Hi andresito123, You're not looking for map (this is a search command which should be only used as some sort of last resort). You're looking for a field alias http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Abouttagsandaliases By using an alias of IP for fur you will able to use it in Enterprise Security. Hope this helps ... cheers, MuS ... View more

Hi zindain24, How about this: index="_internal" (sourcetype=splunkd_access "POST /servicesNS/" "/search/saved/searches") file!="notify" | table _time clientip user file | rename file AS saved_search This will create a table containing time, clientip, user and the saved_search name. Hope this helps ... cheers, MuS ... View more

Hi dhavamanis, according to the docs http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTcluster#cluster.2Fmaster.2Findexes a POST is not supported, therefore you will not be able to create an index in the cluster directly. But, you can create it on the Cluster Master itself using POST on this REST endpoint http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTconf#configs.2Fconf-.7Bfile.7D using indexes.conf . This will create your indexes.conf on the Cluster Master in $SPLUNK_HOME/etc/system/local/ which can be copied over to $SPLUNK_HOME/etc/master-apps/_cluster/local on the Cluster Master using a cron job. After the copy the cluster bundle can be applied using this undocumented REST end point: curl -k -u admin:changme https://localhost:8089/services/cluster/master/control/default/apply This is a work around but it will get you there in the end. Hope this helps ... cheers, MuS ... View more

Hi bkumarm, Since you're not using any license specific information here, you can run the following query (which is totally un-tuned and uses three sub searches (Bad bad bad and not really performing well!) but this is one way to get this combination of information to get what you need) from your search head: index=_internal group=per_sourcetype_thruput source="/opt/splunk/var/log/splunk/metrics.log" group=per_sourcetype_thruput | eval sizeMB = round(kb/1024,2) | stats sum(sizeMB) by series, host, index | rename sum(sizeMB) AS UsedInMB series AS sourcetype | join sourcetype [ | eventcount summarize=false index=* index=_* | dedup index | fields index | map maxsearches=100 search="|metadata type=sourcetypes index=\"$index$\" | eval index=\"$index$\"" | fields index sourcetype ] | join index [ | REST /services/data/indexes | table title maxTotalDataSizeMB | rename title as index ] | stats values(sourcetype) AS sourcetypes sum(UsedInMB) AS UsedInMB values(maxTotalDataSizeMB) AS IDXmaxTotalSizeMB by index, host | eval PCtDiskUsage= UsedInMB*100/IDXmaxTotalSizeMB Everything before the first join get you the information about the disk space usage per sourcetype. The first join gets all sourcetypes from all indexes and the second join will get the max size per index. The final stats is used to group everything and the eval will get the percentage of disk space used for this sourcetype in this index. The result will look like this: And if you want to know why I wrote bad bad bad because of my three subsearches; you can read some details over here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html and get some general guidance on this topic. Hope this helps ... cheers, MuS ... View more

Hi imrago, if you use a customised path for your iplocation DB using limits.conf [iplocation] db_path = <path> * Absolute path to GeoIP database in MMDB format * If not set, defaults to database included with splunk it will not get updated by any Splunk version update. Hope this helps ... cheers, MuS ... View more

Hi ibekacyril, Well, the straight approach is to get only digits matching in the regex (?<my_number>\d+) This will create a field called my_number and you can run a stats count(my_number) on it 😉 Next example is this one: \w+\s(?<my_number>[^\s]+)\s That's faster but will match This and you want the numbers ... so on to the next one (?:\w\s)+(?<my_number>\d+)\s a non-captureing group of one and unlimited times, as many times as possible, giving back as needed [greedy] \w match any word character [a-zA-Z0-9_] \s match any white space character [\r\n\t\f ] but this will be slower because it will need more steps to match the result you want - Hint: www.regex101.com c\.i\.m\sThis\sis\sjust\sa\ssample\s(?<my_number>\d+)\s almost as fast as the first one, but it take a bit more steps to match There almost endless possibilities for regex to match, but you want the most efficient one - use regex101.com and learn how to use regex 😉 Hope this helps ... cheers, MuS ... View more

Hi vrmandadi, This was a tricky one, but I got there finally 😉 Your problem is that your needed values are within one event and therefore the SPL command to get the result is a bit tricky, because it contains zipping those multivalued fields and splitting them again base on the field ENDPOINT_LOG{}.EML_LAST_UPDATE_TS because this is unique for the information. So, here is the command which will work on the provided event example indexed as _json sourcetype: source="foo.json" host="indexer" sourcetype="_json" | eval my_id = 'ENDPOINT_LOG{}.EML_ID' | eval request= 'ENDPOINT_LOG{}.EML_REQUEST_TIME' | eval response = 'ENDPOINT_LOG{}.EML_RESPONSE_TIME' | eval update_time = 'ENDPOINT_LOG{}.EML_LAST_UPDATE_TS' | table update_time my_id request response | sort - update_time | eval zipped = mvzip(update_time, my_id, "###") | eval zipped = mvzip(zipped, request, "###") | eval zipped = mvzip(zipped, response, "###") | mvexpand zipped | makemv delim="###" zipped | eval update_time = mvindex(zipped, 0) | eval my_id = mvindex(zipped, 1) | eval request = mvindex(zipped, 2) | eval response = mvindex(zipped, 3) | fields - zipped | eval average_response_time = strptime(response, "%Y-%m-%d %H:%M:%S.%3N") - strptime(request, "%Y-%m-%d%H:%M:%S.%3N") What happens here is the following: source="foo.json" host="indexer" sourcetype="_json" The base search to get the event | eval my_id = 'ENDPOINT_LOG{}.EML_ID' | eval request= 'ENDPOINT_LOG{}.EML_REQUEST_TIME' | eval response = 'ENDPOINT_LOG{}.EML_RESPONSE_TIME' | eval update_time = 'ENDPOINT_LOG{}.EML_LAST_UPDATE_TS' Just some eval 's to make the field names more usable | table update_time my_id request response | sort - update_time A little table added, not need at all but helps to show the information | eval zipped = mvzip(update_time, my_id, "###") | eval zipped = mvzip(zipped, request, "###") | eval zipped = mvzip(zipped, response, "###") zip all the multivalued fields together into one new filed called zipped | mvexpand zipped | makemv delim="###" zipped expand it and set the delimiter to be ### | eval update_time = mvindex(zipped, 0) | eval my_id = mvindex(zipped, 1) | eval request = mvindex(zipped, 2) | eval response = mvindex(zipped, 3) get the values based on position in the zipped field into new single value fields | fields - zipped remove the zipped field and | eval average_response_time = strptime(response, "%Y-%m-%d %H:%M:%S.%3N") - strptime(request, "%Y-%m-%d%H:%M:%S.%3N") do some maths to get the response time for each transaction - tata 🙂 the result looks like this Hope this make sense and is useful ... cheers, MuS ... View more