Splunk Search

Is Splunk 4.2.3 for Windows 64 buggy or is it just me?

luke_mitchell
New Member

Hi

I'm not sure if this is just me, but I'm running Splunk on Windows 7 Professional, 6 GB RAM, Intel i5 2.30 GHz, and it seems like it's as buggy as ... something really buggy.

I've only installed this on my laptop temporarily in order to quickly index some old Linux syslog files. Unfortunately it hasn't been quick; it's been quite painful.

To start with, when importing the syslog files:
- If imported individually, the host of each entry is overwritten with the localhost name.
- So then I import via a directory; great, the host name is now correct, but the timestamp is almost random for about 20% of the logs imported (around 39 syslogs over the same number of days).

Trying to fix the timestamp issue:
- So I create a rex and convert the correct timestamp and try to use "chart count over new_time" and produce a line or area chart, and instead of nice connected lines like the example I get a broken-up, almost column-looking chart; I guess the data is not contiguous.
- So then I do "eval _time=new_time | timechart ..." and everything worked great last night. Today, trying to overwrite _time causes splunkd to crash.

What else:
- Oh yeah, si commands don't create any summary index data. Yay!
- Plus the cyclic redundancy check to stop it importing the same file, yeah, that doesn't work either (in fact it doesn't work on our main Linux installation of Splunk either; 3/4 of our licensing volume is Splunk re-ingested old "messages.[0-9]+.gz" logs, fun).

I love Splunk, in fact I introduced it to my current company, but this is driving me nuts.

If there's a patch or something that magically fixes this then great, otherwise I guess I just need to vent.

Regards
Luke


malberto
Explorer

Is ANY of this behavior different than Splunk on any other platform?

1) What sourcetype are your syslog files classified as?
If they aren't syslog, you should add them as inputs and explicitly set the sourcetype to syslog.

2) This is probably a result of #1. Otherwise, you can explicitly specify the timestamp format in props.conf with TIMESTAMP_CONFIG.

3) The cyclic redundancy check issue doesn't sound Windows-related.
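One way to apply the explicit sourcetype and timestamp settings this answer recommends, as an added example that is not configuration from the thread or from Splunk's own docs (the app name `my_syslog_app`, the monitored path and the index name are assumptions):

```ini
# inputs.conf  (assumed location: $SPLUNK_HOME/etc/apps/my_syslog_app/local/)
# Monitor the directory of archived syslog files and force the sourcetype
# rather than letting automatic classification guess it per file. With the
# syslog sourcetype, Splunk's built-in syslog host handling takes the host
# from each line's header instead of stamping the local machine name.
[monitor://C:\old_logs\syslog]
sourcetype = syslog
index = main

# props.conf  (same app)
# Classic syslog lines carry no year, e.g. "Mar  3 14:02:11 web01 sshd[4120]: ...",
# so pin the timestamp format explicitly instead of relying on auto-detection.
[syslog]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 16
# Splunk infers the missing year itself, and events dated further back than
# MAX_DAYS_AGO (default 2000 days) are treated as having an invalid timestamp,
# so raise the limit when the archive is older than that.
MAX_DAYS_AGO = 3650
```

After indexing, a quick gap check such as `index=main sourcetype=syslog | timechart span=1d count` shows whether the day-by-day counts match the roughly one-file-per-day archive; a spike on the ingestion date usually means timestamps fell back to index time.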
