This exists: https://splunkbase.splunk.com/app/2624/ That said, it is not specifically for Bluecoat, but is for any CIM-compliant proxy data. It also uses Accelerated Data Models for the reporting, so that is something to be aware of (check the docs) ... View more

You could certainly modify it to: | rest /services/search/jobs | search label="<saved search name>" | table label earliestTime latestTime ... View more

I understand that Splunk says that this bug is fixed, however, in my experience, that isn't true. I would open a case with Splunk support if the list in the roles view isn't the same as those available in the indexes view, as that sounds like a bug. ... View more

Not sure about using loadjob for this, but you can certainly use REST: | rest /services/search/jobs/<search id> | table earliestTime latestTime ... View more

The search head doesn't actually get a list of the indexes from the master, at least not one that it uses for populating this list (yeah, kinda lame). As such, we usually create "dummy" indexes on search heads, just to populate the list. As long as your search head is forwarding its events back to the index cluster (best practice), then the indexes really only get used for populating GUI stuff. ... View more

In most cases, yes you can, as they are saved searches. The Splunk Cloud User Manual is a great place to start, and there is also the Alerting Manual. ... View more

What version of Splunk are you running? ... View more

Just a note that props.conf can also contain search-time configurations, and as such, usually does not live on just the indexer. It contains index-time and search-time configurations, so it can be placed on both. ... View more

Just a note that lookups don't occur on indexing. They occur on search. This means that if you configure iplocation as an automatic lookup, then when a user searches the data, the iplocation will occur, which may have some search performance implications. ... View more

A regex like: Account\sName\:\s+(?<UserName>(?!-)\S+) Should get the account names, excluding "-". If you also wanted the "-": Account\sName\:\s+(?<UserName>\S+) Give those a shot and see what happens ... View more

Gotcha. Was this configured via the GUI? ... View more

Are you trying to extract both the "-" and the "ArnoldSchwarzenegger" or do you want to exclude an account name of "-"? ... View more

Given the sample data, you will most likely have to adjust the timestamping for your data to something like: [sc-kofax-ktm] TIME_PREFIX = ^\d+\s+ MAX_TIMESTAMP_LOOKAHEAD = 8 TIME_FORMAT = %H:%M:%S This should go in a props.conf on the first full Splunk Enterprise instance the data will hit, most likely your indexer(s). ... View more

Sure! Check it out: | tstats prestats=false local=false summariesonly=true sum(Web.bytes_in) AS bytes_in from datamodel=Web where nodename=Web.Proxy by Web.dest | rename Web.dest AS dest | replace *pandora* with www.pandora.com in dest | replace *facebook* with www.facebook.com in dest | stats sum(bytes_in) AS bytes_in by dest | eval MB=round(bytes_in/1024/1024,2) I think I missed what you were doing with the replace commands before. ... View more

If your data model is accelerated, try this: | tstats prestats=false local=false summariesonly=true sum(Web.bytes_in) AS bytes_in from datamodel=Web where (Web.dest = *facebook* OR Web.dest=*pandora*) AND nodename=Web.Proxy by Web.dest | rename Web.dest AS dest | eval parent_site=if(match(dest, "^.*facebook.*$"), "www.facebook.com", "www.pandora.com") | stats sum(bytes_in) AS bytes_in by parent_site | eval MB=round(bytes_in/1024/1024,2) | sort - MB ... View more

Can you provide a screenshot of the event from Splunk? I'm having trouble with the way Answers is formatting it. Also, what should the correct timestamp for this event be? ... View more

You can do this with a subsearch: index=* sourcetype=proxy [ inputlookup mydomains | table domain | rename domain AS search | format] If you specifically wanted to check the domain field for a match, you could use the following: index=* sourcetype=proxy [ inputlookup mydomains | fields domain] As long as the field name in the input matches the field name in the data (for example if you have a field in the lookup named "domain" and then the field in your proxy data is "domain" as well). If the field names do not match, you can use a rename command in the subsearch: index=* sourcetype=proxy [ inputlookup mydomains | fields badguy | rename badguy AS domain] ... View more

You should check out the Protect against loss of in-flight data section of the forwarding manual, as well as the Persistent Queues section of the Getting Data In manual. TL;DR: For some inputs, Splunk has a configurable queue where it will store data for when forwarding can resume. For other types of inputs, it will stop following the input until the pipeline is clear again. ... View more

No, it still wouldn't be perfect. You still need a deployer, which would most likely be the DS. So another system would still be needed. ... View more

Search artifacts are not just the user's history, but also remnants/results from previous searches. For example, if you have a scheduled search that runs and sends out a link to the results, that link is to search artifacts rather than rerunning the search. ... View more

Barely. SHP has a lot of performance problems in most cases, as it is CIFS/NFS based. Rsync provides different levels of pain. From what I have seen in the past, attempting to sync search heads via rsync produces weirdness (at best). Best option here, unfortunately, is to get another search head. Splunk recommends that servers in SHC be similar, which makes sense, as SHC doesn't really have a concept of "weighting". However, perhaps a small VM that sees no end-user searches. ... View more

My recommendation is create a series of DS apps that contain the inputs, usually one for each event log branch you want to collect, something like: DS-all_departments-Inputs-wineventlog_security DS-all_departments-Inputs-wineventlog_system DS-all_departments-Inputs-wineventlog_application Then, in your serverclass.conf, you can mix and match as needed: # get the windows security logs from all windows systems [serverClass:WinSecurity] whitelist.0=* machineTypesFilter=windows-* [serverClass:WinSecurity:app:DS-all_departments-Inputs-wineventlog_security] [serverClass:WinApplication] whitelist.0=prod.yourcompany.com [serverClass:WinApplication:app:DS-all_departments-Inputs-wineventlog_application] # note that we don't have to add the winsecurity logs, # as they are already in another class which includes all windows systesm [serverClass:WinTheWorks] whitelist .0 = appservers.yourcompany.com [serverClass:WinTheWorks:app:DS-all_departments-Inputs-wineventlog_application] [serverClass:WinTheWorks:app:DS-all_departments-Inputs-wineventlog_system] You can then distribute the Splunk_TA_windows to your indexers and search heads only, not all of your enterprise. But, you can use the inputs.conf from the TA as the base for your input apps. ... View more

For the love of Benji, don't do SHP. ... View more

Yo dawg, Splunk heard you liked conf, so they put conf.conf in your conf so you they can conf your conf from conf. Seriously though, the conf.conf file controls configuration precedence in Splunk. It isn't documented very well, because it isn't meant to be modified. I haven't really messed with it much (nor do I recommend doing so), but here is a fun tip to see the configuration file precedence in Splunk: grep conf conf.conf | grep ­‐v confdb ... View more