Hi Tylerwebmail - The behaviour you are describing is expected. By running the command: host-name_of_host | delete You have instructed Splunk to not report previously indexed data in Splunk from that host. ... View more

Glad I could help 🙂 ... View more

Yep, that's exactly it 🙂 Happy Splunking! ... View more

Hi Chhayva - as far as I am aware, you cannot embed a scrollbar in a dashboard to scroll through the timelines. WHat you can do is start from a high level, and zoom in to areas of interest. ... View more

Ahhh... well in that case get rid of field=event_desc and you should be good. Also, seeing as you're dealing with ASA logs, you might find the "Splunk for Cisco Firewalls" and "Cisco Security Suite" apps worth a look. ... View more

Hi Thinksplunk - can you give a few more samples? Are you trying to extract: source=c:/documents/app/test1/test12/control*num*34/12.log or: source=c:/documents/app/test1/test12/controlnum*34*/12.log? ... View more

Yep this will work, but be aware that both events will have an identical timestamp according to Splunk (Sep 20 00:37:19) ... View more

It's not really clear what you're trying to do here I'm sorry. If the event that you provided is as you've posted, then data is not being brought into Splunk correctly and should be fixed. If you're trying to process a merged event after a | transaction command has been applied, then I think you might be walking down the wrong path. Ultimately it depends on: - The nature of your raw event logs (they may need to be sanitised) - What exactly you're trying to do. ... View more

To be honest, I think you may have answered your own question... if you have a look at the Palo Alto dashboard, and append ?showsource=1 to the end of the URL, you can see the code that was used to create that page. Also, check out the "Splunk Dashbaord Examples" app, as well as the following documentation. http://docs.splunk.com/Documentation/Splunk/5.0.4/Viz/Exampledashboard#Configure_a_single_value_panel Hope this helps 🙂 ... View more

Hi jrodriguezap, I think the issue here is with the configuration of your event breaking rather than using the split command. SHould the logs really be put together like that? If not, then you're going to need to play around with your props.conf to split them accordingly. Using your example: [your_sourcetype] LINE_BREAKER=([;\r\n]+\s?) NO_BINARY_CHECK=1 SHOULD_LINEMERGE=false This may not be the ideal way to do it (I'm a bit tired right now), but it gives me the following results: References: Splunk Docs: http://docs.splunk.com/Documentation/Splunk/5.0.4/Data/Indexmulti-lineevents ... View more

Hi Royimad, If you download the "Splunk UI Examples" app and examine the samples they give, this should put you on the right path (it has quite a few sample for the switcher components). References: Splunk UI examples app for 4.1+ Splunk Dashboard Examples (version 5+) ... View more

Hi Charlie, In this scenario, is my understanding correct that we will need to create a ton of custom code to get the basic web analytics: where people come from, where they went, how much time they spent, etc? Will we have to write queries from scratch? "Where people come from" - With the Google Maps app, the origin og a user can be determined from the client IP address in the logs, as simply as putting together a search such as the one below: sourcetype=web_logs | geoip client_ip This will give every event a tag of the country and city of origin, as well as the lattitude & longitude (as well as other things). No custom code required. "Where they went" - If it's in the logs, Splunk can report it. sourcetype=web_logs client_ip="123.123.123.123" | stats values(url) You might not event have to write this query... it may be possible just to click through the GUI to get to the reports you're after. No custom code required. "How long they spent" - Splunk has a built in transaction command which, once you define the start and end events or common field, will give you the duration of a transaction. A possible example... sourcetype=web_logs | transaction session_id | table client_ip, username, duration Once again, no custom code. RE: pulling in data from other sources... this is Splunks bread & butter. It doesn't care about the structure of the data, it just needs to know when the event was generated to allow it to be effectively used once it's indexed. I think you're overlooking the power & flexibility of Splunk, which may be because you've never really taken it for a spin. Splunk is a powerful platform... so a certain amount of complexity and an initial learning curve is to be expected. But once you've got your head around it, you'll find yourself getting far more out of it than what you can with a product like Omniture (IMHO) There's an excellent introductory tutorial here: http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/WelcometotheSplunktutorial This will get your head around what Splunk is as well as (a little) or what it's capable of doing. EDIT: Replace the word "generic" in your question with "flexible", and you're getting there 🙂 ... View more

This isn't an answer per se, but have you tried using the job inspector to determine the efficiency of your searches? ... View more

Pointer #1: Upgrade Splunk 😉 ... View more

Hi Jrodriguez, To reload the search-time functions of props.conf and transforms.conf issue the following command in the search query bar: | extract reload=T Hope this helps 🙂 RT ... View more

Thanks for elaborating - good to know I was on the right path. ... View more

Hi Kscher, First I'll be honest... I did not read everything you wrote (sorry). Right... with that out of the way, I believe you'll find your issue is with the non-standard event boundaries in your data. I had something similar with some field extractions I did a while back where I had some entries like this: QBRILE9801 QBRMHE9831 QPTAAE2151 QWYNME9911 ... Where the string ranging from the 2nd to the 5th string would be the exchange_id field which I needed to extract (e.g. BRIL , BRMH , PTAA , etc.). "Regular expressions to the rescue!" I hear you say... well I said that too, except when I went to run searches & populate tables with my shiny new exchange_id field, I was getting zero results, while getting inconsistent results when I started throwing in asterisks into the equation like a ninja would throw shuriken... but that makes for a sloppy ninja. So along comes fields.conf . I had never used it before, and to be honest with you I'm probably not 100% on it's use, but when I made the following fields.conf ... [exchange_id] INDEXED_VALUE = false ...it miraculously started working the way I expected. So yeah... probably not much of an answer, but hopefully something to get you on the right track 🙂 Reference: http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Fieldsconf sloppyninja.com (Not really, but I just found out it exists) Cheers & Beers, RT ... View more

Hi Msmapper - Can you provide a few example events (obviously changing the CC numbers 🙂 ... View more

Hi Moonpixel - Can you share the search queries you used to generate your successful results? Knowing that will help get you an answer 🙂 ... View more