I've been messing with this all morning and still can't get the results I want. Why is this so difficult to achieve? I have a list of how long it took to load an index for some "users". Like this: 00:15:27 aaa 00:15:07 bbb 00:10:56 ccc 00:29:36 ddd 00:24:13 eee 02:58:51 fff 00:38:33 ggg 00:21:29 hhh 00:17:44 iii I want to create a bar or line graph for this data spanning over a few days. I'd like to show how much time it took for say "aaa" to load this index over the course of 4 days. I'm having issues having splunk understand time formats and to display a scale of "time" based on the results, say like every 30 minutes on a chart....Do I have to convert the time to seconds, then back to a readable time for this to happen? I tried this search. I thought "eh, this is easy!" apparently not: sourcetype=edr daysago=4 | dedup LoadTime, users | timechart per_day(LoadTime) by users My results are not what i'm looking for . For example, one of the times is: 00:21:29 hhh Splunk graphs it as: 50424.000000 hhh How can I make a graph of this data for each user across a span of time in a format of time readable??? ... View more

I'm trying to use the field extractor for this to prevent having to do a restart and putting in props.conf 2012-11-26 05:39:35.933549-> Finished CREATE_IDX for REPLICA->[{'dbs': 'edr', 'host': 'boo-bee-db1.he1.booberry-boo.eeek', 'port': 5492, 'user': 'etl_user'}]. Time: 01:27:12.449 2012-11-26 13:49:51.935960-> Finished CREATE_IDX for BOOBERRY->[{'dbs': 'edr', 'host': 'boo-bee-db1.he1.booberry-boo.eeek', 'port': '5491', 'user': 'etl_user'}]. Time: 02:16:58.666 I'm interested in pulling out the Time in both lines and for each Time, putting it into a separate field. Example: Time in first line would be called "replicaend" field. Time in second line would be called "booberryend" field. When Using the field extractor, i gave it the time and it generated results. I narrowed it down to the time I wanted. After testing it appeared it was still giving me additional results I didn't want. Here's the regex the field extractor made: (?i)^(?:[^:]*:){7}\\s+(?P*FIELDNAME>[^\\.]+) NOTE: I put a * instead of a less than symbol because it wasn't showing up if i used a less than symbol! From this regex, is there a way to include the Finished CREATE_IDX for REPLICA-> pattern in the regex when extracting as well? I tried but wasn't able to get it to match anything. Using the search bar, this search gives me exactly what I want. I could put something like this in props.conf but I'm trying to use the field extractor, avoid a restart and see my old data extracted right away. sourcetype="BOO" | rex "Finished CREATE_IDX for AFILIAS.*Time: (?P*Finished>[0-9:]*)" | top 50 Finished NOTE: I put a * instead of a less than symbol because it wasn't showing up if i used a less than symbol! Any ideas? ... View more

I know this question appears to have been answered in here before but I'd like to know if this type of functionality will be available with the splunk 5.0 version. My main search head is mybox1.domain.com:8000. I can access it by https://mybox1.domain.com:8000 I can also get here by typing in https://splunk.domain.com:8000 I'd like to have it where mybox1 or splunk.domain.com will always just show up as https://splunk.domain.com in a browser. This is only internal. I know you can install a 3rd party webserver like apache, but is there any other way to do this OR is this possibly a new feature on 5.0? ... View more

I have a question. I've been trying to figure this out for a while. I have a search I'm using to calculate the number of times users looked at specific reports. I have the number of all users per location in a lookup file. I then calculate the number of times a file was actually accessed per user and calculate a percentage to get an idea of which files are the most popular. However, I'm looking to get away from the lookup file as it's not always an accurate count of the active users. I've created a script that will query a database and dump the number of users into a file each day. This file is logged by splunk. Here's the problem. The logs now generated by the script are under a different sourcetype then the main search. This was my search using a lookup file. The fields the lookup used were registry and registrarcount: sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" OR source="/opt/log/*/*/web_server/info.log" WAT | dedup registrar,description,registry | stats count(registrar) as numviewed,max(registrarcount) as registrarcount by description,registry | eval percent=numviewed/registrarcount*100| fields registry, description, numviewed, registrarcount, percent This is the search I now use to just get the count of how many users there are and also the name for each user. This is the information this is being called by the script and dumped in a log now. This isn't using a lookup file: sourcetype=registrarcount | stats max(registrarcount) by registry I need to somehow combine them. I tried doing "what i thought" was a subsearch but this didn't seem to work. I got the error "subsearches are only valid as arguments to commands: sourcetype="EPPWEB" source="/opt/log/dotinfo/web_server/info.log" OR source="/opt/log/dotinfo/*/web_server/info.log" WAT | [ search sourcetype="registrarcount" ] | dedup registrar,description,registry | stats count(registrar) as numviewed,max(registrarcount) as registrarcount by description,registry | eval percent=numviewed/registrarcount*100| fields registry, description, numviewed, registrarcount, percent Anyone have any ideas how to combine these searches? Should I use transaction? ... View more

I've been going around in circles on this all day and at this point figured I would post my question here: sourcetype="EPPWEB" source="/opt/log/dotblah/web_server/info.log" OR source="/opt/log/dotblah/*/web_server/info.log" WAT | dedup registrar | stats count(registrar) as numviewed by description,registry This search produces a small table that looks kinda like this: Description Registry numviewed Billing Invoice dotblah 3 Daily Auto Renewals dotblah 3 Billing Text dotblah 14 Annual Report dotblah 10 What I'm trying to do is create a percentage based on the numviewed values and a number displayed in a field. The field is: actualcount 424 So I want to basically have a percent column showing the percent. So 3 out of 424 would be how many percent? Description Registry numviewed actualcount percent Billing Invoice dotblah 3 424 Daily Auto Renewals dotblah 3 424 Billing Text dotblah 14 424 Annual Report dotblah 10 424 I tried using eval at the end of this but it didn't do anything and showed no results: sourcetype="EPPWEB" source="/opt/log/dotblah/web_server/info.log" OR source="/opt/log/dotblah/*/web_server/info.log" WAT | search description="*" | dedup registrar | stats count(registrar) as numviewed by description,registry | eval percent=(numviewed/registrycount)*100 How can i get the percentage I want? ... View more