I put this app together as an example. Please only use it in a non-production environment. SA-null_queue.spl I noticed when building it, that getting the props.conf:source:: stanza was tricky, as it did not accept $SPLUNK_HOME I looked at the entries that match source:: for examples: ./splunk cmd btool props list source:: | grep \\[ [source::...((.(bak|old))|,v|~|#)] [source::....(0t|a|ali|asa|au|bmp|cg|cgi|class|d|dat|deb|del|dot|dvi|dylib|elc|eps|exe|ftn|gif|hlp|hqx|hs|icns|ico|inc|iso|jame|jin|jpeg|jpg|kml|la|lhs|lib|lo|lock|mcp|mid|mp3|mpg|msf|nib|o|obj|odt|ogg|ook|opt|os|pal|pbm|pdf|pem|pgm|plo|png|po|pod|pp|ppd|ppm|ppt|prc|ps|psd|psym|pyc|pyd|rast|rb|rde|rdf|rdr|rgb|ro|rpm|rsrc|so|ss|stg|strings|tdt|tif|tiff|tk|uue|vhd|xbm|xlb|xls|xlw)] [source::....(?<!tar.)gz(.\d+)?] [source::....(cache|class|cxx|dylib|jar|lo|xslt|md5|rpm|deb|iso|vim)] [source::....(css|htm|html|sgml|shtml|template)] [source::....(jar)(.\d+)?] [source::....(tar.gz|tgz)(.\d+)?] [source::....(tbz|tbz2)(.\d+)?] [source::....Z(.\d+)?] [source::....bz2?(.\d+)?] [source::....crash.log(.\d+)?] [source::....csv] [source::....tar(.\d+)?] [source::.../(apache|httpd).../error*] [source::.../(readme|README)...] [source::.../(u_|)ex(tend|\d{4,8})*?.log] ... I hope this example helps. Good Luck! ... View more

index=r0* sourcetype=WinEventLog* (Account_Name=* OR user=* OR User_Name=*) | lookup Server_IP_r0a ip as src_ip OUTPUT filter | search filter=0 | eval Local_Account_Name=upper(coalesce(Account_Name,user,User_Name)) | table Account_Name | eval Account_Name_0 = mvindex(Account_Name, 0) | eval Account_Name_1 = mvindex(Account_Name, 1) | eval Account_Name_2 = mvindex(Account_Name, 2) ... View more

I created the lookup using: | makeresults | eval data="#1/1/2015%Image%1#1/1/2015%Print%2#1/1/2015%Presort%3#1/1/2016%Image%5#1/1/2016%Print%15#1/1/2016%Presort%20" | rex max_match=0 field=data "(?<line>[^#]+)" | mvexpand line | rex field=line "(?<Effective_Date>[^%]+)%(?<Description>[^%]+)%(?<Value>[^%]+)" | rename Effective_Date as "Effective Date" | table "Effective Date" Description Value | outputlookup cost_lookup.csv Then I simulate your indexed data with this query (I changed the dates so they would match the lookup): | makeresults | eval data="Finance%1/1/2016#HR%1/1/2015" | rex max_match=0 field=data "(?<line>[^#]+)" | mvexpand line | rex field=line "(?<Business_Unit>[^%]+)%(?<Timestamp>[^%]+)" | rename Business_Unit as "Business Unit" | table "Business Unit" Timestamp Next, I bring in the lookup data: | makeresults | eval data="Finance%1/1/2016#HR%1/1/2015" | rex max_match=0 field=data "(?<line>[^#]+)" | mvexpand line | rex field=line "(?<Business_Unit>[^%]+)%(?<Timestamp>[^%]+)" | rename Business_Unit as "Business Unit" | table "Business Unit" Timestamp | lookup cost_lookup.csv "Effective Date" as Timestamp Finally, I use evals to create the 3 fields you need. The evals use mvfind to find the index in the multivalue field, and mvindex to return the correct value. | makeresults | eval data="Finance%1/1/2016#HR%1/1/2015" | rex max_match=0 field=data "(?<line>[^#]+)" | mvexpand line | rex field=line "(?<Business_Unit>[^%]+)%(?<Timestamp>[^%]+)" | rename Business_Unit as "Business Unit" | table "Business Unit" Timestamp | lookup cost_lookup.csv "Effective Date" as Timestamp | eval "Image Cost"=mvindex(Value, mvfind(Description, "Image")) | eval "Print Cost"=mvindex(Value, mvfind(Description, "Print")) | eval "Presort Cost"=mvindex(Value, mvfind(Description, "Presort")) | table "Business Unit" Timestamp "Image Cost" "Print Cost" "Presort Cost" ... View more

| makeresults | eval data="md5=99ed710da1d10b1cf8c4fb7c2549a9dc#allmd5={\"MD5\":\"99ed710da1d10b1cf8c4fb7c2549a9dc\". MD5:\"6ac349a75ff9e7cbc92cd68c5fc44eed\", \"MD5\":\"8ca9e5e0a7cdb058f6f33f60a2fde2ef\"}%md5=45c4a725006767124e21242670e7795f#allmd5={\"MD5\":\"99ed710da1d10b1cf8c4fb7c2549a9dc\". MD5:\"6ac349a75ff9e7cbc92cd68c5fc44eed\", \"MD5\":\"8ca9e5e0a7cdb058f6f33f60a2fde2ef\"}\"" | rex max_match=0 field=data "(?<line>[^%]+)" | mvexpand line | rex field=line "md5=(?<md5>[^#]+)#allmd5=(?<allmd5>[^#]+)" | table md5 allmd5 | where NOT match(allmd5, md5) ... View more

Have you tried http://localhost:8000/debug/refresh or ./splunk restart ... View more

Works for me fine. What version of Splunk Enterprise are you using? http://localhost:8000/en-US/app/Splunk_SA_CIM/cim_setup?action=edit I think you are looking at a bit of the undercovers. root@splunk_docker:/opt/splunk/etc/apps/Splunk_SA_CIM# find . -type f | xargs grep "I am Legend" ... View more

Generally, you can use | inputlookup foo to get your data from your lookup into the pipeline. I will be using | makeresults | eval data="10/01/2016 13:00:00,tomato,x-large,square,red,,%10/01/2016 13:00:00,apple,x-large,roundish,yellow,,%10/01/2016 13:00:00,grapes,x-large,rectangle,green,,%10/01/2016 11:00:00,tomato,large,square,red,,%10/01/2016 11:00:00,apple,large,roundish,yellow,,%10/01/2016 11:00:00,grapes,large,rectangle,green,,%09/15/2016 11:00:00,tomato,med,square,red,,%09/15/2016 11:00:00,apple,med,roundish,yellow,,%09/15/2016 11:00:00,grapes,med,rectangle,green,,%09/01/2016 11:00:00,tomato,small,square,red,,%09/01/2016 11:00:00,apple,small,roundish,yellow,,%09/01/2016 11:00:00,grapes,small,rectangle,green,," | rex field=data max_match=0 "(?<line>[^%]+)" | mvexpand line | table line | rex field=line "(?<date>[^,]+),(?<fruit>[^,]+),(?<size>[^,]+),(?<shape>[^,]+),(?<color>[^,]+)" | table date fruit size shape color This has the benefit of explicity showing you the data I am dealing with. Next I need to conver the date field to a date/time field and then show you how to query against it. | makeresults | eval data="10/01/2016 13:00:00,tomato,x-large,square,red,,%10/01/2016 13:00:00,apple,x-large,roundish,yellow,,%10/01/2016 13:00:00,grapes,x-large,rectangle,green,,%10/01/2016 11:00:00,tomato,large,square,red,,%10/01/2016 11:00:00,apple,large,roundish,yellow,,%10/01/2016 11:00:00,grapes,large,rectangle,green,,%09/15/2016 11:00:00,tomato,med,square,red,,%09/15/2016 11:00:00,apple,med,roundish,yellow,,%09/15/2016 11:00:00,grapes,med,rectangle,green,,%09/01/2016 11:00:00,tomato,small,square,red,,%09/01/2016 11:00:00,apple,small,roundish,yellow,,%09/01/2016 11:00:00,grapes,small,rectangle,green,," | rex field=data max_match=0 "(?<line>[^%]+)" | mvexpand line | table line | rex field=line "(?<date>[^,]+),(?<fruit>[^,]+),(?<size>[^,]+),(?<shape>[^,]+),(?<color>[^,]+)" | table date fruit size shape color | where strptime(date,"%m/%d/%Y %H:%M:%S") > relative_time(now(), "-30d@d") Notice here we use strptime to convert to a date/time and then used relative_time to get a time that was 30 days ago. These functions are documented here: http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonEvalFunctions#Date_and_Time_functions So, for your use case it will be something like: | inputlookup foo | where strptime(date,"%m/%d/%Y %H:%M:%S") > relative_time(now(), "-2d@d") or | inputlookup foo | where strptime(date,"%m/%d/%Y %H:%M:%S") > relative_time(now(), "-90d@d") Depending on your date field name and the format of your date field. ... View more

I added my changes here: https://github.com/bshuler/TA-cefutils I'd love to fold these into your app if it meets with your approval. ... View more

|localop| stats count | eval data="USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED COMMAND ARGS root 1848 0 0.0 00:00:00 0.0 2128 476368 ? S 18:19:03 automount --pid-file_/var/run/autofs.pid apache 2082 0 0.1 00:00:37 0.4 17868 402748 ? S 06:26:57 httpd <noArgs> apache 2083 0 0.1 00:00:36 0.4 17872 402748 ? S 06:26:56 httpd <noArgs> apache 2084 0 0.1 00:00:37 0.4 17908 402932 ? S 06:26:56 httpd <noArgs> apache 2383 0 0.1 00:00:36 0.4 17872 402748 ? S 06:25:53 httpd <noArgs> root 4951 0 0.0 00:00:00 0.0 1300 79968 ? S 18:17:40 sshd <noArgs> root 5354 0 0.0 00:00:01 0.0 2696 91304 ? S 18:15:48 sendmail: accepting_connections smmsp 5361 0 0.0 00:00:00 0.0 2108 82756 ? S 18:15:48 sendmail: Queue_runner@01:00:00_for_/var/spool/clientmqueue" | rex max_match=9999 field=data "(?P<lines>[^\n]+)" | table lines | mvexpand lines | rex field=lines "^(?<USER>\S+)\s(?<PID>\S+)\s(?<PSR>\S+)\s(?<pctCPU>\S+)\s(?<CPUTIME>\S+)\s(?<pctMEM>\S+)\s(?<RSZ_KB>\S+)\s(?<VSZ_KB>\S+)\s(?<TTY>\S+)\s(?<S>\S+)\s(?<ELAPSED>\S+)\s(?<COMMAND>\S+)\s(?<ARGS>.*)" | fields - lines | search USER!="USER" ... View more

I am pretty sure it is broken. Screen shot here: https://www.dropbox.com/s/3f4rj7468qoilln/Screenshot%202015-04-16%2007.29.02.png?dl=0 Sample app here: http://d.pr/f/wF95 To replicate, import the sample data, ensure you are in the kvform_example app, and run this search: source="students.txt" | kvform form=students ... View more

SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)@ ... View more

This search shows the problem. | stats count | eval ips="2001:54FF:0000:ffff:ffff:ffff:ffff:ffff,2002:54FF:0000:ffff:ffff:ffff:ffff:ffff,2003:54FF:0000:ffff:ffff:ffff:ffff:ffff" | rex field=ips "(?P[^,]+)" max_match=0 | mvexpand ip | table ip | search ip=2001:54FF::/48 Splunk currently does not support ipv6 CIDR searching. BUT, because you are searching for a /48, these both work: | stats count | eval ips="2001:54FF:0000:ffff:ffff:ffff:ffff:ffff,2002:54FF:0000:ffff:ffff:ffff:ffff:ffff,2003:54FF:0000:ffff:ffff:ffff:ffff:ffff" | rex field=ips "(?P[^,]+)" max_match=0 | mvexpand ip | table ip | search ip=2001:54FF:* | stats count | eval ips="2001:54ff:0000:ffff:ffff:ffff:ffff:ffff,2002:54FF:0000:ffff:ffff:ffff:ffff:ffff,2003:54FF:0000:ffff:ffff:ffff:ffff:ffff" | rex field=ips "(?P[^,]+)" max_match=0 | mvexpand ip | table ip | search ip=2001:54FF:* As you can see, the capitalization does not matter. ... View more

Are you following these instructions? http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Defineper-resultalerts ... View more

If you could post 2 or 3 example events, we could help further. ... View more

Option 1: Put a timestamp in the filename: filename-01-19-2015-13-03-00.txt Be sure to script a clean up of the directory every week or so. Option 2: Use a scripted input. Have the script read out the file into splunk, then delete the file from the file system. Scripted inputs are covered here: http://docs.splunk.com/Documentation/Splunk/6.2.1/AdvancedDev/ScriptedInputsIntro ... View more

This modification at search time seems to give what you are looking for. If not, please give before and after examples of what you are looking for. | rex field=_raw mode=sed "s/(\w+\/)\d+( |\/)/\1byId\2/g" ... View more

I would extract the nanoseconds and then search based on them: | stats count | eval text="2013-02-13:22:09:43.687223" | rex field=text "\d+\-\d+\-\d+\:\d+\:\d+\:\d+\.(?<nanoseconds>\d+)" | search nanoseconds>687222 | stats count | eval text="2013-02-13:22:09:43.687223" | rex field=text "\d+\-\d+\-\d+\:\d+\:\d+\:\d+\.(?<nanoseconds>\d+)" | search nanoseconds>687223 ... View more

I know you said you wanted to sed the data at index time, but let me try and dissuade you. Once you lose that ID, you can't get it back. And you may want it later. This will extract the data you want at search time. | rex field=_raw "(GET|HEAD|POST|PUT|OPTIONS|CONNECT)\s(?.+)/\d+ HTTP" ... View more

I use this one. It rocks for SublimeText https://sublime.wbond.net/packages/Generic%20Config ... View more