As you probably already know, IRC is a good place to learn things. Here are some URLs I learned from the Splunk channel:
http://host:webport/en-US/debug/refresh reloads some parts of Splunk, including applications' views. Very useful when developing a new application. No need to restart each time!
https://host:8089/services/admin/inputstatus/TailingProcessor:FileStatus displays the status of file monitoring. Note that the port is the management one, not the web one, so I guess this interface is available on agents even if splunkweb is not started. You can hit /services/admin/ to find a lot of other information.
After a few weeks trying to persuade my boss to buy Splunk, I have started to put it into production. My first goal was to clone the search application's dashboard using a dedicated index. I have a few Splunk agents reading Tomcat logs and forwarding them to my Splunk instance. All these logs go to a dedicated index named rtlnet. Our web developers want to use Splunk to see the production logs. While it was easy to create the rtlnet index, I wanted to clone the search dashboard to give them an overview of logs by application or by host. However, while it was easy to add index=rtlnet to the metadata search, I was not able to add the index to the search computed when you click on a result (for example the sourcetype).
Here is the original code, which produces one of the three panels:
As I said, adding index=rtlnet to the metadata search is trivial. However, when a user clicks on a result (in this case a source), the computed search was only source=$target, so there were no results, since the index is not specified. After spending a few hours trying to understand how to add the index to the existing intention, I finally understood that I needed to nest it in a new HiddenIntention. Here is the new module definition: