answer by @vskoryk_splunk
.. | stats latest(version) latest(_time) by user
http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Commonstatsfunctions
If magnitude is a field, which I assume it is, just include in your search magnitude > 2.
As for the event "just prior" - is there any extrapolation, in terms of time of event, that you can make?
KV_MODE is too useful to turn off for this case.
Because lookups are executed after field aliases, you can alias your existing action field to some other name (like vendor_action) and then overwrite it with your lookup. This way you get both.
Unfortunately, this add-on currently does not support syslog setup. It's in our plans.
If you have Enterprise Security, it comes bundled with an add-on for SEP which supports syslog.
The issue here is the fact that the 2 samples do not follow the same format. Things are breaking down at the category field extraction (because category is the first field enclosed in quotes, which requires a different capture than the rest of the fields). The extraction expects it to be the 9th field and it is in the 13th place in the broken message (we are splitting the fields by spaces).
Then try this:
sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(client_ip) as distinctCount values(client_ip) | where distinctCount>1 | lookup dnsLookup ip AS client_ip OUTPUTNEW hostname
Of course the field name matters.
Try:
sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(client_ip) as distinctCount values(client_ip) | where distinctCount>1 | lookup dnsLookup ip AS client_ip OUTPUTNEW host AS hostname
(hopefully hostname is a field that exists for you)
Here is the breakdown: https://answers.splunk.com/answers/8051/dns-lookup-via-splunk.html
Reminder: please search first, before creating a duplicate question.
The best practice for cases like this is setting up syslog aggregation (like syslog-ng), forwarding your logs to that, and installing the UF on the syslog-ng server.
There is not enough information here to answer your question. Install instructions for what? Trust scores where - ES? If so, how was your ES configured? Which data sources do you have?
Splunk uses CRC for monitoring files: http://docs.splunk.com/Documentation/Splunk/6.0.5/Data/Howlogfilerotationishandled
So disabling atime should not cause any problems.
OK, if you only have one server and one forwarder, it means that your search head is also your indexer, so any sort of interaction with the indexes happens on your server.
Under Access Controls -> Roles, make sure that the index is selected under "Indexes searched by default".
If that still does not fix it, you should remove the definition of that index from your app's indexes.conf and restart.
Pete,
The number of variables is growing with every message.
Can you enable the old app before going to configure the new app?
Can you ensure that new TA has global permissions?
If none of this helped, how about this:
Remove the old and new TAs and Apps and run through the install again.
Once you do and if the problem is still there, we have a couple of options:
- open a support case and send us a diag
- if you don't have an enterprise license, just send us a diag
- a screenshot of the problem would be useful as well