I developed the following app to address change management and environment analysis issues: https://splunkbase.splunk.com/app/3295/ ... View more

I like this solution using transforms.conf [views_std] MV_ADD = 1 REGEX = \<(\w+[^\n\/\>]+)\/?\>([^\<\n][^\<]*)\< FORMAT = $1::$2 CLEAN_KEYS = true [views_param] MV_ADD = 1 REGEX = \<(\w+ [^\n\/\>]+)\/?\> FORMAT = param::$1 CLEAN_KEYS = true [views_option] MV_ADD = 1 SOURCE_KEY = param REGEX = (\w+(?: \w+)*)="(?!host|source|sourcetype|index|splunk_server)(\w+)" FORMAT = $1::$2 CLEAN_KEYS = true ... View more

I like this solution using transforms.conf [views_std] MV_ADD = 1 REGEX = \<(\w+[^\n\/\>]+)\/?\>([^\<\n][^\<]*)\< FORMAT = $1::$2 CLEAN_KEYS = true [views_param] MV_ADD = 1 REGEX = \<(\w+ [^\n\/\>]+)\/?\> FORMAT = param::$1 CLEAN_KEYS = true [views_option] MV_ADD = 1 SOURCE_KEY = param REGEX = (\w+(?: \w+)*)="(?!host|source|sourcetype|index|splunk_server)(\w+)" FORMAT = $1::$2 CLEAN_KEYS = true ... View more

very interesting perspective. thank you. ... View more

The key lines that you need are: LINE_BREAKER = ([^\x00-\x7F]) TRUNCATE = 0 ... View more

To clarify, it should be on the heavy forwarder, not the universal forwarder. ... View more

Your answer inspires me to think that we could just use cron (at the os level) or task manager (windows) to run a command line splunk API call to run the search. ... View more

Separate the data into lines (events): | rex max_match=0 "(?<line>[^\)]+\)\n\N+)" | mvexpand line | table line [https://regex101.com/r/qN6tG2/1] Next, do your extractions: | rex field=line "quota list --verbose (?<fs>[A-Z0-9_]+) " | rex field=line max_match=1000 "ViVol: (?<vivol>(?!user)[A-Za-z0-9]+)\nUsage\s+:\s+(?<usage>[0-9. A-Za-z]+)\n\s*Limit\s+:\s+(?<limit>[0-9A-Z. ]+)" | table fs, vivol, usage, limit Use the SPL command filldown: | filldown fs to get: fs vivol usage limit FIRST_FS VOL_ABC 100 300 FIRST_FS VOL_XYZ 320 800 FIRST_FS VOL_123 50 150 then take it from there. ... View more

The SPL command filldown is your friend. sourcetype=access_combined | filldown kbps | eventstats avg(kbps) as avgkbps by host http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Filldown ... View more

| filldown ... View more

The much more elegant solution uses the SPL command filldown: ... | bucket _time span=1hour | filldown value | stats sum(value) as total by _time,category | streamstats global=f current=t sum(total) as accu_total by category ... View more

SET HOMEDRIVE=C: SET HOMEPATH=\Users\Andrew Clears the error for: splunk reload deploy-server And enables the authentication to proceed. C:\Program Files\Splunk\bin>splunk reload deploy-server Reloading serverclass(es). ... View more

You may use the savedsearch function: http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Savedsearch ... View more

From the data I am seeing, the fields are not separated by commas and need regex that looks for things other than commas: name1-name2-Uptime N. California [RealBrowser] 8419 100 0 23 name1-name2-Uptime N. Virginia [RealBrowser] 10062 100 0 25 name1-name2-Uptime Chicago, IL [RealBrowser] 6882 95.83300018 1 24 name1-name2-Uptime Dallas, TX [RealBrowser] 9558 100 0 23 Based on the form of your regex for the value patterns for each field, I suggest this regex: (?<check_name>[A-Za-z]\S+)\s+(?<location>[^\]]+\])\s+(?<avg_response_time>\d+) But I recommend breaking the fields out a little more: (?<check_name1>[A-Za-z]\w+)\-(?<check_name2>[A-Za-z]\w+)\-(?<state>\w+)\s+(?<location>[^\[]+) \[(?<browser>[^\]]+)\]\s+(?<avg_response_time>\d+) https://regex101.com/r/zK5yT5/1 ... View more

"*" is zero or more allowing the possibility of no matches for the pattern. But your data lacks the commas for those regex to work so I don't think it should work. As if you and Gregg are seeing different data than what myself and others are seeing. I'll post mine below, just in case. ... View more

This looks just like mine with a few very small differences. I think that the big takeaway was escaping the brackets in the regex. If a good answer already exists, it makes sense to simply add a comment to the answer with any small changes or recommendation. No need for anyone to read through a dozen answers saying exactly the same thing. ... View more

I expect that this should work: TZ=America/New_York TIME_FORMAT=%m/%d/%Y][%H:%M:%S.%3N You only need those two lines. If it doesn't work, try escaping the brackets and let us know. Added: If you want to add the other lines, these ones are default and are not required/useful: SHOULD_LINEMERGE=false NO_BINARY_CHECK=true disabled=false For the other lines, I would suggest (the brackets need to be escaped): LINE_BREAKER=^\[\d+\]\[\d+ TIME_PREFIX =^(\[\d+\]){2}\[ MAX_TIMESTAMP_LOOKAHEAD=75 KV_MODE = none ... View more

Count gives the number of events with the ooid field. DC is the correct function. ... View more

Base searches should be rendered in reporting format. To the first base search, I recommend adding | stats count by sourcetype _time possibly with bucket _time span=30m ... View more

MuS made a good catch by adding \s to capture multiple words in the pattern, including "BLD". I meant to do that originally, but I was only looking at two full events when I created the regex. Addressing the problems question, in general, regex works best by matching patterns from left to right. Look-aheads, etc. are not that efficient and they require the pattern to exist or to not exist (less flexibility). Since this is Splunk, I assumed large datasets, and even small datasets can become large over time. Also, it is best to match as generally as possible in case the logs deviate from your test data. ... View more

Good catch. I agree. ... View more

The formatting for that regex did not come come through right, but if it is doing what it looks like, that approach will give you problems and will take much more time than it should to complete the task even if it works right. Check out my answer below.. ... View more