Yes. Best way is to install in each DC a Universal Forwarder that sends its logs to one or (better) more indexers, eventually clustered (if you need to maintain logs). To search logs you can use an additional search head or (if clustered) one or more indexers. Instead,if you want to store logs on the DC, you have to configure an additional Splunk configured as a Search Head that uses all the DC Splunks as Search peers. To do this, install Splunk on a new machine and configure distributed search adding Search Peers: [Settings -- Distributed Search -- Enable Distributed Search -- Add Search Peers] and restart Splunk. Bye. Giuseppe ... View more

Thanks for prompt reply..!! ... View more

I copied your dbquery as-is from your example and it was missing a double-quote on the end. I have re-edited it; try it now. ... View more

http://answers.splunk.com/answers/25658/whats-the-point-of-custom-python-scripts.html This is what I did Put my custom python script in this folder /var/sky/splunk/etc/system/bin import csv import sys import splunk.Intersplunk import string (isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv) if len(sys.argv) < 2: splunk.Intersplunk.parseError("No arguments provided to custom script") results = splunk.Intersplunk.readResults(None, None, True) splunk.Intersplunk.outputResults(results) Modify commands.conf file in below folder /var/sky/splunk/etc/system/local defaults for all external commands, exceptions are below in individual stanzas type of script: 'python', 'perl' TYPE = python default FILENAME would be .py for python, .pl for perl and otherwise is command streamable? STREAMING = true maximum data that can be passed to command (0 = no limit) MAXINPUTS = 50000 end defaults [customtest] filename = customtest.py To reload the setting run this URL in your browser (Just in case, if required) https://SPLUNK_HOSTNAME:PORT/debug/refresh And this is how we can use custom command in splunk | customtest GETINFO [Inputparameters] ... View more

1) Create a lookup table in Splunk with sample_server and sample_disc 2) Run below command |inputlookup table.csv | fields sample_server sample_disc | python_pdc sample_server sample_disc | count(eval(percentage < 90%)) as count ... View more

Great thanks guys. i had a few errors in my lookup table that caused some weird results. All good now. I have used this before as my guide: search | lookup [lookup definition name] [fieldname1 in lookup table to check] as [fieldname2 in events] OUTPUT [ fieldname3 in lookuptable ] as [fieldname4 - you can create a new name] | search [fieldname4]=”*” couldn't understand why it wasn't working this time! ... View more

tested on another splunk instance and doesn't seem limited this time testcase * | stats dc(dest_ip) as countip,values(dest_ip) | sort limit=1 - countip have more than 8000 results csv file is two lines header one 123000 length line -> good the one with the pb has many parameters set -> still trying to find which one manage this ... View more

Thank you! ... View more

No prb. Let me know if it works ... View more

I'm getting exactly the same issue. From 2.7.10 not working, downgraded to 2.7.6, to a.py not working and c.py working. Ports and credentials checked. ... View more

it works.. thanks a lot... ... View more

Setting the cron schedule on an RT search will leave the search running in real-time. For RT searches, the cron schedule indicates how often Splunk will kick off the search if it is not already running. If your RT search fails, the cron schedule will indicate how often Splunk will check and restart it if needed. I usually set scheduled RT searches to have a cron schedule of */5 * * * * . ... View more