The dojo of Splunk. Learn, share, teach, mentor.
Upgraded to 4.0
OK so I have finally upgraded to version 4.0 and now I am kicking myself that I didn't do it sooner! I mean I should have known that if someone known as the splunk ninja recommends you to upgrade your Splunk install then you REALLY should listen to him!
It would seem that the event segmentation works much better and now it is behaving how I would expect. I must admit that I was getting a little confused with the field allocation seemingly changing all the time but 4 seems to be solid as a rock.
It would seem that the event segmentation works much better and now it is behaving how I would expect. I must admit that I was getting a little confused with the field allocation seemingly changing all the time but 4 seems to be solid as a rock.
Comment
-
Comment by Ben Corbett on September 4, 2009 at 12:50am -
After your comment on pulling out the src_ip I was ripping my hair out trying to find the field. I nthe end I did a sort of mash up with the rhost field that kind of did what I wanted but not exactly. It was confusing me becasue I wasn't exactly sure where the rhost was coming from. e.g. If i looked on one of the servers for the past 3 hours, the rhost field would not be present but then if I changed this to say 24 hours it would then appear.
I'm not going to worry about it too much though because everything is behaving as I would expect in version 4. Woop Woop!
-
Comment by Michael Wilde on September 4, 2009 at 12:15am - Ben... What do you find confusing about field allocation? Is the "Other Interesting Fields" concept that shows up in the blue sidebar?
-
Comment by Michael Wilde on September 4, 2009 at 12:13am
- Next up.... Make your own app.... I'll do a video on it, and you'll see why :)
Videos
Latest Splunk Community Postings
© 2010 Created by Michael Wilde.
Powered by 
.
You need to be a member of splunkninja to add comments!
Join splunkninja