This is confirmed in the latest docs https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.3/deploy-search-head-clustering/system-requirements-and-other-deployment-considerations-for-search-head-clusters#maximum-number-of-instances-0 ... View more

This command will check both init-d and systemd on unix. Without the sudo should work on windows. sudo ./splunk display boot-start ... View more

This command will check both init-d and systemd on unix. Without the sudo should work on windows. sudo ./splunk display boot-start   ... View more

The underlying code for both is the same so the performance won't be much different.  The difference is when do you want these fields extracted and when don't you.  KV_MODE=xml will be always done for that sourcetype.  xmlkv will only be done when you use it in a search string.  So if you always want all of the fields to be extracted use KV_MODE but if you only want the fields to be occasionally extracted use xmlkv in your search string. If you only want one or two fields from a big xml file, it might be better to extract them using normal regex extraction Another use for xmlkv is when not all of your event is clean xml. KV_MODE would fail and not give you the fields. In a search, you can use an eval or rex to extract and clean the xml portion and then run xmlkv on that.  ... View more

There is good news. Since version 8.1, this is not only supported but encouraged. See https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/MigrateKVstore for instructions. ... View more

I define WorkWeek as the week number in the year, so week 1 is the first week  in Jan and 52  is the last full week in Dec. ... View more

You can use strftime to create the field.   | makeresults | eval WorkWeek = strftime(_time,"%U") ... View more

I would add this append pipe immediately before your table command. | append [stats values(Month_Year) as Month_Year sum(TotalCount) as TotalCount avg(SLA) as SLA sum(WorkingDays) as WorkingDays avg(DailyCount) as DailyCount | eval Analyst = "Total" ]   ... View more

The url you give in your question prompts the browser to look for that file on the users h drive and not on the splunk server. For security reasons you can not just point to any folder on the splunk server. There is a way round this by uploading a file inside an app and then using its correct link. Let's say you have created an app called documentation. Go to manage apps > Click Edit Properties for your app. Upload your file with Upload asset and save Once it is there, you can link to it with. "/static/app/documentation/MyFile.pdf" so you can make your html.. <a href="/static/app/documentation/MyFile.pdf" target="_blank">help with data</a> ... View more

I have been informed this endpoint (/static/app-packages/APPNAME.spl) is now deprecated and may disappear in future versions. If you are relying on this, now is the time to look for an alternative. ... View more

This is a complex issue but there is a way round it although is is a bit manual to set up. First I hope you are following best practices and are using an external syslog receiver (kiwi syslog, rsyslog, syslogng etc.) and not taking it directly into splunk. If not, please read this http://wiki.splunk.com/index.php?title=Community:Best_Practice_For_Configuring_Syslog_Input&r=searchtip Set up your syslog receiver to save each host to a separate folder like below. log/syslog |________server1 | |______server.log | |________server2 | |______server.log ... Then setup your inputs.conf to collect it. Something like this. [monitor:///log/syslog] index = mysyslogIndex host_segment = 3 sourcetype = syslog The secret to time zones is the props.conf on the forwarder which should look something like this. [source::/log/syslog/server1/*] TZ = US/EASTERN [source::/log/syslog/server2/*] TZ = GMT [source::/log/syslog/server3/*] TZ = UTC +1 You will have to set a stanza with a TZ for every server that isn't in the same TZ as your server, but this is a one off setup and should work going forward. Remember both of these files belong on the forwarder. ... View more

As reported in other answers you should fix this in your props.conf at index time but if the data is already indexed you can break it as follows. Note you need the new line character after delim=" and can type it using shift-enter. |eval raw=_raw |makemv delim=" " raw | mvexpand raw | eval _raw=raw Any other fields the original event had will now be in all part events. i.e. If line3 had a user field, all 3 lines will have that user field. So you may want to delete them and re-extract for the lines with something like this. | fields - user | rex "user=\"(?<user>[^\"]+)\"" ... View more

I would question why you want it done at index time. It rarely makes a performance improvement (In fact more often makes things worse) and takes more disk space. But if you are sure you want to try this on your development system use the above linked answer but replace the REPORT-xyz in props.conf with TRANSFORMS-xyz and add WRITE_META = true to the transforms.conf stanza. ... View more

This is an old answer and only works prior to V7.1. For all other versions read cbreshears_splunk Answer Yes. Just rename it with a .bak extension, restart and use the default password of "changeme" ... View more

Advanced xml is now depreciated. HTML is now possible in simple xml as stated above ... View more

Actually that isn't complete. This would show 1234.56 as 1.234.56 when it is expected to see 1.234,56 Add an extra 2 lines to fix it. | eval count=tostring(count,"commas") | rex field=count mode=sed "s/\./#/g" | rex field=count mode=sed "s/,/./g" | rex field=count mode=sed "s/#/,/g" make it into a macro if you need it a lot. ... View more

My first question is why are you trying to create a new TA for access combined? It is in our “ List of pretrained source types ” that is defined in the file system/default/props.conf Add-On Builder is detecting this and preventing you because of the layering of apps and the rules of Precedence. If config is in a location with a higher precedence, your new TA will not be able to overrule it. If your data differs from access combined, it should have a different sourcetype name. If it is the same but you want to add a couple of field extractions you can just create a new app and build those extractions whilst in it. If you want to normalise it to a data model, (which one/’s?) then it is a little more complex. Best practice is to create new apps on a development system where you can move any existing config to your new app without risking making a mistake in production. Only move to prod when you are happy. If you have to do this in production, I would :- First create a new sourcetype I called it ac2 Under advanced delete the category line and replace it with REPORT-access = access-extractions Then click next Upload sample data and continue as normal. Once you have built your app, edit the app’s props.conf from the command line. Replacing ac2 with access_combined reboot splunk for it to take effect. But this takes away most of the advantage of the Add-On Builder being GUI. ... View more

The time format is not fixed in log4j so spunk can not assume one format. If your company has standardised on a date format, it would be good practice to add TIME_FORMAT to save splunk having to test all possibilities. In general It is good practice to use or clone splunk pre trained source types and as always the more you tell splunk, the less it has to "guess" which reduces indexing load. For ref this link shows some of the date possibilities. http://logging.apache.org/log4j/2.x/manual/layouts.html#PatternLayout Look for date{pattern} ... View more

This seems to be a recent change that came in with v6.4. I have found if you add the following to the beginning of your search it will include the search head and all other servers. splunk_server=* ... View more

You need to tell splunk that it is using a diferent line breaker. On your indexer, create a props.conf stanza something like this [source::my/source/file.log] LINE_BREAKER = [\x02\x03]+ you may want to replace the source with your sourcetype. See http://docs.splunk.com/Documentation/Splunk/latest/Data/Indexmulti-lineevents for more details. ... View more

If there are items missing, you probably have them set as private. Go to settings All configurations chose your app from the dropdown and check on Show only objects created in this app context . Click on the word sharing twice so it has a down arrow next to it. Anything that has private in that column will not be packaged in your app so click on Permissions , change it to This app only and save Repeat for all the private items. Then package using either of the above methods. ... View more