In order to be a selected field , doest that field must exist in every events ? Now host, source, sourcetype are the only three fields that exist by default when i fire a search query. Is this due to that all the events indexed in splunk has/assigned with these 3 fields ? I see viewstates.conf files to set the seleted fields . Is the below file in the mentioned path is responsible for this ? Path : opt/splunk/share/splunk/app_templates/sample_app/default/viewstates.conf [flashtimeline:fwk4471e] Count_0_7_1.count = 10 DataOverlay_0_12_0.dataOverlayMode = none DataOverlay_1_13_0.dataOverlayMode = none FieldPicker_0_6_1.fields = host sourcetype source FieldPicker_0_6_1.sidebarDisplay = True MaxLines_0_13_0.maxLines = 10 RowNumbers_0_12_0.displayRowNumbers = true RowNumbers_1_11_0.displayRowNumbers = true RowNumbers_2_12_0.displayRowNumbers = true Segmentation_0_14_0.segmentation = inner SoftWrap_0_11_0.enable = True ... View more

Configured Cisco router to send traps to my Splunk, via port 162; Installed SNMP add-on; Downloaded SNMPv2-SMI,SNMPv2-TC,IANAifType-MIB,RFC1213-MIB,SNMPv2-MIB,SNMPv2-CONF,IF-MIB MIBs from Ciscowebsite and converted them to Python files by 'build-pysnmp-mib'- (Eg : SNMPv2-CONF.py,IF-MIB.py) Does this fine or needed compiled code ? Moved the .py files to $SPLUNK_ROOT/etc/apps/snmp_ta/bin/mibs/ directory; Created and configured a new SNMPinput. (inputs.conf) [snmp://read_snmp] do_bulk_get = 0 host = 10.0.255.46 listen_traps = 1 ipv6 = 0 snmp_mode = traps snmp_version = 2C sourcetype = read_snmp split_bulk_output = 0 trap_host = 10.0.255.247 trap_port = 162 v3_authProtocol = usmHMACMD5AuthProtocol v3_privProtocol = usmDESPrivProtocol mib_names = SNMPv2-SMI,SNMPv2-TC,IANAifType-MIB,RFC1213-MIB,SNMPv2-MIB,SNMPv2-CONF,IF-MIB Corrections made with splunk answers help : Corrected the host name (localhost) to proper Ip address of the splunk host , as i set in the cisco router. Updated the conf file with listen_traps = 1 Checked for errors with query : "index=_internal ExecProcessor error snmp.py" Results: (from this error - should i need to correct something ? please advise !) 10.0.255.103 - admin [23/Oct/2014:14:37:56.321 +0000] "GET /en-US/api/shelper?snippet=true&snippetEmbedJS=false&namespace=search&search=search+index%3D_internal+ExecProcessor+error+snmp.py+&useTypeahead=true&useAssistant=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&_=1414075022892 HTTP/1.1" 200 748 "http://10.0.255.247:8000/en-US/app/search/search?q=search%20index%3D*%20host%3D%2210.0.255.46%22&earliest=&latest=&sid=1414075069.31" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36" - 544912c4527fa79c57c0d0 130ms 10.0.255.103 - admin [23/Oct/2014:14:12:39.735 +0000] "GET /en-US/api/shelper?snippet=true&snippetEmbedJS=false&namespace=search&search=search+index%3D_internal+ExecProcessor+error+snmp.py+&useTypeahead=true&useAssistant=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&_=1414070887398 HTTP/1.1" 200 750 "http://10.0.255.247:8000/en-US/app/search/search?q=search%20index%20%3D*%20host%3D%2210.0.255.46%22&earliest=&latest=&sid=1414073547.86" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36" - 54490cd7bc7f539012ba50 262ms Still I could see any traps in search app 😞 Does any other thing to setup ? Please help. ... View more

I wanted to make a search - report accelerated. Search query : index=*| chart count over host by tag::action usenull=false Summary span i set is 1 day I get 81k events results for this search. So, wont this be accelerated , since it fails to meet 100K events . Conditions: The number of events in the hot bucket covered by the chosen Summary Range must be equal to or greater than 100k. You will see a Summary Status warning that says Not enough data to summarize when this condition exists. Please advise. ... View more

I do index an unstructured log file , where i want to extract email_id in that. Since, email ids are present in different location of the log entry , Splunk's field extraction method doesn't help me. Is there any trick to resolve this ? ... View more

Sample log: Oct 14 04:26:40 localhost kernel: : pci 0000:00:16.6: PCI bridge to [bus 11-11] Oct 14 04:26:40 localhost kernel: : pci 0000:00:16.6: bridge window [io 0xf000-0x0000] (disabled) Oct 14 04:26:40 localhost kernel: : pci 0000:00:16.6: bridge window [mem 0xd3d00000-0xd3dfffff] Oct 14 04:26:40 localhost kernel: : pci 0000:00:16.6: bridge window [mem 0xd5300000-0xd53fffff 64bit pref] Oct 14 04:26:40 localhost kernel: : pci 0000:00:16.7: PCI bridge to [bus 12-12] props.conf: [my_custom] SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE_DATE = true I set the above property to break that single event , but it seems it doesnt work, since the Timestamp is same in all the events does it always consider this as a single event ? or any other settings to include in my props ? Please help Source : http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Indexmulti-lineevents ... View more

I want to extract fields from a customized log (no pre-defined/standard log structure) I do need to extract a field name "Description" where it has its appropriate values at different locations in various events. Using multilple REGEX alone I can able to locate the values. Can i use multiple REGEX to extract a single field ? My config files: props.conf [myprops] REPORT-Description = extract_desc transforms.conf [extract_desc] REGEX = (,DESC,) REGEX = (\((\d|)\)) FORMAT = Description::$1 FORMAT = Description::$2 I am trying to achieve as above , Is this correct way ? ... View more

I wanted to upgrade Splunk version 5.0.4 to 6.04. Splunk Instance: License Master Server Platform : CentOS Please Suggest whether i can directly install the new rpm on top of the existing instance? Does it require a downtime (restart)? I have several Indexers connecting with these master license servers. (indexers are already running v6.0.4) Please advise. ... View more

Is there any online regex tool to create regular expressions for given sample data ? ... View more