So the account name that you want to extract in the sample event is SAM-Account-Name? Also, is it always preceded by /Provider-Type in all your events?
... View more
You need to extract fields during search. For more info: http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Addfieldsatsearchtime
Also, if you could post sample event data, I'm sure we can help you with that too.
... View more
Have you tried piping it to a search command like so:
index=myindex sourcetype="mysource" ""$token$"" ""$token2$"" | rex "(?i)(?P[^<]+)" | search tracktrace | rex "(?i)(?P[^<]+)" | table myvalue
... View more
You could also use rex on your email address field to capture domain in a separate field. This way you do not have to list out all possible domain cases in an eval statement.
For example:
index=<your index> sourcetype=<your sourcetype> | rex field=<email_address_field> "\w+@(?<domain>\w+)\.\w+" | ...
This captures your domains in a separate field (domain). Hope this helps.
... View more
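The rex pattern in the answer above works for plain addresses, but `\w+@(?<domain>\w+)\.\w+` only matches one word on each side of the `@`, so a dotted local part or a subdomain is captured wrongly (`bob.smith@mail.example.co.uk` yields `mail`). The following Python script is an added example, not part of the original answer, that runs the answer's regex and a hypothetical tightened one (both group names and the sample events are assumptions) over a few constructed events so the difference is visible before the pattern goes into a saved search:

```python
import re

# The rex pattern from the answer, in Python's (?P<name>...) group syntax.
NAIVE = re.compile(r"\w+@(?P<domain>\w+)\.\w+")

# Hypothetical tightened pattern (not from the answer): the local part may
# contain '.', '+' and '-', and the domain is captured through its last label,
# so subdomains and multi-label TLDs survive intact.
STRICT = re.compile(r"(?<![\w.+-])[\w.+-]+@(?P<domain>[\w-]+(?:\.[\w-]+)+)")


def extract_domain(event: str, pattern: re.Pattern = NAIVE):
    """Return the captured 'domain' group, or None if the pattern does not match."""
    m = pattern.search(event)
    return m.group("domain") if m else None


# Constructed sample events (not real log data).
EVENTS = [
    "user=alice@example.com action=login",
    "user=bob.smith@mail.example.co.uk action=login",
    "user=carol+alerts@sub.example.org action=login",
]


def compare(events):
    """Pair the naive and strict extraction for each event."""
    return [(extract_domain(e), extract_domain(e, STRICT)) for e in events]


if __name__ == "__main__":
    for event, (naive, strict) in zip(EVENTS, compare(EVENTS)):
        print(f"{event!r}: naive={naive!r} strict={strict!r}")
```

Splunk's rex uses PCRE, which accepts both `(?<name>...)` and `(?P<name>...)`, so the tightened pattern can be pasted into `rex field=<email_address_field> "..."` unchanged apart from the group syntax already used on the page.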
Do you need them to be included as the same event at index time? You could always club them as a single event at search time using the transaction command like so:
| transaction _time
... View more
As extracted by your regex, Time has spaces in it. Maybe that's why sum fails.
Try this instead:
*HttpRequestProcessor | rex field=LogLine "\s(?<Time>\d+)\s" | rex field=TimeStamp_Thread "(?<dt2>[\d]{4}-[\d]{2}-[\d]{2} [\d]{1,2}:[\d]{1,2}[\d]{1,2}:[\d]{2}.[\d]{3})" | convert num(Time) | eval time5=strptime(dt2,"%Y-%m-%d %H") | eval _time=time5 | bucket _time span=1h | stats sum(Time) by _time
... View more
Yes, it is expensive. You could try using transaction, like so:
sourcetype=uag user=bigrichie90 | transaction session
If you need more information on event grouping and correlation:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Search/Abouteventcorrelation
Also, this flowchart when in doubt! 🙂
http://docs.splunk.com/File:Search_event_grouping_flowchart.png
... View more
Use "join" command like so:
sourcetype=uag user=bigrichie90 action=added | eval sessionAdded=session | head 1
| join session [search sourcetype=uag user=bigrichie90 action=removed | eval sessionRemoved=session |head 1 ]
| where sessionAdded==sessionRemoved
Since you can specify the exact field to join on, you don't even need the eval statements. The following statement should do just fine.
sourcetype=uag user=bigrichie90 action=added | join session [search sourcetype=uag user=bigrichie90 action=removed ]
For more information: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Join
... View more
Unless I read the question wrong, eval creates a field which you can use directly without enclosing it within % (like you did in the eval stbGenSNRVAL statement).
... View more
In that case, you can replace that with REGEX = SET timestamp=\d+;((?s).+?;)
FORMAT = sql_query::$1
(if SET timestamp line and SQL Query are not in the same line, please include a '\n' at the end of the timestamp statement in the regex)
... View more
Try this in your transforms.conf:
[sql-log-times]
REGEX = Query_time:\s(\d+\.\d+)\s+Lock_time:\s(\d+\.\d+)\s+Rows_sent:\s(\d+)\s+Rows_examined:\s(\d+)
FORMAT = query_time::$1 lock_time::$2 rows_sent::$3 rows_examined::$4
[sql-queries]
REGEX = ((SELECT|INSERT|UPDATE)(?s).+?;)
FORMAT = sql_query::$1
Mention these two stanzas in the corresponding props.conf entry.
... View more
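The two transforms above (and the `SET timestamp=...;` variant from the earlier answer) are easy to check offline before touching transforms.conf. The Python script below is an added example, not part of the original answer, that applies the same regexes to two constructed MySQL slow-log events. It also shows the one caveat worth knowing about the lazy `.+?;`: a `;` inside a string literal ends the capture early, so a hypothetical stricter pattern that requires the terminating `;` to be followed by end-of-event or the next `#` header is shown alongside. The event text, the `QUERIES_STRICT` pattern and the function names are assumptions for the demo:

```python
import re

# Constructed MySQL slow-log events (not real data), one query block each.
EVENT_OK = """# Time: 140821 10:15:32
# User@Host: app[app] @ localhost []
# Query_time: 2.345678  Lock_time: 0.000123 Rows_sent: 10  Rows_examined: 12345
SET timestamp=1408616132;
SELECT id, email FROM users
WHERE email LIKE '%@example.com';"""

EVENT_SEMI = """# Query_time: 0.100000  Lock_time: 0.000010 Rows_sent: 1  Rows_examined: 1
SET timestamp=1408616140;
UPDATE notes SET body = 'a;b' WHERE id = 7;"""

# [sql-log-times] REGEX from the answer, with the decimal point escaped.
TIMES = re.compile(
    r"Query_time:\s(\d+\.\d+)\s+Lock_time:\s(\d+\.\d+)\s+"
    r"Rows_sent:\s(\d+)\s+Rows_examined:\s(\d+)"
)

# [sql-queries] REGEX from the answer. Splunk's PCRE accepts the inline (?s)
# mid-pattern; Python does not, so the same flag is passed as re.DOTALL.
QUERIES = re.compile(r"((SELECT|INSERT|UPDATE).+?;)", re.DOTALL)

# Hypothetical stricter alternative (assumption, not from the answers): anchor
# on the SET timestamp line as in the earlier answer, but only accept a ';'
# that is followed by end-of-event or the next '# ' header line, so a ';'
# inside a string literal does not end the capture.
QUERIES_STRICT = re.compile(
    r"SET timestamp=\d+;\s*(?P<sql_query>.+?;)(?=\s*(?:\Z|\n#\s))", re.DOTALL
)


def parse_event(event: str, query_re: re.Pattern = QUERIES) -> dict:
    """Emulate the two transforms on one event; returns the extracted fields."""
    fields = {}
    m = TIMES.search(event)
    if m:
        fields["query_time"] = float(m.group(1))
        fields["lock_time"] = float(m.group(2))
        fields["rows_sent"] = int(m.group(3))
        fields["rows_examined"] = int(m.group(4))
    q = query_re.search(event)
    if q:
        fields["sql_query"] = q.group(1).strip()
    return fields


if __name__ == "__main__":
    print(parse_event(EVENT_OK))
    # The answer's pattern truncates at the ';' inside 'a;b'.
    print(parse_event(EVENT_SEMI)["sql_query"])
    # The stricter pattern keeps the whole statement.
    print(parse_event(EVENT_SEMI, QUERIES_STRICT)["sql_query"])
```

If the stricter form is adopted, drop the `(?s)` from the transforms.conf REGEX is not needed: Splunk's PCRE keeps accepting it, and only the Python translation needs the `re.DOTALL` flag.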
Try using the delta command like so:
index=<index_name> sourcetype=<sourcetype_name> | delta _time as time_difference | convert timeformat="%Y-%m-%d %H:%M:%S:%3N" ctime(_time) AS c_time | table c_time time_difference
For more information: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Delta
... View more
You can configure the inputs.conf file on the Splunk forwarders for this purpose.
Add an additional entry for index, sourcetype for each log type like so:
[<stanza associated with the logs>]
index=fireeye
sourcetype=fireeye_logs
You need to have those indexes created on the Splunk indexer before you begin forwarding data.
... View more
Try this: [your search query] | rex field=_raw "15=(?P<currency_a>\w+)" | rex field=_raw "55=(?P<currency_b>\w+)" | eval return_value = if( isnull(currency_a), currency_b, currency_a)
Assuming the 'a' field is always preceded by '15=' and the 'b' field is always preceded by '55='.
... View more
Assuming those two files are indexed in Splunk and the fields are extracted:
You could try this:
sourcetype=remedy | fields [include fields that you want] | join IP_Addr [search sourcetype=nmap | stats list(portid) as Ports by IP_Addr] | table IP_Addr DNS USER Status Ports
... View more