no answer, i gave up. i will wait for the next few versions and hopefully its documented a little better also. ... View more

from above: my end goal here is to look for clients that last synced over 30 days ago. ... View more

this seems to be working to generate the field in human readable format lastSync=strftime(strptime(LastSyncAttemptTime, "%m/%d/%Y %H:%M:%S"),"%m/%d/%y %H:%M:%S") what i realized is to finish the rest of the search it was easier to leave it in epoch time. use this for now: | eval lastSync=strptime(LastSyncAttemptTime, "%m/%d/%Y %H:%M:%S") | eval lastsyncbad = relative_time(now(), "-30d" ) | where lastSync < lastsyncbad there might be a more effective method but this works. ... View more

that yields: LastSyncAttemptTime 04/08/2016 07:19:46 lastSync 1460114386.000000 which looks like it converted it into epoch time. convert again? ... View more

Right now the workflow is realtime alert on this search: Lockout Alert: eventtype=msad-account-lockout out | lookup AD_Users_Lookup sAMAccountName as user | table _time, displayName, user, email, telephoneNumber, mobile, pwdLastSet, description, Caller_Computer_Name, dest_nt_host | rename Caller_Computer_Name as "Occurred On", mobile as "Mobile Phone", telephoneNumber as "Phone", user as "UserID", pwdLastSet as "Password Changed On", signature as "Action", description as Description, dest_nt_host as "Reported By" The secondary search that I'm thinking about looping in is: Why it locked out, but may come back with multiple results if they try on different PCs (src): eventtype="msad-failed-user-logons" EventCode=4625 | table user, src, src_ip, EventCodeDescription, dest ... View more

fresh installs ... View more

yup, all 3 servers are on 6.3.1 ... View more

standard auto LB seems to work when the stream of data isn't that heavy. i'm assuming that's why it doesn't work so well with syslog from 50+ devices. i set the forceTimebasedAutoLB = true now it changes indexers every 30 seconds which i think it a little overkill. my searches are usually over 15 mins spans so i could extend the interval to maybe 3 or 5 mins. basically my new question is what affect does changing the 30 second interval up to 3+ mins? if my indexer1 goes down, will it take 3+ mins for it to switch to indexer2? ... View more

so after setting forceTimebasedAutoLB=true, i see the syslog data load balanced between the indexers now. its on the default 30 second rotation. i'm worried about increasing that frequency because i believe that will also be the fail-over time in the event of a indexer outage? ... View more

right i saw that page, but it still leaves me with a ton of questions. so in order to use python, they have this block: to use Python to interpret the script file: '---- myscript.py ----- '#!/path/to/python '..... '..... does this mean that i need to install my own version of python? or is there a way to point it to the version installed with splunk? ... View more

Does this still hold true for version 5.0.3? i'm trying to implement this and can't seem to make it point to the new script. \Splunk\etc\apps\search\local\commands.conf [sendemail] filename = $SPLUNK_HOME/etc/apps/search/bin/my_sendemail.py streaming = false run_in_preview = false ... View more

perfect, thanks ... View more

not sure about the deployment monitor for that use. however your other setup sounds about right. i would restart splunkd service on the forwarder, take a look at the /var/log/splunkd.log, it will provide a lot of useful information about what is going on. ... View more

i'm somewhat new to splunk but i'll try to help till someone else gives a better answer. MachineA should have the input configured to monitor a file http://docs.splunk.com/Documentation/Splunk/latest/Data/Editinputs.conf MachineA should also have the outputs configured to push the data to MachineB http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd This forward should be a 'Splunk Forward' MachineB should be set to receive the data usually defaults to: [splunktcp://9997] now you mention deployment monitor, thats a different beast. if you are using a deployment server [MachineB], you have to create/modify $SPLUNK_HOME/etc/system/local/serverclass.conf on MachineB serverclass.conf tells the deployment server which folders under /deployment-apps/ it should push to which clients. and drop your configs for input into a folder inside of (default location) {MachineB] $SPLUNK_HOME/etc/deployment-apps/ ex: $SPLUNK_HOME/etc/deployment-apps/MyInputForMachineA/default/inputs.conf http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configuredeploymentclients not sure at your splunk level but your scope here is quite large. i would start at manually configuring the input, forwarder and receiver. then move onto deployment server/monitor. ... View more