Hi vikfnu, still not much of information in here, and also no hint to the search your using ..... so I'm asking the magic glass ball and try to answer what I reckon you might want to do .... One thing first, upload the data as is into Splunk no need to do any preanalysis of any kind. Upload your csv files (lets call them 1.csv to 4.csv ) into an index, let's say it is called csv and create a search that will return all the event, don't care about grouping or anything else for now - just get the events: index=csv source=1.csv OR source=2.csv OR source=3.csv OR source=4.csv this will just return all the events. Now, we need to find some field that can be used to correlate the events you mentioned ComputerName and Categoristion_ I assume the later has something after the _ so we ignore this one for now. By adding a case() statement to the SPL we can get all variations of ComputerName from the events and use it: | eval ComputerName = case(isnotnull(ComputerName), ComputerName, isnotnull(computername), computername, isnotnull(computerName), computerName, 1=1, "unknown") this list need to be extended so it matches all possible variation for any computer name field available in the events, and the last 1=1 is a catch all and will show you unhandled cases 😉 After that step you can correlate the events using a stats on ComputerName and _time : | stats count values(*) AS * by ComputerName _time Once this is done, you can add more PSL to munch the data in every possible way until you get your expected result. So here is everything from above as one SPL statement: index=csv source=1.csv OR source=2.csv OR source=3.csv OR source=4.csv | eval ComputerName = case(isnotnull(ComputerName), ComputerName, isnotnull(computername), computername, isnotnull(computerName), computerName, 1=1, "unknown") | stats count values(*) AS * by ComputerName _time If this is not what you are after, than I need to bring my magic glass ball into service or you need to provide more details on the events (anonymise any sensitive data!) and you SPL you used. Hope this helps ... cheers, MuS ... View more

Hi a212830, I came along such problems when the user or group DN was set at a too high level in the LDAP tree. Work around was always setting the user and group DN's as specific as possible. You can add multiple in the list and seperate them by using a ; between them. Also, increase the logging channels of AuthenticationManagerLDAP and ScopedLDAPConnection in Settings » Server settings » Server logging to get more logs during run time. Another thing especially with AD: there was always a performance boost by using a specific DC server instead of the AD domain name. This has of course down sides as well. Hope this helps ... cheers, MuS ... View more

Hi knalla, try this run everywhere search: | makeresults | eval myTimeString="Mon 07/23/2018 17:19:01.89", _time=strptime(myTimeString, "%a %m/%d/%Y %H:%M:%S.%2N"), epoch=_time This will parse your string and creates _time which will be shown human readable in Splunk, and epoch as an epoch time. Read more about strptime() here http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables Hope this helps ... cheers, MuS ... View more

Hi batsonpm, when using inputlookup you will not get a field called _raw , try using the header name for this column: | rex field="Server Connection" "address: (?<Server>[^)]+)" Also note the changed regex, since your would match everything after address: . Hope this helps ... cheers, MuS ... View more

Hi lucasfbeinjamin, I used this app https://splunkbase.splunk.com/app/1317/#/details to index events from RabbitMQ. AMQP should work as well and you can find some details here https://answers.splunk.com/answers/417881/amqp-messaging-modular-input-how-do-we-configure-a.html Hope this helps ... if not I summon @Damien Dallimore 🙂 cheers, MuS ... View more

Hi jip31, to start with: you are using 6 times join which is causing the performance issues and a lot other problems you probably not even notice you have them 😉 As a start combine all you searches into one single base search: ( index="perfmon" sourcetype="perfmon:logicaldisk" instance=c: counter="Free Megabytes" OR counter="% Free Space" ) OR ( index="windows-wmi" sourcetype="WMI:LastLogon" LastLogon ) OR ( index="windows-wmi" sourcetype="WMI:LastReboot" LastRebootUpTime ) OR ( index="windows-wmi" sourcetype="wmi:MemorySize" ) OR ( earliest=-120d index=windows sourcetype=winregistry ) OR ( index="windows-wmi" sourcetype="wmi:videosignal" ) and do what ever needs to be done in the next SPL steps. I you want to use the first lookup file as filter for the base searches you can actually just do something like this: ( index="perfmon" sourcetype="perfmon:logicaldisk" instance=c: counter="Free Megabytes" OR counter="% Free Space" ) OR ( index="windows-wmi" sourcetype="WMI:LastLogon" LastLogon ) OR ( index="windows-wmi" sourcetype="WMI:LastReboot" LastRebootUpTime ) OR ( index="windows-wmi" sourcetype="wmi:MemorySize" ) OR ( earliest=-120d index=windows sourcetype=winregistry ) OR ( index="windows-wmi" sourcetype="wmi:videosignal" ) [| inputlookup append=t NZDL-Out.csv | search ComputerName=$tok_filterhost$ | rename ComputerName as host, Online as Ping_Status | eval Ping_Status =if(Ping_Status=="True","OK","KO") | table host Ping_Status | format ] The sub search here is okay, because it uses a lookup file and will return a OR search pattern like ((host=foo1 AND Ping_Status="KO") OR (host=foo2 AND Ping_Status="OK")) Once you get the base search sorted, you can do all the rename , eval and/or stats to get the result you need. Hope this helps ... cheers, MuS ... View more

Hi patricianaguit, while SEDCMD and the props/transforms can do the same, SEDCMD is for index time only http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf (search for SEDCMD) and will be applied to your _raw events. The props/transforms approach can do the same as SEDCMD in this regard, but it can also just be used for search time. That said, it will can not only change _raw events but it can also just change the search result without changing _raw . To answer which is better; it all depends on your use case 😉 Hope this makes sense ... cheers, MuS ... View more