Also check this post https://answers.splunk.com/answers/490134/how-to-resolve-issues-with-mongod-startup-such-as.html even this was a linux instance, but it hints to permission problem. Or this one https://answers.splunk.com/answers/490134/how-to-resolve-issues-with-mongod-startup-such-as.html mentions a manual mongoDB restart which removed a stale lock file. ... View more

This is hard to answer without any detailed knowledge of your setup. But I would start by checking for global permission of Apps and change it back to be App , next would be to check any rouge * entries in props.conf , last but not least run your searches in Fast Mode and add any needed field in the base search. Hope this helps, even it might not be the solution cheers, MuS ... View more

Maybe you need to change your source for this, have look at this free file https://www.maxmind.com/en/free-world-cities-database this can be used as csv lookup and provides Country, City, AccentCity, Region, Population, Latitude, Longitude ... View more

So the question is: where is the city name coming from? ... View more

Hi sravani27, you can use the csv as a lookup http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usefieldlookupstoaddinformationtoyourevents to get the latitude and longitude from this file. Once this is working set it up to be an automatic lookup, so Splunk will do it for you. Next step is to use the geostats command http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Geostats by using this you can show the results on the map of your choice in Splunk. Hope this helps ... cheers, MuS ... View more

Hi Vicky84, you can use this regex to get it: your base search here | rex "(?:[^\s]+\s){3}(?<perc>\d+)%" | ... or this one: your base search here | rex "\S+\s\S+\s\S+\s(?<perc>\d+)%" | ... The first regex matches three times everything that is not a whitespace followed by a whitespace and take all digits in to the field called perc . the second regex matches any non-whitespace character followed by one space followed by any non-whitespace character followed by one space any non-whitespace character followed by one space and take all digits in to the field called perc . Hope this helps and checkout the web page regex101.com which provides good examples and helps to learn regex 😉 cheers, MuS ... View more

Hi raghu0363, start here http://dev.splunk.com/page/developer_license_sign_up cheers, MuS ... View more

Hi jadengoho, Can you please accept your answer, thanks. cheers, MuS ... View more

How about the docs page http://docs.splunk.com/Documentation/Splunk/latest/Admin/HowSplunklicensingworks on licensing cheers, MuS ... View more

You can read a more detailed option here https://answers.splunk.com/answers/129914/how-does-one-remove-the-enterprise-security-suite.html cheers, MuS ... View more

Hi damode, there is actually a windows version of curl available here https://curl.haxx.se/download.html or try this one https://superuser.com/questions/344927/powershell-equivalent-of-curl Not a windows user so cannot be of much help here ¯\_(ツ)_/¯ cheers, MuS ... View more

Hi wuming79, those are called stanzas and represent the start of configuration sections, everything after a stanza until the next stanza applies to it. Find a detailed explanation here http://docs.splunk.com/Splexicon:Stanza Hope this helps ... cheers, MuS ... View more

Little update here: This is under investigation now ... View more

and should this not work, just read this answer https://answers.splunk.com/answers/73268/search-for-hosts-in-a-lookup-but-not-in-splunk.html to get a different approach to make it work 😉 cheers, MuS ... View more

Is this forwarders as in parsing heavy weight forwarders ? ... View more

Good point, I changed the search - thanks 😉 ... View more

Quick and dirty solution is to run this: | rest /services/data/indexes | where totalEventCount!=0 | stats values(currentDBSizeMB) AS size by title | streamstats sum(size) AS total ... View more

Because currentDBSizeMB is the size of each index and there is no need to sum() them. ... View more

I haven't done it on host yet. Usually I use sourcetype to do such things - so I cannot not really tell if this will work or not sorry .... ... View more

sure easy as this: index=_audit ( earliest=-0d@d latest=+d@d ) OR ( earliest=-1w@-0d@d latest=-1w@+d@d ) OR ( earliest=-2w@-0d@d latest=-2w@+d@d ) OR ( earliest=-3w@-0d@d latest=-3w@+d@d ) OR ( earliest=-4w@-0d@d latest=-4w@+d@d ) OR ( earliest=-5w@-0d@d latest=-5w@+d@d ) OR ( earliest=-6w@-0d@d latest=-6w@+d@d ) | timechart span=1h count | eval 6weeks_ago = if(_time > exact(relative_time(now(),"-6w@-0d@d")) AND _time <= exact(relative_time(now(),"-6w@+d@d")) , count, "0"), 5weeks_ago = if(_time > exact(relative_time(now(),"-5w@-0d@d")) AND _time <= exact(relative_time(now(),"-5w@+d@d")) , count, "0"), 4weeks_ago = if(_time > exact(relative_time(now(),"-4w@-0d@d")) AND _time <= exact(relative_time(now(),"-4w@+d@d")) , count, "0"), 3weeks_ago = if(_time > exact(relative_time(now(),"-3w@-0d@d")) AND _time <= exact(relative_time(now(),"-3w@+d@d")) , count, "0"), 2weeks_ago = if(_time > exact(relative_time(now(),"-2w@-0d@d")) AND _time <= exact(relative_time(now(),"-2w@+d@d")) , count, "0"), 1week_ago = if(_time > exact(relative_time(now(),"-1w@-0d@d")) AND _time <= exact(relative_time(now(),"-1w@+d@d")) , count, "0"), today = if(_time > exact(relative_time(now(),"-0d@d")) AND _time <= exact(relative_time(now(),"+d@d")) , count, "0") | where count!="0" | eval hour=strftime(_time, "%H") | stats max(today) AS today avg(1week_ago) AS 1week_ago avg(2weeks_ago) AS 2weeks_ago avg(3weeks_ago) AS 3weeks_ago avg(4weeks_ago) AS 4weeks_ago avg(5weeks_ago) AS 5weeks_ago avg(6weeks_ago) AS 6weeks_ago by hour After the final stats you can process the results further and compare them. cheers, MuS ... View more

Link updated 😉 ... View more

To be honest, I don't know ¯\_(ツ)_/¯ My guess here is that it uses UDP on port 514 since this is the default for syslog. cheers, MuS ... View more

Hi exmuzzy, you can try something like this: index=_internal | bin _time span=1h | stats count by host _time | stats max(*) AS *."max", min(*) as *."min" by host cheers, MuS ... View more

Hi exmuzzy, if Timewrap is not an option for you (maybe it will, after you read this answer 😉 ) try this run everywhere search (if you have the admin role assigned) : index=_audit earliest=-6w-1d@d latest=-6w-0d@d OR earliest=-1d@d latest=-0d@d | timechart span=1h count | eval weeks_ago = if(_time > exact(relative_time(now(),"-6w-1d@d")) AND _time <= exact(relative_time(now(),"-6w-0d@d")) , count, "0"), today = if(_time > exact(relative_time(now(),"-1d@d")) AND _time <= exact(relative_time(now(),"-0d@d")) , count, "0") | where count!="0" | eval hour=strftime(_time, "%H") | stats max(today) AS today avg(weeks_ago) AS weeks_ago by hour What this search does if the following: index=_audit earliest=-6w-1d@d latest=-6w-0d@d OR earliest=-1d@d latest=-0d@d Only gets events for yesterday and the same day 6 weeks before | timechart span=1h count run a timechart on a hourly span to count the events | eval weeks_ago = if(_time > exact(relative_time(now(),"-6w-1d@d")) AND _time <= exact(relative_time(now(),"-6w-0d@d")) , count, "0"), today = if(_time > exact(relative_time(now(),"-1d@d")) AND _time <= exact(relative_time(now(),"-0d@d")) , count, "0") set values based on the time of the events | where count!="0" discard empty events so we can compare them | eval hour=strftime(_time, "%H") create a hour field which finally will be used in | stats max(today) AS today avg(weeks_ago) AS weeks_ago by hour a stats to get the two values per hour and as next step you can do the comparison of the values. Hope this helps ... cheers, MuS PS: you could also just use the base search with the two time ranges and use timewrap ... View more