You are using strftime , which is converting your times into text strings, which you can't do maths operations on. What format is time_of_last_change ? Is it a unix timestamp? If so, you can calculate the difference by doing eval diff=relative_time(now(), "-1h@s") - time_of_last_change . Otherwise, you most probably want to use the strptime command, which converts times in text format into a unix timestamp, which is seconds. From there, you can calculate the time difference. ... View more

In your query, you are not correlating your CSV data with the original indexed data. You may need to do a stats or a join to combine the indexed data with your CSV data. Alternatively, have you tried using your CSV as a lookup? index=s1 | lookup cosco_mapping.csv city AS office OUTPUT lattitude longitude ... View more

All your questions are covered in the docs, http://docs.splunk.com/Documentation/HadoopConnect/1.2.5/DeployHadoopConnect/ExporttoHDFS Compression Level Use the slider bar to determine file compression. 0 means no compression and 9 give you the maximum possible compression. The higher the compression level is set, the more slowly files are written. The higher the compression, the smaller the size of the exported files in hdfs will be. Also note that higher compression may also mean slower retrieval of data How does partitioning work? Partitioning is a process by which the export data is placed in a dynamic directory structure based on the values of certain event fields. You can choose how exported data is partitioned. It can be partitioned by any of the fields present in the event. Hadoop Connect exposes the following out-of-the-box partitioning variables: Date Hour Host Source Sourcetype When you are creating an export job, you can select one or more of these partition variables in the user interface. Splunk will create directories based on these partions in hdfs. So if you select Date, Hour and Sourcetype, Splunk will create the following directory structure for your data /2018/11/06/00/WinEventLog_Security/ to store the various files containing your exported data Creating your own partitions In addition to the out-of-the-box partitioning variables, you can use any field to compute a partitioning path into the events (results) to be exported. Use the special field _dstpath . For example, to export your search results into the path <base-path>/<date>/<hour>/<app> , use the following search string: search ….. | eval _dstpath=strftime(_time, “%Y%m%d/%H”) + “/” + app_name You can perform other types of preprocessing of data in the Splunk platform (lookups, field extractions, evaluate other fields, and so on) or choose to export it in raw format Schedule Export The Schedule Export is the only way to export indexed data into hdfs. ... View more

Oracle Linux is essentially a repackaged RedHat Linux, so the RPM versions of Splunk Enterprise and the Universal Forwarder should be compatible. You can also use the tgz version if you prefer. ... View more

The issue you are having is because you have a | search Thread:1 , all other threads are being discarded after that point. You probably need to incorporate the Thread:1 etc... into your rex statement. Can you provide some log samples. ... View more

You will need to use prestats mode with tstats, see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats | tstats prestats=true summariesonly=true count from datamodel="Network_Traffic.All_Traffic" where All_Traffic.dest_port=22 by All_Traffic.dvc, All_Traffic.action | rename All_Traffic.dvc as Device, All_Traffic.action AS Action | stats sum(count) by Device, Action ... View more