cgilbert_splunk's link should probably work for you too. Something like this: sourcetype=whatever | transaction endswith="Send failed" maxevents=5 ... View more

If you look at the raw scan results in splunk and they contain proper OS signatures, then the field extraction isn't catching it. You can modify the extraction in that case. If the raw results don't contain signatures it's an issue with nmap itself. ... View more

What user is the scan running as? What does the raw data look like? Is the OS string included? A single result should look something like this sample (notice the "OS: Linux ..." portion at the end). Host: 192.168.1.2 () Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/, 80/open/tcp//http//Apache httpd/, 111/open/tcp//rpcbind//2 (rpc #100000)/, 443/open/tcp//ssl|http//Apache httpd/, 8089/open/tcp//ssl|http//Splunkd httpd/, 9001/open/tcp//vnc//VNC (protocol 3.8)/, 9002/open/tcp//vnc//VNC (protocol 3.8)/ Ignored State: closed (993) OS: Linux 2.6.17 - 2.6.31 Seq Index: 205 IP ID Seq: All zeros Finally, nmap isn't always successful in matching a fingerprint to the OS. In those cases, please consult nmap.org: http://nmap.org/book/osdetect-unidentified.html#osdetect-contrib Regarding the scan time, 15 minutes for a subnet sounds fairly reasonable to me. The scan time will really depend on the characteristics of the network itself -- how many hosts are online, for instance. Fortunately, with this app you can distribute scanners out to multiple subnets and scan many subnets in roughly that same amount of time. ... View more

You can configure an fschange input stanza to monitor changes to the directory. That would probably be the easiest. Look for "fschange" on this page: http://www.splunk.com/base/Documentation/latest/admin/Inputsconf ... View more

Does this work for you? \s+(?<myfield>\d+:\d+)\'\d+$ ... View more

How about something like this: sourcetype=access_combined | eval chars=mvcount(split(uri, "=")) - 1 | table uri, chars ... View more

Try setting your variable in $SPLUNK_HOME/etc/splunk-launch.conf and restarting. That may do it. ... View more

Are you sure that the server accepts credentials? What happens if you clear them out (because the server appears to be telling you that it won't take them)? ... View more

Do you mean within the context of an input? # inputs.conf [monitor://$SPLUNK_HOME/etc/apps/cisco/logs/cisco_firewall.log] ... View more

It sounds like you just want to specify the coldToFrozenDir. If you're signing the data already, that should be preserved during the migration. http://www.splunk.com/base/Documentation/latest/admin/Automatearchiving#Let_Splunk_archive_the_data_for_you If you do need a script, it doesn't have to be python, but the example coldToFrozenExample.py is a good start. ... View more

Did you enter a username and password on the email setup page, or leave those empty? ... View more

Many cell providers allow sending of SMS through an email address such as 1234567890@vtext.com I thought there was a twilio connector somewhere as well, but you could certainly tie into a script that utilizes an SMS service like that as well (DIY). ... View more

What output are you getting? You may need to run a convert on rtime if you're not already, but something like this should work: ... | eval now = now() | eval tdelta = now - rtime | table ... ... View more

It actually does explain the arguments, which are 6 separate strings: Optional arguments <string> Syntax: "<string>" Description: These six optional string arguments correspond to: ["<row prefix>" "<column prefix>" "<column separator>" "<column end>" "<row separator>" "<row end>"]. By default, when you don't specify any strings, the format output defaults to: "(" "(" "AND" ")" "OR" ")" The format command is really used in the creation of a search, which is why it will join all rows and columns to create a valid search string. Is that what you're doing here, or are you just looking to get a string to output on a dashboard? If it's the latter, something like this would probably work better. I don't see any reason to use that append subsearch either: searchsourcetype="tvs-a9-request" | stats dc(TextQuery) as Query count(MAC) as Number | strcat "Query Number " Query " " Number my_new_string ... View more

It's ultimately the same code base, so there are some annoying items like that which may mislead you. ... View more

Can you explain more about the use-case? There isn't a single file once it's indexed within Splunk. But, you can conduct an appropriate search and then click on the little down arrow to the left of the timestamp and click "View Source" to see the raw events. ... View more

These should work. I think that your shell is attempting to interpret the pipe symbol or quotes improperly. What happens if you use single quotes instead of double? ... View more

If you're not already, you'll probably want to utilize a temporal lookup for this as well. That way, you can get the exchange rate at the time of the event, rather than always getting the current exchange rate. ... View more

Splunk does retain the original event. You can configure block signing to verify the integrity of those events (as they were stored in the Splunk index): http://www.splunk.com/base/Documentation/latest/admin/ITDataSigning ... View more

What is your search that renders the table? I've never experienced this, but my searches tend to be something like "... | table field1, field2". Are you using the table command or something else? ... View more

I believe the answer to this is going to be: turn on OS level auditing. That will tell you as much as is possible to know. You could probably splunk user's .bash_history, etc files as well, but of course, they can modify their HISTFILE if they want to. ... View more

If you're doing this from the "Build Report" link, once you click that the resulting popup window will have this link on the bottom of the page: Set span for time axis intervals (for example: every 10 minutes) You can configure it there. In the end, it will do something like: ... | timechart span=1h count by host ... View more

I'm not sure you're understanding. You want to cut and paste this: crcSalt=<SOURCE> We're not telling you to replace <SOURCE> with the "source" of the data. Literally put that string in there. It will work if you do this correctly. ... View more