Just a little improvement on the search: ex. sourcetype="A" OR sourcetype="B" (method="GET" AND method="HEAD" AND method="OPTIONS" AND method="POST" AND method="PUT" AND method="TRACE" AND method="TRACK") | eval HOST=case(sourcetype="A",host,sourcetype="B",hst2) | stats count(path) as PATH by HOST | where PATH>=10 Since you're not using the HOST in any of the if and or's, move it to the base search and use the eval on the reduced set of results. hope this makes sense ... cheers, MuS ... View more

Hi asarran, take a look at the docs about the convert command http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert and its option memk() . But to answer your question, math calculation can be made with the eval command http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval using the Arithmetic operators. Hope this helps ... cheers, MuS ... View more

Hi skoelpin, I co-organise the Auckland and Wellington groups and we ask Splunk users around the cities if they want to host it and also we ask them if they are keen to do a talk. We also provide some Pizzas and Beers - but I think this is somehow financed / sponsored by Splunk in the end. Just kick your group off and plan the first loose meeting in a fancy place or office and let the fun start 🙂 Hope this helps ... cheers, MuS ... View more

What version of Splunk are you running on what OS and please add the search you are using - thanks. ... View more

You're welcome 🙂 ... View more

Yeah, I thought about that as well but here is another solution: The epoch time after strptime will be starting at the current day midnight, so just subtract this from the value and you will get your seconds 😉 Try this run everywhere command: | gentimes start=-1 | eval foo="00 00:01:00.209" | eval myFoo=strptime(foo, "00 %H:%M:%S.%3N") - relative_time(now(), "-0d@d") | stats count avg(myFoo) AS avg_foo by foo, myFoo cheers, MuS ... View more

And to add another comment: in some cases it can be used on the universal forwarder as well 😉 See @amrit 's answer here: https://answers.splunk.com/answers/118668/filter-iis-logs-before-indexing.html cheers, MuS ... View more

Hi timrcase, some SplunkTrustee posted this blog http://blogs.splunk.com/2016/02/04/sso-without-an-active-directory-or-ldap-provider/ which explains how it can be done 😉 Hope this helps ... cheers, MuS ... View more

nice - the docs say clientName = deploymentClient * Takes precedence over DNS names. so this should work, but you should use deploymentclient.conf . cheers, MuS ... View more

Ah now I understand your request.... I have no DNS available to modify host entries and test it, but my assumption is that Splunk uses A records or NAME records. If I recall it correct you could only overcome such a situation by using the messy solution on the deployment server........ ... View more

Hi a212830, messy solution: add the aliases to /etc/hosts or the corresponding windows file. clean solution: ask your network / DNS team to create CNAME's for the private cloud hosts and use them. Hope this helps ... cheers, MuS ... View more

Nice - just be aware off the sub search limits http://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Aboutsubsearches#Subsearch_performance But as long as you don't come close those limits and are happy with the performance, use it 😉 ... View more

Hi Cuyose, Yes, you can do such a thing in Splunk. Here is an example that will add all hosts found within the last last hour into a lookup file: index=_internal earliest=-1h | eval server_name=host | table server_name | append [ inputcsv server_down ] | dedup server_name | outputcsv server_down The second example uses the same lookup file and removes all hosts found in the events within the last and the lookup file: index=_internal earliest=-1h | eval server_name=host | table server_name | append [ inputcsv server_down ] | stats count by server_name | eval server_name=case(count = 2,null() , count=1,server_name) | table server_name | outputcsv server_down To test it and to verify use the first search and use the 2nd line as | eval server_name="foo" to add some dummy hosts. Hope this helps ... cheers, MuS ... View more

Hi moon92, those are the hot buckets of your Splunk instance, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.4.2/Indexer/HowSplunkstoresindexes#Bucket_names Check for other errors before this message and check maybe your disk space usage. The is a default limit in server.conf of 5000mb, see docs for more details http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Serverconf#Disk_usage_settings_.28for_the_indexer.2C_not_for_Splunk_log_files.29 Beside this, it's hard to provide additional help based on the provided information. Hope this helps ... cheers, MuS ... View more

Well, as mentioned in the provided link's answer the reasons can vary. It can be your local Windows box, it can be your SSD - because having a SSD does not automatically mean you will benefit from it's theoretical I/O speed. I would suggest to have a closer look at the machine specs and if the minimum specs are met http://docs.splunk.com/Documentation/Splunk/6.4.2/Installation/Systemrequirements#Recommended_hardware and use Perfmon data to monitor what happens if you start a search on your box. ... View more

Hi pradjswl, Regarding 3rd search; there is and error in (index=teb sourcetype=tealeaf_eventbus x_EventID=10577 DISPLAYCODE=SVCMS03 | rename x_BESTSessionID AS a_xf_BestSessionID) OR (index=sl_logs sourcetype=sl_myworld) could this be more like (index=teb sourcetype=tealeaf_eventbus x_EventID=10577 DISPLAYCODE=SVCMS03) OR (index=sl_logs sourcetype=sl_myworld) | rename x_BESTSessionID AS a_xf_BestSessionID ? Regarding 1st and 2nd searches; try to remove everything after the first stats - if the events do make sense add ONE additional step in the search pipe and re-check the events... continue until it breaks and you have the step in the search pipe which needs to be fixed. cheers, MuS ... View more

Have you tried something like this: blocked OR deny AND sourcetype=pan:traffic AND user="mydom\\$userName$" | rename src_ip AS src | eval BadGuy=if(sourcetype=pan:traffic, 1, null()) | streamstats anything you need further down the search pipe you can use a where BadGuy=1 and do more Splunk-Fu afterwards. Again check out the provided links which provide multiple excellent examples to do it. cheers, MuS ... View more

Hmmm, still the rest command uses the REST API to show the information and I never heard / saw a REST API call being made in real-time.....maybe you want to elaborate your use cases a bit more? ... View more

Hi kent_farries, modular inputs create or use a checkpoint to make sure they don't indexer events twice, therefore you have to use splunk clean inputdata YourModularInputNameHere to remove those checkpoints as well. See the docs for more details on clean inputdata http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/CLIadmincommands and see the docs here http://docs.splunk.com/Documentation/Splunk/6.4.2/AdvancedDev/ModInputsCheckpoint about the modular input checkpoints. Hope this helps ... cheers, MuS ... View more

Hi sk4l, First thing that should not work the way you think is the rest command; rest cannot be used in real-time searches and give this error: Error in 'rest' command: This command is not supported in a real-time search and the other thing is your used rest end point /search/jobs/export . I'm not sure if this is correct because the docs http://docs.splunk.com/Documentation/Splunk/6.4.2/RESTREF/RESTsearch#search.2Fjobs.2Fexport mention /services/search/jobs/export Hope this helps ... cheers, MuS ... View more

Hi thakarpratik, this can only be answered by yourself, because it is all related to your use case and your used data. Here is a good starting point http://docs.splunk.com/Documentation/Splunk/6.4.2/Capacity/ComponentsofaSplunkEnterprisedeployment and to answer one question at least: run it on Linux if you can choose your OS 😉 If you still struggle, there are plenty of Splunk partners and also Splunk PS available to support you with your first Splunk built. Hope this helps ... cheers, MuS ... View more

blush thanks 🙂 ... View more

No UI access to any transforms.conf in cloud 😞 So, you need to pass it to the cloud ops ... ... View more

Hi proylea, your using *RememberMe* and another wild card field in the lookup; did you configure the lookup to use match_type = WILDCARD(fieldname) in transforms.conf ? The default for lookups is match_type = EXACT - see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Transformsconf Hope this helps ... cheers, MuS ... View more