Hi damode, the TIME_FORMAT = %m-%d-%Y %H:%M%S,%l should be TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N . Regarding the truncating add TRUNCATE = 20000 to the props.conf Hope this helps ... cheers, MuS ... View more

Hi AnujaJadhav2, using regex101.com I ended up with this or regex: Node ID=(?i:(nbg))(.+)(?i:(cxm\d))|Node ID=(.+)(?i:(cxm\d)) the capturing group (.+) gives you the required results. I'm sure this is not the best solution regex wise and some more clever guys haver better regexes, but it gives you something to start with 🙂 cheers, MuS ... View more

Hi vincenp2, you can try this run everywhere search to get the required results: index=_audit user=* action="login attempt" info="succeeded" earliest=-120d@d | fields user | join user [ | rest /services/authentication/users splunk_server=local | fields title roles realname | rename title as user ] | fields user roles realname | stats last(_time) AS _time by user, roles, realname | where _time < relative_time(now(), "-90d@d") | eval lastSeenInSecs = round(now() - _time, 0) | eval "Last seen in (Days+HH:MM:SS)" = tostring(lastSeenInSecs, "duration") The join here is actually no problem, because the REST search is a generating command and only returns a few results. Hope this helps ... cheers, MuS ... View more

So what is the error message you get from the indexers? Can you please check the job inspector and post the error as well, please ? ... View more

Hi proylea, I did that once and simply installed a fresh Splunk on Windows and copied the following directories over: $SPLUNK_HOME/etc/system/local/ $SPLUNK_HOME/etc/apps/ $SPLUNK_HOME/etc/users/ and where applicable: - $SPLUNK_HOME/etc/passwd - $SPLUNK_HOME/etc/deployment-apps/ - and all possible clustering directories in some special cases you end up also copy over splunk-launch.conf and/or splunk.secret but usually this is not needed. This will work if the old and new Splunk instances will have the same name, otherwise you need to change the server name in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf . Finally the UUID could also be a problem and may need to be recreated on the new system after the migration. Hope this helps ... cheers, MuS ... View more

Hi there, you should use the code formatting for SPL and regex to keep all the special characters, code formatting can be applied by selecting the text and press either CTRL-K or the 101010 button. This helps people to be able to help because they can see all of your SPL and regex. cheers, MuS ... View more

You should provide both dashboard XML so people can help you better. But usually this is related to a missing or misspelled token somewhere along the drill down. cheers, MuS ... View more

Hot buckets are open files which Splunk is writing to and I'm sure you know the risks of open files if let's say the server crashes ... there is the potential data loos. If you have an average 1Gb per day then is is more like this for indexes.conf : maxDataSize = 250 maxHotBuckets = 4 maxWarmDBCount = 116 the remaining options look okay. You could also stick to your options but still need to change maxHotBuckets = 3 to be maxHotBuckets = 1 . But I saw you found this answer https://answers.splunk.com/answers/205125/are-there-any-search-and-performance-pitfalls-with.html as well and know about the risk associated to set maxHotBuckets = 1 Another question, is the hot/warm and cold storage on different storage tiers? If not, the split actually does not make lot sense - again just my 2 cents here and I hope this makes a bit more sense now 😉 cheers, MuS ... View more

can you please modify your post and use the code function (mark the text and press either CTRL-K or the 101010 icon) this helps in keeping the log and the regex 😉 ... View more

What does the messages tell you, you have 4 of them? If you query the REST api directly can you get something back: | rest /servicesNS/-/-/saved/searches splunk_server=local | search title="api*" ... View more

Surly you could do something like this, but should you do this is the question to answer here ... In your example, you have set maxHotSpanSecs to 30 days this means in a worst case scenario you can loose 30 days worth of data from your hot buckets - can your business accept that risk? The option maxDataSize is set to the default of 750Mb, does 30 days of data fit in there? Add many more questions to answer here ..... It is really hard to provide a fit them all solution, because all environments are different, all data is different, all use cases are different, and all business requirements are different. Sorry that I'm not able to provide the final solution that suits your needs perfectly cheers, MuS ... View more

Hi epeeran, basically you can do something like this: index=a OR index=b | eval id=coalesce(fieldA, fieldB) | stats values(*) AS * by id This will take either values from fieldA or fliedB as id and the stats will group everything by id . You can also read this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html to learn more about this topic. Hope this helps ... cheers, MuS ... View more

I found a even easier one, use the https://earthquake.usgs.gov/fdsnws/event/1/query?format=csv&starttime=2014-01-01&endtime=2014-01-02&minmagnitude=5 csv option and Splunk uses sourcetype=csv on it's own. Also remember, that data once indexed will not be re-indexed by Splunk. ... View more

please read the link http://www.georgestarcher.com/splunk-success-with-syslog/ it will explain everything ... View more

Two things to add: you cannot delete a user if you are logged on as this user you cannot delete a LDAP user cheers, MuS ... View more

You need to provide more details and information on I want to block .... like How do you want to block them and where do you want to block them? cheers, MuS ... View more

Hi triest, maybe I misunderstand your question, but how about a case() instead of searchmatch() ? Since searchmatch() takes a regex as argument you will compare against a literal filter in your example. Your example works btw if you do it like this: | eval actual=if(searchmatch("filter"),1,0) but this will match all events since you have filter in all example events. Would a case() like this do the thing? | eval actual=case(expected="1", "Yes", expected="0", "No", 1=1, "unknown") Again I may understand the requirement completely wrong ¯\_(ツ)_/¯ 😉 cheers, MuS ... View more

The reason I added this comment was at the SplunkTrust AMA at .conf 2017 some one asked why he gets all these weird errors when he puts the cluster configs on the peers using puppet 😉 The response was an in unison NO! and of course the SplunkTrust explained then why this should not be done. ... View more

Indeed the true() is always true 😉 The reason why I usually try to match as much as possible in the case() and use the catch all 1=1, "unknown" as last, is that you can then run a search to find any unknown values and fix them. A search example would be this: | makeresults | eval boo="2", foo=case(boo=1, boo, 1=1, "unknown") | transpose | search "row 1"="unknown" | stats count values("row 1") AS value by column | rename column AS fieldname ... View more

Hi tschminke, Usually you just copy the following directories from the old server onto a fresh install to migrate : $SPLUNK_HOME/etc/system/local $SPLUNK_HOME/etc/users $SPLUNK_HOME/etc/apps Your mileage may vary if your are using some special apps and maybe you need to copy splunk.sercret as well. Hope this helps ... cheers, MuS ... View more

As far as I know this is still not possible out of the box, but you could put the logic into your custom command instead. cheers, MuS ... View more

Here we go: three Fezzes make up a perfect answer 😉 ... View more

Can you please provide the dashboard XML including the base search that does not work? ... View more

Okay too slow in the morning hours 😉 here is my answer anyway: | makeresults | eval foo="\nCDIARIA2 \nCDIARIAC \nMAROV91 \nMAFTB87 \nMATBU90" | makemv foo | mvexpand foo | eval jobname=ltrim(foo,"\n") | stats count by jobname The first 4 lines are just to produce dummy data, the ltrim() is the one you can use to remove unwanted characters from the left. cheers, MuS ... View more