E:\FILES\SPOOL\DOMAINS\TEST.COM\B0391744053.RCP queued for remote delivery to domain TEST.COM (.LCK). Message E:\FILES\SPOOL\DOMAINS\TEST.COM\B0391744054.RCP queued for remote delivery to domain TEST.COM (.LCK). Message E:\FILES\SPOOL\DOMAINS\TEST.COM\B0391744056.RCP queued for remote delivery to domain TEST.COM (.LCK). Message E:\FILES\SPOOL\DOMAINS\TEST.COM\B0391744062.RCP queued for remote delivery to domain TEST.COM (.LCK). *** Intermediate LogID [15cc03e0] will be continued later. *** I would like each line that starts with "Message" to be its own event so that I can search and manipulate related events. But the induvidual lines when I break them don't have a timestamp and so I get errors like: DateParserVerbose - Failed to parse timestamp for event. Context="source::/opt/logs/OPR20110829-7.LOG|host::server1|mysourcetype|" Text="Message E:\FILES\SPOOL\DOMAINS\TEST.COM\B0391744043.RCP queued for remote delivery to domain" Using props.conf of: [mysourcetype] LINE_BREAKER = ([\r\n]+)((----)|(***\s)|(Message\s)) SHOULD_LINEMERGE = false When I look at the events in the search app they end up appearing in the correct order with a timestamp that based on precedence would seem like it's getting it from the previous events based on the documentation. The source is /opt/logs/OPR20110829-7.LOG and I also tried a custom file name timestamp to with luck. How can I supress the warnings in the splunkd logs if the timestamp precedence is working ok for me? ... View more

Hi, I've struggled with this log file for a while and can't seem to come up with a way to make it very usable. I have a log file that contains these types of events (examples): ---- SMTPR log entry made at 12/29/2010 17:37:37 Incoming SMTP call from A.B.C.D at 17:37:37. Message [email protected] received at 17:37:37 from external.server.com (unverified [A.B.C.D]). Size: 1943 bytes Return-path: [email protected] Recipients: [email protected], Incoming SMTP call from A.B.C.D completed at 17:37:37. ---- SMTPD log entry made at 12/29/2010 13:59:34 *** Log is continued from intermediate LogID [13b014c8] *** Message E:\PROGRAM FILES\SPOOL\DOMAINS\CUSTOMERA.COM\B0288541202.RCP queued for remote delivery to domain customera.com (.LCK). Message E:\PROGRAM FILES\SPOOL\DOMAINS\CUSTOMERA.COM\B0288541209.RCP queued for remote delivery to domain customera.com (.LCK). Message E:\PROGRAM FILES\SPOOL\DOMAINS\CUSTOMERA.COM\B0288541210.RCP queued for remote delivery to domain customera.com (.LCK). Message E:\PROGRAM FILES\SPOOL\DOMAINS\CUSTOMERB.COM\B0288541215.RCP queued for remote delivery to domain customerb.com (.LCK). Message E:\PROGRAM FILES\SPOOL\DOMAINS\CUSTOMERC.COM\B0288541211.RCP sent to 1 out of 1 recipient(s) in domain customerc.com: 250 2.0.0 oBTIxERa017308 Message accepted for delivery\r\n Message E:\PROGRAM FILES\SPOOL\DOMAINS\CUSTOMERC.COM\B0288541211.RCP delivered to recipient [email protected]. Message E:\PROGRAM FILES\SPOOL\DOMAINS\CUSTOMERC.COM\B0288541211.RCP deleted for recipient(s) in domain customerc.com. Message E:\PROGRAM FILES\SPOOL\DOMAINS\CUSTOMERB.COM\B0288541215.RCP sent to 1 out of 1 recipient(s) in domain customerb.com: 250 2.0.0 oBTIxE5C020605 Message accepted for delivery\r\n Message E:\PROGRAM FILES\SPOOL\DOMAINS\CUSTOMERB.COM\B0288541215.RCP delivered to recipient [email protected]. Message E:\PROGRAM FILES\SPOOL\DOMAINS\CUSTOMERB.COM\B0288541215.RCP deleted for recipient(s) in domain customerb.com. Message E:\PROGRAM FILES\SPOOL\DOMAINS\CUSTOMERD.COM\B0288541229.RCP queued for remote delivery to domain customerd.com (.LCK). Message E:\PROGRAM FILES\SPOOL\DOMAINS\CUSTOMERD.COM\B0288541230.RCP queued for remote delivery to domain customerd.com (.LCK). Message E:\PROGRAM FILES\SPOOL\DOMAINS\CUSTOMERD.COM\B0288541243.RCP queued for remote delivery to domain customerd.com (.LCK). *** Intermediate LogID [13b00aec] will be continued later. *** The SMTPR events are easy to handle as I can just treat it as a multiline event and get what I need out of it. The SMTPD events are harder as in theory I would want to break each line in the entire event up into its own event. Can I use Line Breaking to break up the one event type and not the other if they are both coming from the same source/sourcetype? Thanks! ... View more

Hi! Probably a simple question, but I have a forwarder that is mointoring an entire directory all with all the files being set with a common sourcetype. There are several formats/sources of files in the directory and I want to change my inputs.conf to break them out into different sourcetypes so that I can get more granular in some of my field extractions and searches. I know that Splunk has many built-in mechanisms that will keep it from re-indexing the same file and I want to make sure that's done at the raw file level and not based on any meta-data such as sourcetype etc. Thanks! ... View more

Hi, Is there a search that can return the list of indexes configured on a Splunk Indexer? Or is the only way to look at the _internal index and work it out based on data that exists in that index from performance metrics etc.. Thanks! ... View more

I have a user who did something that is now prompting for a splunk restart. Is there any way to determine what config change they made? I've looked through the _internal index but with no luck. Thanks! ... View more

Does anyone have a good way (or am I missing the something obvious?) of calculating for a defined time range the average frequency of the events logged? Such as eventtype A appeared every X minutes. Thanks! ... View more

Ok. Not having a spectacular regex day... I have this: Recipients: [email protected], [email protected], [email protected], In props.conf I have: [mySource] EXTRACT-recipients = (?i)Recipients: (?P<recipients>.*, ) REPORT-to = myTo and in transforms.conf I have: [myTo] REGEX = (?P<to>.*?[,]) SOURCE_KEY = recipients MV_ADD = true It sorta works, but I'm getting each to value twice, and how do I drop the trailing ',' at the end. Thanks!! ... View more

I have an event that is coming from a Windows forwarder. When you view the event in the log file on the server it looks like this: ---- log entry made at 07/02/2010 09:15:00 Incoming SMTP call from a.b.c.d at 09:15:00. Message [email protected] received at 09:15:00 from mail1.outsidedomain.com (unverified [a.b.c.d]). Size: 18842 bytes Return-path: [email protected] Recipients: [email protected], Incoming SMTP (SSL/TLS) call from a.b.c.d completed at 09:15:00. When you search for the event in splunk web it looks the same. If I use rex in search to get the Return-path using: (?i)\-path: (?P<from>.*) I get the proper values '[email protected]', but if I put the regex into props.conf for that field I'm getting '[email protected]: [email protected], Incoming SMTP (SSL/TLS) call from a.b.c.d completed at 09:15:00.' Is it possible for splunk web to be putting a newline in or something like that? ... View more