You can either use the splunk add oneshot command, or if you are using the Splunk file monitor, you can perform a clean of the fishbucket index on the input instance. ... View more

You can use a lookup table with tags for your different host names. For example, if you had a CSV table like this: host,host_tag HostA,webserver HostB,webserver HostC,sqlserver HostD,domaincontroller You could then create a lookup in splunk like the following: transforms.conf: [hostlookup] filename = mylookupfile.csv and props.conf: [host::*] lookup_hostlookup = hostlookup host OUTPUTNEW host_tag Now what this will do, is that every search you run, for every event's host field splunk will look in your CSV table for the corresponding host_tag and output it as a new field. This also means that you could do a search like the following: host_tag=webserver and it would return events from HostA and HostB. The lookup table is easy to update and keep current, a lot easier than working with a lot of Splunk tags. Post a comment if you have any questions. ... View more

Hi, I am trying to setup disk space alert for few servers but I am not getting any results with sourcetype="df". As I am very new splunk user, could you please let me know is there any other source type available for disk space or how can I set up alert on those servers where sourcetype=df not available? Thanks in advance. ... View more