Hi Graham_Hannington, have you tried something like this: index=_internal earliest=-10sec@sec latest=-1sec@sec | bin _time span=1ms | chart count over _time by sourcetype This produces the same output as timechart is doing, but you have more control on the time span. cheers, MuS ... View more

Hi rakeshksingh, Have a look at the docs here http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/AboutSplunkregularexpressions and try the online regex tool called www.regex101.com which works perfect for Splunk regex. Another benefit of regex101.com is that it provides detailed explanation who and why it does match or does not match 😉 Hope this helps ... cheers, MuS ... View more

Apps are available in many different versions and normally they don't match the Splunk version. On Splunkbase apps.splunk.com you can find the version of Splunk that are support by the app. Hope this helps ... cheers, MuS ... View more

Is it approved_date or Approved_Date ? Also check if the value of the filed is numeric and not a string, other wise use strptime() http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/DateandTimeFunctions#strptime.28X.2CY.29 to read the string into a number. Hope this helps ... cheers, MuS ... View more

Oh there are so many limits and problems you will hit with this. Check out the awesome Let's stats handle this for you by Sideview March 2016 http://wiki.splunk.com/Virtual_.conf or find some hints in the answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html But basically you could do this untested search: base search goes here | stats values(*) as * by d_id m_pid because all your events will either have d_id or m_pid . Without real world events we cannot help more ... cheers, MuS ... View more

Pro Tip: never add a specific version into URL links of docs 😉 ... View more

Hi simpkins1958, usually this indicates some wrong / weird files or wrong directory levels in the package. For example on Mac OSX you can find all these ._* or .DS_STORE files. To work around this problem just unpack the downloaded app package on your PC and check that you have a directory called app name and in there you can find bin , default and all the other required folders. If you find a folder called app name/app name and then all the other folders, the app has been packed wrong. If the folders look good, search for theses ._* files and delete them, afterwards zip the cleaned directory using the following zip options zip -r app.zip app -x *.DS_Store* -x *__MACOSX* (on OSX at least) this will exclude those invisible Mac resource files such as _MACOSX or ._Filename and .DS_STORE files. Now you should be able to install the app without any problem. Hope this helps ... cheers, MuS ... View more

Hi there, fast forward into the future, we can do the great circle formula in Splunk now. This example will provide the expected result: | makeresults | eval lat1=1, lon1=1, lat2=2, lon2=2 | eval rlat1 = pi()*lat1/180, rlat2=pi()*lat2/180, rlat = pi()*(lat2-lat1)/180, rlon= pi()*(lon2-lon1)/180 | eval a = sin(rlat/2) * sin(rlat/2) + cos(rlat1) * cos(rlat2) * sin(rlon/2) * sin(rlon/2) | eval c = 2 * atan2(sqrt(a), sqrt(1-a)) | eval distance = 6371 * c | table lat1 lon1 lat2 lon2 distance distance will be the distance in km . Hope this helps ... cheers, MuS ... View more

Hi there, fast forward into the future, we can do the great circle formula in Splunk now. This example will provide the expected result: | makeresults | eval lat1=1, lon1=1, lat2=2, lon2=2 | eval rlat1 = pi()*lat1/180, rlat2=pi()*lat2/180, rlat = pi()*(lat2-lat1)/180, rlon= pi()*(lon2-lon1)/180 | eval a = sin(rlat/2) * sin(rlat/2) + cos(rlat1) * cos(rlat2) * sin(rlon/2) * sin(rlon/2) | eval c = 2 * atan2(sqrt(a), sqrt(1-a)) | eval distance = 6371 * c | table lat1 lon1 lat2 lon2 distance distance will be the distance in km . Hope this helps ... cheers, MuS ... View more

typing too slow...again Just a little tip: there is actually no need to escape the > inside of the [...] it will also work without the escaping ... View more

Hi honobe, based on the provided information this regex: '<(?<Message_ID>[^>]+)>' will match everything between '< and >' and use the match in the new field called Message_ID . This is a really basic example and can be optimised but I hope it helps to get you started ... btw don't use field names with spaces 😉 cheers, MuS ... View more

Is this an actual sample event you pasted here? ... View more

You should edit your post and use for config file content the little Code 101010 button or select the text and press CTRL-K this will keep everything as code. Like your [setnull] stanza is empty, is that lost because of the formatting or is there actually nothing? cheers, MuS ... View more

Hi Sanjai676, check your events that they contains all needed tags and CIM fields otherwise the Thread Gen saved searches will not match. Hope this helps ... cheers, MuS ... View more

Hi Svill321, here is a quick check list: What are you applying this on? source, sourcetype or host? Check for typos Where is this props.conf applied? Must be on the parsing layer, either heavyweight forwarder or indexer Check with $SPLUNK_HOME/bin/splunk btool props list if your config on the parsing instance is applied correctly your first regex does not match, try this \d{2}\:\d{2}\:\d{2}\||\d\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}:|\d\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}\.\d{3}, BREAK_ONLY_BEFORE only works if Splunk encounters a new line that matches the regular expression. same with the second regex, try this instead `([\r\n]+)\d{2}:\d{2}:\d{2}||\d\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}:|\d\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}.\d{3}, did you restart the parsing Splunk instance after the changes? This will only be applied to new arriving events, it is not applied to any existing already indexed events Hope this helps to trace down the error ... cheers, MuS ... View more

Hi xsstest, I reckon this is still the best place to read about Where do I configure my Splunk settings? http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings but if you prefer the docs page here it is http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationparametersandthedatapipeline cheers, MuS ... View more

the stats search created by @somesoni2 is your efficient way to do it 😉 cheers, MuS ... View more

I just had a poke in some perfmon events and was not able to find the field process_cpu_used_percent , where do you get this one from? ... View more

Hi mightaswelby, Just three quick things to check: Not all fields are listed by default, only fields with a coverage of more then 1% are shown - you need to change to all fields in the select fields view is NumberOfLogicalProcessors a string or a numeric value? the eval only works if the events have both fields NumberOfLogicalProcessors AND process_cpu_used_percent available cheers, MuS ... View more

ah I see .... let me have a look .... ... View more