You asked why it shows a different set of results. If both searches are the same, check the time range used for the search or the dashboard. Not to forget the zoom level will also effect the number of shown results. ... View more

look at the base search (everything before the first | ) used in the dashboard and try to re-use it. ... View more

"all these worlds are yours, except /default - attempt no editing there" -- @duckfez, 2010 http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Configurationfiledirectories ... View more

Hi jonncallahan, This is not really a Splunk problem, since Splunk is just another process running on your OSX. I suggest starting to read here http://www.techrepublic.com/blog/apple-in-the-enterprise/introduction-to-os-x-access-control-lists-acls/ followed by https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/ and maybe this one https://www.scip.ch/en/?labs.20150108 If this still does not do the job, create a root cronjob that copies the needed file into a Splunk readable location and index the files from there. Hope this helps ... cheers, MuS ... View more

Hi goodsellt, Splunk by default shows the earliest events at top like in this run everywhere command. If you want to reverse the order simply add a |reverse or | sort - _time at the end of your search: Hope this helps ... cheers, MuS Update: Finally I understand what your question is all about 😉 So, if you want to such kind of time spanning, you must do some double bucketing of _time . First you will need to get your event by day (For this run everywhere example I used hours but this can be easily changed to days) index=_internal kb=* kbps=* earliest=-28h@h latest=-1h@h | bin _time span=1h | stats sum(kb) AS perHour by _time This will give you results per hour, note the latest in the base search - this is how to tell Splunk where to start the second _time bucketing. To get the second bucketing starting with the oldest event, we have to use reverse (not very efficient I know) and use the time chart against this event set | reverse | timechart span=7h values(perHour) AS val_perHour sum(perHour) AS Total This time we will use the span=7h to group events over 7 hours. The final search looks like this: index=_internal kb=* kbps=* earliest=-28h@h latest=-1h@h | bin _time span=1h | stats sum(kb) AS perHour by _time | reverse | timechart span=7h values(perHour) AS val_perHour sum(perHour) AS Total And the result is this: If you want to take this to the next level and have some kind of dynamic span based on the time range picker, check out this answer https://answers.splunk.com/answers/390574/how-to-create-a-search-that-shows-a-trending-value.html cheers, MuS ... View more

Hi melonman, Did you check out the Distributed Management Console http://docs.splunk.com/Documentation/Splunk/6.3.2/DMC/DMCoverview this should provide data for the search head. Regarding the indexer try this search host=YourHostNameHere sourcetype=splunk_resource_usage index=_introspection component=PerProcess "data.process_type"=search Hope this helps ... cheers, MuS ... View more

Hi @andrewtobin, this is indeed annoying. Some time ago I found a little Chrome plug-in ( Link in here https://answers.splunk.com/answers/206129/is-it-possible-to-change-the-date-format-when-runn.html ) which makes that with for you from en-US to en-GB for example. Another approach is to run an Apache Web server as reverse proxy in front of Splunk and rewrite the URL - example can be found here: http://blogs.splunk.com/2016/02/04/sso-without-an-active-directory-or-ldap-provider/ cheers, MuS ... View more

Just in case the next question will be How can I clear the fishbucket? Please find the docs on how to remove a file from the fishbucket using btprobe here http://docs.splunk.com/Documentation/Splunk/6.4.0/Troubleshooting/CommandlinetoolsforusewithSupport#btprobe or How to clean the fishbucket here http://docs.splunk.com/Documentation/Splunk/6.4.0/Indexer/RemovedatafromSplunk#Remove_data_from_one_or_all_indexes cheers, MuS ... View more

Hi rmsit, this list looks good to me and it should really be as simple as this. Make sure to check server.conf if you copy it to the new server, so it will not have the same host/server name as the existing indexer. And for step 4: it's outputs.conf you should modify 😉 Hope this helps ... cheers, MuS ... View more

Have you tried if(isnull(src) OR src=='?',"unknown",src) ... View more

Hi chawagon03, I just fixed the same error by using the stateOnClient = noop in serverclass.conf . I had to add it because I was daisy chaining deployment servers. cheers, MuS ... View more

Hi alexislh, running Splunk 6.4.0 and I have a bunch of System Activity views available in DMC in the Search navigation dropdown: Hope this helps ... cheers, MuS ... View more

Just fixed the exact same issue, but for me it was a fat-fingers-typo in the -secret of the bootstrap command ... took my some time to find it. cheers, MuS ... View more

Great, please accept the answer in this case 😉 cheers, MuS ... View more

Just add the specific user name into the base search : source="WinEventLog:security" (EventCode=528 OR EventCode=540 OR EventCode=4624 ) host=* Account_Name=foo (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) cheers, MuS ... View more

Maybe it's worth to check other sources like http://serverfault.com/questions/517051/can-i-determine-iops-on-a-disk-array-using-bonnie or http://recoverymonkey.org/2013/02/25/beware-of-benchmarking-storage-that-does-inline-compression/ This is most likely related to the disk array, so also not forget to check the vendor for input on the topic 😉 cheers, MuS ... View more

Hi rehak_michal, Take a look at this App https://splunkbase.splunk.com/app/1493/ which will provide a testing script and some dashboards. Beside that and as mentioned by @sundareshr look at the Splunk dashboard examples https://splunkbase.splunk.com/app/1603/ Hope that helps ... cheers, MuS ... View more

awesome !! ... View more

Hi @Runals, if you want to get all saved searches, use this REST search: | rest /servicesNS/-/-/saved/searches/ Still not sure about the recipient part thought 😉 cheers, MuS ... View more

Hi Cuyose, if you have a field called Action you can do it like this: your base search goes here | streamstats max(duration) AS max_Action by Action, _time | stats max(duration) AS max max(max_Action) AS max_Action by Action, _time | ... This is un-tested, but should point you in the right direction. Hope this helps ... cheers, MuS UPDATE: since you modified the question 😉 ... View more

Hmmm , 2TB of ingested data and a subsearch ..... you're going to hit the hard limit for sure. I have no time to play around this use case right now; but most likely you can do a stats and/or streamstats with some if() eval's .... See the March virtual .conf session of @sideview to learn more on this topic http://wiki.splunk.com/Virtual_.conf cheers, MuS ... View more

You should provide more details on this, like do you want to query the details of the saved search and filter the details or do you want to get back the search results of a saved search and filter on the search results? cheers, MuS ... View more