http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Streamstats#Basic_examples ... View more

To configure or update the DMC in automated fashion, it seems like you have to fully populate all of these files correctly (for Distributed mode): splunk_monitoring_console/local/app.conf splunk_monitoring_console/local/assets.csv splunk_monitoring_console/local/splunk_monitoring_console_assets.conf splunk_monitoring_console/local/savedsearches.conf etc/system/local/distsearch.conf You can copy aside the files after your config management tool (e.g. SaltStack) has generated them and then diff with the version Splunk has modified once you "Apply Changes". Any major changes will tell you what you still need to do 'manually'. Once you have it all, clicking "Apply Changes" (or enabling Distributed mode or 'Enable Monitoring') is no longer needed. ... View more

Watch out, reader! In the second, very useful, snippet, the backslash has been lost and is needed in front of each 'r', 'n', and 'd': LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2},\d{3}) ... View more