Due to extensive lack of foresight, I am working in an environment with a Splunk instance that is ingesting Tomcat logs (supporting a Liferay instance) that are not in the standard index/sourcetype (i.e., not access_combined) with non-standard field extractions. Basically the field extractions line up more with IIS than with Apache access logs. Has anyone successfully managed to implement the Splunk App for Web Analytics in a similar scenario? After digging through the .conf files, I would think it would just require adjusting all of the sourcetypes and field references to use my environment's settings, but in some cases, I am not entirely able to tell which are standard fields, and which are fields being created by the app. So has any one had any success trying this? ... View more

I have a dashboard with two levels of drilldowns. The first dashboard is a list of servers. Click on a server name and it gives you a list of that server's clients. Click on a client name and it shows you information from that client. What I want to do is use a lookup to show a "friendly name" (like a business unit or division) instead of the actual server name. The problem I run into is that now the "friendly name" is what gets passed on as the $click.value$ to the client list. How can I display a "friendly name" but still have the drilldown use the original server name value on the drill down? ... View more

I'm supporting a system where we have deployed servers that are uploading their IIS logs to a central location. The indexer is configured to monitor the central location where each deployed server has its own uniquely named folder structure. The deployed servers are configured to upload their IIS logs every 12 hours. The IIS logs are configured to roll every day, but because the servers are uploading the logs twice a day, that means each log should be updated at least once. So far, we've not had any issues (that I'm aware of) with duplicate events. However, some logs are simply not being indexed, and checking the _internal log today, I noticed a lot of these entries for the "missing" logs: File will not be read, seekptr checksum did not match (file=\FILESERVER\SHARE\DEPT\UNIQUE_SVR_NAME\_admin\iislogs\u_ex170518.log). Last time we saw this initcrc, filename was different. You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source. And also some of these, which I assume just means the total log length was shorter than the default 256 byte initCrcLength value? File will not be read, is too small to match seekptr checksum (file=\FILESERVER\SHARE\DEPT\UNIQUE_SVR_NAME\_admin\iislogs\u_ex170515.log). Last time we saw this initcrc, filename was different. You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source. The vast majority of these logs are being indexed just fine. What need I do to cleaned up these outliers? Just set the initCrcLength to something longer? I don't want any duplication, but I do want to be sure all of the logs are being indexed. I'm reading the documentation, but not really grasping how the CrcSalt and initCrcLength work to know exactly what to do with them or if they would actually solve this problem. ... View more

I have a dashboard where the user selects options from a couple of drop downs which are driven by lookups. These drop-downs combine to construct a file path for the search. Menu 1 is a list of location codes ($location$) or a wildcard for All (*), Menu 2 is a list of data types ($dataype$). Unfortunately, two of the data types are at different folder levels, (\server\datatype\location vs \servername\folder\datatype\location), so I haven't been able to work out a consistent way to extract the location folder because it changes depending on data type. I ended up using an erex to extract the location field on the fly like this: erex jkreceive examples="tx,$location$,al,pa,colorado,ny,stl" My erex wasn't working 100% of the time, but if I included the $location$ variable in the examples it works great. However, at the end of the search I need to translate the location codes to a descriptive location name using another lookup. This is all fine if the user chooses a location from the menu, but if the user selects "All" from the location menu, which translates to "*", the erex fails and the location to description translations all fail except the locations specified as examples. I tried doing an eval with an if statement to create a conditional erex, but Splunk keeps terminiating the search saying I'm missing a ). No matter how many )'s I add, it ends the same. Here is the search (in my lookup, 'jkreceive' is the field containing the location codes and 'Site' is the descriptive name): index="jkr" sourcetype="jkr" file_path="*$datatype$\$location$\\*" | eval jkreceive=if(jkreceive="*",(erex jkreceive examples="tx,$location$,al,pa,colorado,ny,stl"),(erex jkreceive examples="tx,al,pa,colorado,ny,stl")) | eval MB=round(filesize/1024/1024, 2) `convertxfr` | eval "Creation Date"= strptime(timestamp,"%m/%d/%Y %H:%M:%S") | convert timeformat="%Y-%m-%d %T" ctime("Creation Date") AS "Creation Date (Local)" | lookup Locations.csv jkreceive OUTPUT Site | rename filename as File | appendpipe [ stats count | eval Site="There are no results to display" | where count==0] | table Site "Transfer Date (CT)" "Creation Date (Local)" File MB | sort +"Creation Date (Local)" Is a conditional erex possible? Or am I barking up the wrong tree? ... View more

I'm extracting a piece of a filename to create a field using makemv and a rex command. The extracted field should be formatted like 89-02687, but sometimes occurs as 8902687. I want all of my output to show the proper formatting, so all the results have the XX-XXXXX format. Could I use a tostring statement and a regex or a replace command to somehow insert the hyphen into any results that don't have it after the second digit? ... View more