How to modify the 2.1 UI’s default behaviour to only search recent events
If you only ever care about the last few hours or the last day of your data, this simple change will speed up your search results tremendously. Until our next big release, which will basically behave this way by default, here’s how you can do this in 2.1 code.
This is a change in three places, but fortunately very fast to make, and all in the same file.
$SPLUNK_HOME/share/splunk/search/dynamic/main_ui.html
Note: The example here will set your UI to search only the past 6 hours by default. After doing this it should be easy to see how to change it to search 1 day, or 45 minutes, etc…
Note: Also, you don’t need to restart the front end to see these changes, but you DO…
SplunkNinjaWear – In style at RSA
Gotta love this blog post from Jason, who attended the RSA Conference in SF yesterday:
(here’s the snippet)
“I also met the guys (and gals) from Splunk. The coolest shirt ever. I’m posting pics when I get back. It involves ninjas…”
http://www.likertland.com/blog/2007/02/05/monday-at-the-rsa/
SplunkNinja loves this guy!

Matt Sacks on Splunk in SysAdmin magazine
Matt Sacks from Reunion.com wrote a great article in SysAdmin magazine’s current issue with lots of technical detail about setting up Splunk as a central log host for syslog and SNMP. Unfortunately it looks like it’s only available in print. Maybe they’ll put it online once a newer issue comes out.
