Hi tandem_spence, Maybe I'm too pedantic here, but to answer your question Is it possible for a universal forwarder to inject additional data into existing log stream? Yes, this is possible. There is the _meta option in inputs.conf http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf which enables you to add any additional key / value pairs to the event you want. For example: _meta = field1::foo field2::bar will add this field1 = foo and field2 = bar to all events. I know you added a lot of information in your post and most likely your verbosity level will be dynamic and therefore this approach will not solve your use case. But as I said, it's more my pedantry / OCD here answering your original question 😉 anyway, Hope this helps ... cheers, MuS ... View more

Hi ewise1, take a look at this answer https://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html to learn how it can be done. Your regex would be something like this: ^(\w+\s\w+|^\w+)[\s:\[\d\]]+'(.+)' hope this helps ... cheers, MuS ... View more

Did you follow the app instruction? It says: As the dashboards are driven mainly by eventtypes, you may need to make a copy of \default\eventtypes.conf to \local\eventtypes.conf and add 'index=<your events="">' to the begining of each eventtype search query. ... View more

Hi rangineniarunkumar, On the indexer you can set the acceptFrom = <network_acl> option in inputs.conf to a set of networks or addresses to accept connections from, see the docs for more details http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf A second option is to filter your events http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest and only keep events from your known host for example. Hope this helps ... cheers, MuS ... View more

Hi eyaluodba, Sure, read more about the topic in this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html or in the Virtual .conf March 2016 session over here http://wiki.splunk.com/Virtual_.conf For a start just combine your base searches: ( index=_internal source=*web_access.log* /app/ action=edit ) OR ( index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" ) followed by any further commands you need to get to your required result. Hope that helps ... cheers, MuS ... View more

Hi aksampat, I will not solve your problem right now, BUT a good starting point is this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html or the awesome March 2016 post on this page http://wiki.splunk.com/Virtual_.conf Keep pushing and use stats to the limits 😉 Hope this helps ... cheers, MuS ... View more

Thanks for the points, but if you click the ^ symbol it will upvote the answer or comment and will not take points away from you 😉 ... View more

Okay, I miss understood your question! A DS should never be its own DC - This will / can produce wormholes and Loki will unleash his army of doom over your Splunk 😉 No really, you should not do this. Easiest way to overcome this use case would be a cronjob which copies your apps from etc/deployment-apps to etc/apps cheers, MuS ... View more

Hi Esky73, Yes, it can be done - but it is tricky and you need to plan this carefully. Basically on the first Deployment server you change the repositoryLocation option http://docs.splunk.com/Documentation/Splunk/latest/Updating/Useserverclass.conf#Non-filtering_attributes so apps will not be placed into etc/apps (default directory) but in the etc/deployment-apps directory. On the second Deployment server you can mange the DS clients as usual. Test it before put this into production! Hope this helps and makes sense ... cheers, MuS ... View more

plus 1 for Fast Mode . If you include all fields you are interested in the base search like this field=* splunk will extracted for you even in Fast Mode ... View more

This will give you the wrong results, because it is a OR search. ... View more

Yes, as @woodcock mentioned where will use the right side of the = as field names because it is eval based. search on the other side will treat as strings/numbers. Feel free to accept this answer if it solved your problem ... cheers, MuS ... View more

Hi gauravmishra15, a bit late for the party ... In Splunk Enterprise under Settings - Source Types you can list, create and edit sourcetypes options in the according props.conf . The docs talk about the process to modify sourcetypes in Splunk Enterprise here http://docs.splunk.com/Documentation/Splunk/latest/Data/Managesourcetypes and for Splunk Cloud here http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Managesourcetypes Hope this helps ... cheers, MuS ... View more

use this command to show what is actually applied as config: splunk btool limits list thruput that is on the forwarder. But by looks of it, you have no limit active ... Did you check DMC / MC for any blocked queues? ... View more

Just to clarify, did you check there is no maxKBps = <some Number other than 0> option set in limits.conf on the UF? ... View more

Isn't the field Country only available after the iplocation command? ... View more

As I have written, it shows how it can be done. If the end result does not macho your needs, adapt the search. ... View more

Hi ahmedhassanean, try this run everywhere search as admin: | tstats count WHERE earliest=-7d@d latest=now index=_internal by host, sourcetype, _time | bucket _time span=1d | stats last(_time) AS last_time sum(count) AS per_day_count by _time, host, sourcetype | eval last_week = if(last_time > exact(relative_time(now(),"-8d@d")) AND last_time <= exact(relative_time(now(),"-7d@d")) , per_day_count ,"0") | eval today = if(last_time > exact(relative_time(now(),"-1d@d")) AND last_time <= exact(relative_time(now(),"-0d@d")) , per_day_count ,"0") | stats sum(today) AS today sum(last_week) AS last_week by host It will show you one way to do it by using stats and counting based on the time of the events. Another way can be using the timewrap command https://splunkbase.splunk.com/app/1645/ which should be available on Splunk cloud. Hope this helps ... cheers, MuS ... View more

Can you post your props.conf and transforms.conf please? Because this is the way it is done in Splunk, so there must be something wrong or the configs where not on the parsing instance, see the docs http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationparametersandthedatapipeline#How_configuration_parameters_correlate_to_phases_of_the_pipeline for more details cheers, MuS ... View more