I'll try again http://answers.splunk.com/storage/attachments/28619-flow_02_09_15.zip ... View more

File attached - please try this ... View more

My bad - wasn't seeing the upload option when replying to a message. Needed to add an answer to see the option. Screenshot below: ... View more

Missed that first eval statement - thx New search query: | eval Bandwidth="Inbound Traffic _bps" + "Outbound Traffic _bps"| timechart span=1m values("Inbound Traffic _bps") as "Inbound" ,values("Outbound Traffic _bps") as "Outbound" values(Bandwidth) as "Total Bandwidth (bps)" What do I enter for the image URL? Thx again ... View more

Thx for the great info. That is exactly what I wanted, however, I had to modify my search as such: | eval Bandwidth=Inbound+Outbound | timechart span=1m values("Inbound Traffic _bps") as "Inbound" ,values("Outbound Traffic _bps") as "Outbound" With that, I'm seeing a different result than you got. How can I post a screenshot? Thx ... View more

Thx for the info ... View more

Found the answer (fix worked for me on the same issue) here - http://answers.splunk.com/answers/203979/splunk-app-for-microsoft-exchange-how-to-get-the-t.html ... View more

johd and somesoni2, thx for the information and recommendations... Much appreciated. ... View more

Thx for the reply and info. Added various sourcetypes in different queries and sometimes I see no results for the avg count, yet I see events. For one particular query I see 373k events, yet nothing is returned in the statistics tab even though the the days are being listed for the following query: index=myindex sourcetype=myindex | timechart span=1d avg(count) Thx ... View more

When I run the | timechart span=1h avg(count) query, no stats are being returned and I can't figure out why ... View more

Thx Rich. Worked except for the angle brackets which it strips out. Regex is: index=myidex sourcetype="unixs1" | head 10000 | rex "\\.info\\] Accepted keyboard-interactive for\\s+(?P(anglebracket)authuser(anglebracket)[^ ]+)" ... View more

After some fiddling around, I fixed the regex. For some reason, it needed two back slashes (apologize as earlier I said forward slashes) in front of .info, behind .info, and two back slashes before s+. Once I made those modification, the authuser field was extracted. I'd like to post the regex for others, but every time I try and post it the back slash is causing problems. Any one know how to override the tags here? Thx ... View more

Apologizes as the copy of the actual string failed because of the forward slashes and angle brackets in the regex. It should be: index=unixs| rex "(forwardslash).info(forwardslash)] Accepted keyboard-interactive for(forwardslash)s+(?P(anglebracket)authuser(anglebracket)[^ ]+)" When I enter that search string in, the authuser field name doesn't not appear Thx ... View more

Kyle, Did you modify the props.conf and transforms.conf files before you added the Infoblox data, or did you add the Infoblox data first and then modify the props.conf and transforms.conf files to split up by log type? Thx ... View more

Improved search when I drop the field=priority. I am seeing unique usernames, but also getting some non-usernames, such as: Timeout before authentication for x.x.x.x the word "for" log files other than the ones listed in original message: Accepted keyboard-interactive for Accepted password for Failed keyboard-interactive for That's where the frustration comes in as the regex is getting a majority of the valid usernames, but it's still grabbing some values that aren't usernames. And for edification on my part, the ?: is a non-capturing subpattern that is looking for "for|user|superuser" as a starting point, and then matches on everything after up untila nd including the space, correct? Thx again ... View more

Rich, Thx for the reply. 1) Tried the rex and it's not returning the username field 2) Unfortunately, the username doesn't always follow "for" (which adds to the frustration) 3) Sample info below: Dec 19 14:14:27 sshd[5977]: [ID 800047 auth.notice] Failed password for root from x.x.x.x port 1055 ssh2 Dec 19 14:14:27 sshd[5977]: [ID 649047 auth.info] AFS Ignoring superuser root Dec 19 14:14:27 sshd[5977]: [ID 800047 auth.notice] Failed password for root from x.x.x.x port 1055 ssh2 Dec 19 14:14:28 sshd[5977]: [ID 800047 auth.notice] Failed password for root from x.x.x.x port 1055 ssh2 Dec 19 14:14:28 sshd[5977]: [ID 800047 auth.info] Disconnecting: Too many authentication failures for root Dec 19 14:14:28 sshd[5980]: [ID 800047 auth.info] Illegal user admin from x.x.x.x Dec 19 14:14:28 sshd[5980]: [ID 800047 auth.info] input_userauth_request: illegal user admin Dec 19 14:14:28 sshd[5980]: [ID 800047 auth.info] Failed none for from x.x.x.x port 1188 ssh2 Dec 19 14:14:29 sshd[5983]: [ID 818691 auth.error] AFS Authentication failed for user admin. user doesn't exist Dec 19 14:14:29 sshd[5980]: [ID 800047 auth.info] Failed password for from x.x.x.x port 1188 ssh2 Dec 19 14:14:29 sshd[5984]: [ID 818691 auth.error] AFS Authentication failed for user admin. user doesn't exist Dec 19 14:14:29 sshd[5980]: [ID 800047 auth.info] Failed password for from x.x.x.x port 1188 ssh2 Dec 19 14:14:29 sshd[5985]: [ID 818691 auth.error] AFS Authentication failed for user admin. user doesn't exist Dec 19 14:14:29 sshd[5980]: [ID 800047 auth.info] Failed password for from x.x.x.x port 1188 ssh2 Dec 19 14:14:29 sshd[5986]: [ID 818691 auth.error] AFS Authentication failed for user admin. user doesn't exist Dec 19 14:14:29 sshd[5980]: [ID 800047 auth.info] Failed password for from x.x.x.x port 1188 ssh2 Dec 19 14:14:30 sshd[5987]: [ID 818691 auth.error] AFS Authentication failed for user admin. user doesn't exist Dec 19 14:14:30 sshd[5980]: [ID 800047 auth.info] Failed password for from x.x.x.x port 1188 ssh2 Dec 19 14:14:30 sshd[5988]: [ID 818691 auth.error] AFS Authentication failed for user admin. user doesn't exist Dec 19 14:14:30 sshd[5980]: [ID 800047 auth.info] Failed password for from x.x.x.x port 1188 ssh2 Dec 19 14:14:30 sshd[5980]: [ID 800047 auth.info] Failed password for from x.x.x.x port 1188 ssh2 Dec 19 14:14:30 sshd[5980]: [ID 800047 auth.info] Disconnecting: Too many authentication failures for admin Dec 19 14:14:33 sshd[5989]: [ID 800047 auth.info] Illegal user admin from x.x.x.x Dec 19 14:14:33 sshd[5989]: [ID 800047 auth.info] input_userauth_request: illegal user admin Dec 19 14:14:33 sshd[5989]: [ID 800047 auth.info] Failed none for from x.x.x.x port 2441 ssh2 Dec 19 14:14:33 sshd[5992]: [ID 818691 auth.error] AFS Authentication failed for user admin. user doesn't exist Dec 19 14:14:33 sshd[5989]: [ID 800047 auth.info] Failed password for from x.x.x.x port 2441 ssh2 Dec 19 14:14:33 sshd[5993]: [ID 818691 auth.error] AFS Authentication failed for user admin. user doesn't exist Dec 19 14:14:33 sshd[5989]: [ID 800047 auth.info] Failed password for from x.x.x.x port 2441 ssh2 Dec 19 14:14:33 sshd[5994]: [ID 818691 auth.error] AFS Authentication failed for user admin. user doesn't exist Dec 19 14:14:33 sshd[5989]: [ID 800047 auth.info] Failed password for from x.x.x.x port 2441 ssh2 Dec 19 14:14:34 sshd[5995]: [ID 818691 auth.error] AFS Authentication failed for user admin. user doesn't exist Dec 19 14:14:34 sshd[5989]: [ID 800047 auth.info] Failed password for from x.x.x.x port 2441 ssh2 Dec 19 14:14:34 sshd[5996]: [ID 818691 auth.error] AFS Authentication failed for user admin. user doesn't exist Dec 19 14:14:34 sshd[5989]: [ID 800047 auth.info] Failed password for from x.x.x.x port 2441 ssh2 Dec 19 14:14:34 sshd[5997]: [ID 818691 auth.error] AFS Authentication failed for user admin. user doesn't exist Dec 19 14:14:34 sshd[5989]: [ID 800047 auth.info] Failed password for from x.x.x.x port 2441 ssh2 Dec 19 14:14:35 sshd[5989]: [ID 800047 auth.info] Failed password for from x.x.x.x port 2441 ssh2 ... View more

You should be able to go to Manage Apps and select Set up and change the index to symantec. Make sure you're sending your Symantec logs to that index. ... View more

Thx for that explanation as that really helps me to understand what the true function of the add data process is as I was under the assumption it was in addition to setting the time stamp and event breaking functions, was to extract fields as well. So basically as long as time stamps and event breaking is correct when adding data, I can then work on field extraction during searches, correct? ... View more