Yes, the code I posted above worked exactly as posted. %Z properly translates both the short and long TZ codes. (At least on my system.) https://en.wikipedia.org/wiki/List_of_tz_database_time_zones ... View more

Thank you both for your suggestions! alemarzu, fillnull worked great for this! ... View more

Good correction, thank you! ... View more

Hi pil321, I usually use sourcetype in filters to be sure that it runs! So try something like this: in props.conf [your_sourcetype] TRANSFORMS-set-exclude=set_exclude,set_nullqueue in transforms.conf [set_exclude] REGEX=. DEST_KEY = queue FORMAT = indexQueue [set_nullqueue] REGEX=(192\.168\.1\.1)|(,123,) DEST_KEY=queue FORMAT=nullQueue Bye. Giuseppe ... View more

Oh I see. Good job! ... View more

Remember that parsin changes will only be apply to new events. ... View more

This is "future-proof". ... View more

blacklist5 = EventCode="4625" ComputerName="server-name" Message="\sAccount Name:\s_USER_NAME_\s" In windows events, there are lot many spaces, which we need to tackle. ... View more

hmm,so for each successful login we go and execute? isn’t more normal to search only when I see a fail, which are not so often as successful logins? thanks ... View more

@brent_weaver just wanted to follow-up and see if you were able to get this working? ... View more

sorry for repost, maybe that's a better place, same problem on my side with AWS: @DEngineer did you solve your problem, because I am trying to establish a similar set up and have the same problem? Help would be very much appreciated. ... View more

Hello there, This will extract both lines from both keyworkds (RefillService, ProcessResponse): | rex "(?:RefillService|ProcessResponse)\s-\s(?<my_custom_field1>[^\n]+)" This will work only for RefillService line: | rex "RefillService\s-\s(?<RefillService>[^\n]+)" Hope it helps. ... View more

This looks exactly as it should; I've got nothing else. You should open a support case (be sure to upload a diag immediately). ... View more

Hi@all, registry monitor is not the way to get this done. Try using scheduled Batch skript: reg query and pipe it to a Textfile , then monitor this file ... View more

Hey there, This should grab all the errors per event into one single field. | rex "Transitioned\sto\sError\sState\s+(?<ALL_ERROR_LINES>[\n\r\s\S\d]+)" If you want to extract those errors individually. | rex max_match=10 "^(?<AA>[A-Z]+\sError:\s[^\n]+)" Or something more granular like field=value (ie: error_type=NECU msg="[0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83"), something like this should work. props.conf [your_sourcetype] REPORT-multi_errors = multi_error_values transforms.conf [multi_error_values] REGEX = ^(?<_KEY_1>[A-Z]+\sError):\s(?<_VAL_1>[^\n]+) REPEAT_MATCH = true CLEAN_KEYS = 1 Hope it helps. ... View more

"You stated you setup syslog-ng on your UF, the .conf is usually in either /etc or /use/local/etc, run a find" Are you referring to inputs.conf and outputs.conf? ... View more

Indexes I created (through deployment server app) where disabled after creation (if the app was not configured to restart). After adding the line "disabled = false" - the new indexes are enabled without restart. Thanks! ... View more

Splunk must have extract field msg_body with some values as it's in classic kv format. What value do you get as part of msg_body field? Will the msg_body always going to contain "valid" or it may be something else? ... View more

Just one thing to be aware of, each role or user may have different results when they search for index=* due to what indexes they are able to see and what they search as default. E.g. Admin role set to see all internal and external indexes searches index=* gets everything. User role configured to only see main index searches index=* only sees main index results. ... View more

Nice, happy Splunking! ... View more

I think you'll have to use gentimes to dynamically call an earliest and a latest timerange for your timechart. And then also do your timechart by CODE in order to seperate it out by country. Other than that you have it pretty much complete. ... View more

Glad it worked out, happy splunking! ... View more

It is difficult to say cause of the issue. But, according to your description, One of the six indexers we have were unresponsive today. I couldn't login through the web interface and ssh'ing to the server was very slow. I figured it's an OS problem, rebooted the server, and things seem to be clear. I believe splunk processes also got affected by the system resource/performance issue. Potentially main splunkd and child splunkd processes could not communicated at all and died. ... View more

"The easiest play [way?] is to just install it everywhere they recommend it." Indeed, and that may be what the http://docs.splunk.com/Documentation/UnixAddOn/5.2.4/User/DeploytheSplunkAdd-onforUnixandLinuxinadistributedSplunkenvironment page indicates, but this is undermined by e.g. http://docs.splunk.com/Documentation/UnixApp/5.2.3/User/WhataSplunkAppforUnixandLinuxdeploymentlookslike which clearly shows a supposedly working deployment with no Splunk_TA_nix on the indexer/search head. On the other hand, http://docs.splunk.com/Documentation/UnixApp/5.2.3/User/DeploytheSplunkAppforUnixandLinuxinadistributedSplunkenvironment , under "Steps to building a Splunk App for Unix and Linux deployment", step 6 states the add-on is to be installed on the search heads. The http://docs.splunk.com/Documentation/UnixAddOn/5.2.4/User/Platformandhardwarerequirements page is not about "compatibility", it's about requirements. If the add-on were not required on the search head, the app would work without it. It does not. When Splunk_TA_nix is installed on a forwarder, it uses index=os, right? And the App, on its Settings page, clearly shows Unix Index(es) = "index=os" (by default). So it does not appear (to me , at least) that it's a matter of index naming. It appears to be some sort of data conversion or labelling black magic that the add-on does. Keep in mind that a newbie like me considers Splunk as a big black box: installation instructions and application advisories should be written appropriately. It was very frustrating to install the app (without Splunk_TA_nix on the search head) and have absolutely no clue as to what was broken. Splunk was not telling me what needed fixing. ... View more

What date and time are on the events when you use the "All Time" search? My guess is one of your 5 firewalls has the time off. ... View more