inputcsv to restrict a search by a list of field values
A customer asked about a complicated search that could be vastly simplified by using inputcsv to input a list of values from a file, a feature added for 3.3.x. It’s documented as an internal search...
Getting started with 4.0 apps
I’ve been working on some apps for 4.0 and finally I can talk details. Over the next couple of posts I’ll walk through creating a simple app using the new UI tools and a little XML. This is all based off...
List indexes on the main dashboard
If you are comfortable editing XML, here’s a handy hack to get the list of your default indexes in the “All indexed data” dashboard. It will show whatever the logged-in user has access to. If you are...
So you want to write an app
With the previous setup, here’s what I want for my app: a dashboard with a couple of pretty pictures and some top N lists; saved searches for advanced users to explore further; it should work for all my...
OMG a Blog Post!
It’s been forever since I’ve posted anything, but since I’ll be speaking at .conf2012 there is additional material we couldn’t get into our presentation. The blog is a great way to get that online....
Splunk internal logs: alerting
Here is what you will find if you go looking in Splunk’s internal logs when a scheduled search fires an alert. These actions don’t necessarily happen in exactly this order, but this is typically how I...
Tracking indexing status in splunkd.log and metrics.log
To continue the discussion of internal logs, here are some examples of indexing-related activity in splunkd.log and metrics.log. splunkd.log: This scripted input returned new events 09-03-2012...
A quick tour of a dispatch directory
Each search has artifacts that need to be saved on disk. This happens in $SPLUNK_HOME/var/run/splunk/dispatch. There is one directory for each search and it is deleted after the search expires. Here’s...
How long does my search live? Default search ttl
When talking about dispatch directories, it’s important to understand how long a search lives. After a search expires, its artifacts (contained in the dispatch directory) are deleted. Different types...
Deciphering dispatch directory names
Another confusing part of working with dispatch directories is how they are named. You can see the SID value (which is used as the directory name) in the search job inspector and it seems it has some...