Sure there is, just try this for example | rest /servicesNS/-/-/saved/searches | search title="DMC*" this will return 13 saved searches from the Monitoring Console . The title is the name of any saved search. cheers, MuS ... View more

Hi stevesmith08, If you use the field with less multi values, expand it and do the compare operation it should work just fine. Try something like this: sourcetype = MySourceType earliest = 0 latest = now() | eval category = if(_time>relative_time(now(), "-2h@h"), "DeviceIDnew", "DeviceIDlater") | chart values(deviceID) by IP, category | mvexpand DeviceIDnew | eval compare = if(DeviceIDlater=DeviceIDnew, 0, 1) | table IP, DeviceIDlater, DeviceIDnew, compare This will work with a small set of events, if you have millions of events try this: sourcetype = MySourceType earliest = 0 latest = now() | eval category = if(_time>relative_time(now(), "-2h@h"), "DeviceIDnew", "DeviceIDlater") | chart values(deviceID) by IP, category | stats values(*) AS * by IP DeviceIDnew | eval compare = if(DeviceIDlater=DeviceIDnew, 0, 1) | table IP, DeviceIDlater, DeviceIDnew, compare Hope this helps ... cheers, MuS ... View more

Based on the comments, upvotes this answer has been accepted to be the correct one. cheers, MuS ... View more

Well, It says in the /var/log/messages that it cannot allocate memory. there you have the reason. Now you need to find out if you either can add more memory or limit the other application so they don't use all the memory. cheers, MuS ... View more

Exactly for the reasons I told you search will search in the _raw for a string, while where uses eval to compare two values of two fields 😉 ... View more

It does sound horrible indeed 😉 ... View more

Greeting from the future, according to the latest docs https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTcluster#cluster.2Fslave.2Fcontrol.2Fcontrol.2Fdecommission it is like this : curl -k -u admin:pass https://indexer:8089/services/cluster/slave/control/control/decommission -X POST cheers, MuS ... View more

Well in this case, the easiest option is to simply replace the lookup file with the newer version on the file system of the Splunk instance itself. ... View more

Hi yspade5, There are some troubleshooting option, I will just list a few of them. On the license master: - check if Splunk is running - check the file $SPLUNK_HOME/var/log/splunk/splunkd.log for any SSL related errors - verify in web.conf the option mgmtHostPort = <IP address:port> is NOT set to a port other than 8089 On one of the license slaves - verify from that you can connect to the license master on port 8089 over https (using curl for example) Also check if there were any changes in your network just before the error started to happen. Hope this helps ... cheers, MuS ... View more

That's where the defaultGroup = cluster1 in outputs.conf kicks in, it will send ANY data to the target. But you can also remove the defaultGroup = cluster1 and do something like this: props.conf [my:sourcetype1] TRANSFORMS-000-route_to_cluster = 000-route_to_cluster1 TRANSFORMS-001-route_to_new_index_cluster2 = 001-route_to_new_index_cluster2, 003-route_to_cluster2 [my:sourcetype2] TRANSFORMS-000-route_to_cluster = 000-route_to_cluster1 TRANSFORMS-001-route_to_new_index_cluster2 = 002-route_to_new_index_cluster2, 003-route_to_cluster2 transforms.conf [001-route_to_new_index_cluster2] DEST_KEY =_MetaData:Index REGEX = . FORMAT = my_new_index1 [002-route_to_new_index_cluster2] DEST_KEY =_MetaData:Index REGEX = . FORMAT = my_new_index2 [000-route_to_cluster1] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = cluster1 # which is the name from outputs.conf [003-route_to_cluster2] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = cluster2 # which is the name from outputs.conf Hope that make sense ... cheers, MuS ... View more

Hi gmuller1, you can set a default search mode by using a ui-prefs.conf setting with this: [default] display.page.search.mode = [fast|smart|verbose] choose what ever mode you want as default, put it into $SPLUNK_HOME/etc/system/local/ and restart Splunk. This should set the default search mode, but only until you change it again in the UI then it is saved in your session cookie. Hope this helps ... cheers, MuS ... View more

There are two limits that you could hit here, one being Splunk with the default limit in authentication.conf being set to 1000: sizelimit = <integer> * OPTIONAL * Limits the amount of entries we request in LDAP search * IMPORTANT: The max entries returned is still subject to the maximum imposed by your LDAP server * Example: If you set this to 5000 and the server limits it to 1000, you'll still only get 1000 entries back * Defaults to 1000 Which is the same as the default size limit in AD https://support.microsoft.com/en-nz/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil Maybe this helps to find the cause for this. cheers, MuS ... View more

Hi myazid, according to this shiny PDF https://marketplace.mobileiron.com/servlet/servlet.FileDownload?file=00P3400000hElSdEAK there is a universal forwarder on the appliance and according to this post https://answers.splunk.com/answers/607031/is-there-any-mobile-iron-devicemdm-integration-doc.html you can use the Administration Console to configure everything. Just the messenger here, never used MobileIron ¯\_(ツ)_/¯ Hope this helps ... cheers, MuS ... View more

Hi splunkuseradmin, find a detailed answer how it can be done here : https://answers.splunk.com/answers/708473/how-do-you-update-a-lookup-table-manually-in-a-dis.html#answer-708607 There is also an option to use SPL in combination with | inputlookup append=t ... | ... | outputlookup ... to update the lookup file using event data in Splunk itself. Hope this helps ... cheers, MuS ... View more

Have you checked $SPLUNK_HOME\var\log\splunk\splunkd.log for errors? Try running in an admin CMD: $SPLUNK_HOME\bin\splunk.exe clean locks $SPLUNK_HOME\bin\splunk.exe restart cheers, MuS ... View more

except the REGEX , just use . because the props.conf already limits the use of the transforms to specific sourcetypes 😉 ... View more

yep, that should work ... View more

Hi kuki_junior, try this: your base search here | stats count values(user) AS user by IP Hope this helps ... cheers, MuS ... View more

please hold, this can be done on the HWF 😉 ... View more

@ehowardl3 is the data split/cloned to both idx clusters or load balanced? ... View more

Hi oxthon, Well looking at this in a pure technical way it is of course possible to do this, does it make sense to do it ¯\_(ツ)_/¯ Most likely better to follow @ddrillic 's advice and make sure those events do not come into Splunk in the first place. But back to your question, you can use a props & transforms setup to check if an event contains a valid IP and put it into index=right anything with an invalid IP will go into index=error . This setup can be based on source, sourcetype or host. Try something like this: props.conf [your sourcetype name here] TRANSFORMS - 000-sourcetypeName-routing-based-on-ip = 001-sourcetypeName-routing, 000-default-errorRouting transforms.conf [000-default-errorRouting] REGEX = =\s[\d\w\.!]+\s DEST_KEY = _MetaData:index FORMAT = error [001-sourcetypeName-routing] REGEX = (?:\d{1,3}\.){3}\d{1,3} DEST_KEY = _MetaData:index FORMAT = right These setting must go onto the parsing Splunk instance (HWF or indexer) and you need to restart this instance. Hope this helps ... cheers, MuS ... View more