oh well...you are welcome! splunk is very well documented! ... View more

So the account name that you want to extract in the sample event is SAM-Account-Name? Also, Is it always preceded by /Provider-Type in all your events? ... View more

I still don't see the source_ip in your example data. If you could post data from multiple events, things will be clearer. ... View more

You need to extract fields during search. For more info: http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Addfieldsatsearchtime Also, If you could post sample event data, I'm sure we can help you with that too. ... View more

try using stats list(_raw) by _time. Would be faster. Hope it helps. ... View more

Have you tried piping it to a search command like so: index=myindex sourcetype="mysource" ""$token$"" ""$token2$"" | rex "(?i)(?P[^<]+)" | search tracktrace | rex "(?i)(?P[^<]+)" | table myvalue ... View more

You could also use rex on your email address field to capture domain in a separate field. This way you do not have to list out all possible domain cases in an eval statement. For example: index=<your index> sourcetype=<your sourcetype> | rex field=<email_address_field> "\w+@(?<domain>\w+)\.\w+" | ... This captures your domains in a separate field (domain). Hope this helps. ... View more

How are you trying to split it? ... View more

Is the sourcetype same for the first search and first join? Also, where does the last join end? ... View more

that was fast! didn't see it before I posted a somewhat similar regex!! ... View more

could you specify what would be the correct extraction in the last example (the one with [WEDT])? ... View more

Do you need them to be included as the same event at index time? You could always club them as a single event at search time using the transaction command like so: | transaction _time ... View more

Most likely reason - escaping slashes. Refer http://answers.splunk.com/answers/26703/extracting-a-field-at-search-time-rex-question.html ... View more

Yes, It is expensive. You could try using transaction, like so: sourcetype=uag user=bigrichie90 | transaction session If you need more information on event grouping and correlation: http://docs.splunk.com/Documentation/Splunk/6.1.3/Search/Abouteventcorrelation Also, this flowchart when in doubt! 🙂 http://docs.splunk.com/File:Search_event_grouping_flowchart.png ... View more

what is the output that you get with your current search query? ... View more

Use "join" command like so: sourcetype=uag user=bigrichie90 action=added | eval sessionAdded=session | head 1 | join session [search sourcetype=uag user=bigrichie90 action=removed | eval sessionRemoved=session |head 1 ] | where sessionAdded==sessionRemoved Since you can specify the exact field to join on, you don't even need the eval statements. The following statement should do just fine. sourcetype=uag user=bigrichie90 action=added | join session [search sourcetype=uag user=bigrichie90 action=removed ] For more information: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Join ... View more

unless I read the question wrong, eval creates a field which you can use directly without enclosing them within %. (like you did in the eval stbGenSNRVAL statement) ... View more

In that case, you can replace that with REGEX = SET timestamp=\d+;((?s).+?;) FORMAT = sql_query::$1 (if SET timestamp line and SQL Query are not in the same line, please include a '\n' at the end of the timestamp statement in the regex) ... View more

Try this in your transforms.conf: [sql-log-times] REGEX = Query_time:\s(\d+.\d+)\s+Lock_time:\s(\d+.\d+)\s+Rows_sent:\s(\d+)\s+Rows_examined:\s(\d+) FORMAT = query_time::$1 lock_time::$2 rows_sent::$3 rows_examined::$4 [sql-queries] REGEX = ((SELECT|INSERT|UPDATE)(?s).+?;) FORMAT = sql_query::$1 Mention these two stanzas in the corresponding props.conf entry. ... View more

Yes. Exactly. I was too lazy to do that in my answer 😄 ... View more

You can configure the inputs.conf file on the splunk forwarders for this purpose. Add an additional entry for index, sourcetype for each log type like so: [<stanza associated with the logs>] index=fireeye sourcetype=fireeye_logs You need to have those indexes created on the splunk indexer before you begin forwarding data. ... View more

try this: [your search query] | rex _raw "15=(?P<currency_a>\w+)" | rex _raw "55=(?P<currency_b>\w+)" | eval return_value = if( isnull(currency_a), currency_b, currency_a) assuming the 'a' field is always preceded by '15=' and 'b' field is always preceded by '55=' ... View more

Assuming those two files are indexed in splunk and the fields are extracted: You could try this: sourcetype=remedy | fields [include fields that you want] | join IP_Addr [search sourcetype=nmap | stats list(portid) as Ports by IP_Addr] | table IP_Addr DNS USER Status Ports ... View more