You'll have to download another Splunk version and install it in a different directory. Then copy over the application.css file from $SPLUNK_HOME/etc/apps/search/appserver/static. Once you're done, you can delete the extra version of Splunk. ... View more

Its a generic error, but the culprit is that you need to escape the & character - in xml it is &amp; Also remember that match is the name of the xml file, not the label. But if you don't get the match right, the menu just won't appear in the nav and no error will be issued. Lastly, when troubleshooting the nav it helps to use the endpoint: https://localhost:8089/servicesNS/admin/<app name>/data/ui/nav?refresh=1 ... View more

Gerald's answer will work, but if you're running this ad-hoc (not in an alert): | stats count,list(User_Name),list(Logon_Desc) by host You can also use values() instead of list(). The difference is described here: http://www.splunk.com/base/Documentation/4.1.5/SearchReference/CommonStatsFunctions ... View more

With the stats command, the only series that are created for the group-by clause are those that exist in the data. If you have continuous data, you may want to manually discretize it by using the bucket command before the stats command. If you use span=1d _time, there will be placeholder values created for empty days and all other _time values will be snapped to the day. All of this is done for you automatically in the timechart command. ... View more

There was a discussion about this here, which I will shamelessly cross-post: http://www.splunk.com/wiki/Receive_events_whenever_someone_plugs/unplugs_a_USB_device There are lots of places that track this information. The question is are you getting what you want? You can monitor HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB. That is the most direct way. However, it won't necessarily tell you in layman's terms what device was added, as you get a lot of binary keys with arbitrary and self-described terms (e.g. if a person used a purpose-built device that obfuscates it's function this won't tell you much) You can configure your audit policy to capture all system changes to the security event log. This is the pretty-print way, and probably the best. However you will capture all device changes (drive mappings at logon, etc) not strictly USB related changes. Finally, you can use WMI instrumentation to 'track' changes to the USB system. This isn't a bad way, though it doesn't maintain any state so you're really polling the current USB config over and over and de-duping at search time. Its documented here: http://www.splunk.com/base/Documentation/latest/admin/Wmiconf Receive events whenever someone plugs/unplugs a USB device to/from the computer [WMI:USBChanges] interval = 1 wql = select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device' disabled = 0 current_only = 1 ... View more

I don't know of a theoretical limit. The highest I've seen is 6,000 forwarders reporting to a single indexer. It was a subset of WinEventLogs, so in aggregate the volume was low - about 150GB/day. Splunk does a good job of managing connections, and the overhead is low so long as you don't require SSL. You will have to increase the file descriptor limit (ulimit -n) to allow for all those sockets to be referenced. Assuming there is a limit somewhere, you make a good point that auto-lb would not help. I'd recommend an intermediate forwarding tier. You would explicitly assign each client forwarder to one of multiple intermediate forwarders, and then have the intermediate forwarders LB amongst the indexing tier. Keep in mind that a forwarder will only be able to LB about 200GB/day of data. You'll also have to be careful which forwarders execute which parts of the parsing pipeline, which can get tricky. ... View more

Here is an example config that accomplishes this. I would recommend reading: http://www.splunk.com/base/Documentation/latest/Admin/Configureforwarderswithoutputs.conf outputs.conf [syslog] defaultGroup=nothing indexAndForward=true [syslog:serverX] server = beefysup01:514 [syslog:serverY] server = 10.1.12.10:514 Note: By default, all events will get sent to all configured target groups. To avoid this, you need to set defaultGroup=nothing ("nothing" can be any name that is not defined as a target group). Then you manually route data to the targets using props and transforms. props.conf [source::B] TRANSFORMS-routing=syslogRouting Note: This is an example of why you should receive different types of network inputs on different ports. If data feeds A and B were different kinds of syslog (say router data and proxy data), and if both were received on default syslog port 514, then you would have a hard time separating A from B. transforms.conf [syslogRouting] REGEX=. DEST_KEY=_SYSLOG_ROUTING FORMAT=serverX,serverY Note: FORMAT is a comma separated list of target groups, which results in cloning of the data. ... View more