If this was useful and answered your question, please accept the answer - thx. ... View more

For my above example it would be like this: your base search here | eval user_time=tonumber(trim(like(source, "%user-info%"), "t")) | eval some_time=tonumber(trim(like(source, "%some-info%"), "t")) | stats sum(hits) AS total_hits by ipaddress, name, hits, user_time, some_time | where some_time < user_time ... View more

It looks like you hint a low disk space limit here: 11-03-2015 04:40:36.779 -0500 ERROR DiskMon - Cannot write data to index path "/opt/splunk/var/lib/splunk/audit/db" because you are low on disk space on partition "/". Indexing has been paused. Will resume when free disk space rises above 5000MB. either free up disk space or decrease the limit in server.conf : [diskUsage] minFreeSpace = <num> * Specified in megabytes. * The default setting is 5000 (approx 5GB) ... View more

This is way I told this before 😉 -> Place this on the Splunk instance where the parsing happens http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings ... View more

Better late, than never 😉 There is an option in outputs.conf but the docs are a bit confusing: sslCipher = <string> * If set, uses the specified cipher string for the input processors. ... View more

Hi panzerkw, you're asking actually two different things here. The initial question was how can I verify which version of SSL it's using? Answer: check out this answer https://answers.splunk.com/answers/134053/ciphersuite-in-various-conf-files.html or run this command $SPLUNK_HOME/bin/splunk cmd openssl version The second question was Does the new install package remove the old ssl version or do I have to remove it manually? Answer: Splunk's install package include all software components that Splunk require, so it will update the SSL version in $SPLUNK_HOME not the one for the OS! Hope this helps ... cheers, MuS ... View more

Hi Gauri, it does not matter if your events are in different index , source or sourcetypes you can most likely use stats instead of join 😉 Just use as base search something like this: index=a Or index=b sourcetype=c OR sourcetype=d | more Splunk Fu ... cheers, MuS ... View more

take this run everywhere search which works: | gentimes start=-1 | eval foo="'Call_SSN' '123456789' 'Ssn_bla' '987654321' 'bla_SSN' '123456789'" | rex mode=sed max_match=0 field=foo "s/[SsNn_]+.+?['\s]+\d+'/*SSN xxxxx/g" my provided SEDCMD will only replace the values NOT the fields. ... View more

Can you tell what you did? ... View more

Hi GauriSplunk, join is the last resort to solve search problems, not the first choice - see docs http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Join or this https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html Your problem here is the value of time is not a number, its a string and therefore Splunk will not do what you expect because it will compare it differently. First you need to remove the t from the time values and convert it to a numeric value: eval time=tonumber(trim(time, "t")) Next you can get the two time values into new field depending on the source : eval user_time=tonumber(trim(like(source, "%user-info%"), "t")) | eval some_time=tonumber(trim(like(source, "%some-info%"), "t")) And finally use the new time fields to compare them: your base search here | eval user_time=tonumber(trim(like(source, "%user-info%"), "t")) | eval some_time=tonumber(trim(like(source, "%some-info%"), "t")) | stats count by ipaddress, name, hits, user_time, some_time | where some_time < user_time This is un-tested so you probably need to tweak it, but it should give you some hints how it can be done. cheers, MuS ... View more

Hi kimche, does the user running Splunk have the permission to read those files? What does splunkd.log report about those files? Have to searched index=main earliest=0 ? Is this a typo or is the closing ] missing in the secure stanza of your inputs.conf ? cheers, MuS ... View more

Can you provide some samples and your configs? Otherwise it's like asking the magic glass ball :)))) Btw, looking at this line it seems this Example1 is actually Example1=Nov 2 2015 11:06:00:260AM and represents the or a time stamp for the event...... ... View more

Hi japan, go through all the objects (views, searches, field extraction and so on) in your app and make sure they are not private (see http://docs.splunk.com/Documentation/Splunk/6.3.0/Knowledge/Manageknowledgeobjectpermissions ). Next install this app https://splunkbase.splunk.com/app/2613/ which will export any App and its content, as long as it is NOT private. You will get a spl file which can be installed on other Splunk instances without problem. Hope this helps ... cheers, MuS ... View more

Hi locose, looks like the regex does not match your example events; this regex will match: [SsNn_]+.+?['\s]+\d+' tested and working on https://regex101.com . So your props.conf should look like this: [my_source_type] SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN xxxxx/g Place this on the Splunk instance where the parsing happens http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings and restart Splunk; it will also only be applied to new events. Hope this helps ... cheers, MuS ... View more

Just a side note on using subsearches , they have a hard limit - see docs for more details http://docs.splunk.com/Documentation/Splunk/6.3.0/Search/Aboutsubsearches ... View more

You get Error occurred attempting to enable our service public......de/....-Light: . .... Are you on Splunk Light? ... View more

Sure, running this | tstats values from datamodel=internal_server where earliest=-1d@d latest=-0d@d returns this for me (Sorry for the ugly paste): values(bytes) values(count) values(date_hour) values(date_mday) values(date_minute) values(date_month) values(date_second) values(date_wday) values(date_year) values(date_zone) values(digest) values(eventtype) values(file) values(host) values(ident) values(index) values(linecount) values(nodename) values(other) values(punct) values(req_time) values(root) values(search) values(server.acceleration.is_dm_acceleration) values(server.acceleration.is_not_dm_acceleration) values(server.acceleration.is_not_report_acceleration) values(server.acceleration.is_report_acceleration) values(server.clientip) values(server.is_acceleration) values(server.is_licenser) values(server.is_metrics) values(server.is_not_acceleration) values(server.is_not_licenser) values(server.is_not_metrics) values(server.is_not_scheduler) values(server.is_not_splunkdaccess) values(server.is_scheduler) values(server.is_splunkdaccess) values(server.licenser.is_daily_usage) values(server.licenser.is_not_daily_usage) values(server.licenser.is_not_pool_warnings) values(server.licenser.is_not_quota) values(server.licenser.is_not_slave_warn_summary) values(server.licenser.is_pool_warnings) values(server.licenser.is_quota) values(server.licenser.is_slave_warn_summary) values(server.method) values(server.metrics.is_Thruput) values(server.metrics.is_not_Thruput) values(server.metrics.is_not_pipeline) values(server.metrics.is_not_queue) values(server.metrics.is_not_systemwide_search_load_) values(server.metrics.is_not_user_search_load) values(server.metrics.is_pipeline) values(server.metrics.is_queue) values(server.metrics.is_systemwide_search_load_) values(server.metrics.is_user_search_load) values(server.scheduler.is_alerts) values(server.scheduler.is_not_alerts) values(server.scheduler.is_not_scheduled_reports) values(server.scheduler.is_not_summaryindexing) values(server.scheduler.is_scheduled_reports) values(server.scheduler.is_summaryindexing) values(server.spent) values(server.splunkdaccess.is_job_endpoint) values(server.splunkdaccess.is_not_job_endpoint) values(server.status) values(server.uri_path) values(server.uri_query) values(server.user) values(source) values(sourcetype) values(splunk_server) values(splunk_server_group) values(timeendpos) values(timestartpos) values(uri) values(version) values(with_new) 130333 131320 17548 3729 4367 60970 7123 77973 -1 500 15 30 56 october 28 29 friday 2015 780 1 splunkd-access admin default local searches tz user-prefs views indexer - _internal 1 server server.splunkdaccess - - - 11ms - - - 17ms - - - 1ms - - - 3ms - - - 6ms - - - 8ms - - - 9ms ..._-__[//:::._+]_"_///-_/."___-_-_-_ ..._-__[//:::._+]_"_///////_/."___-_-_-_ ..._-__[//:::._+]_"_//////?=&=-_/."___-_-_-_ ..._-__[//:::._+]_"_//////?=-_/."___-_-_-_ ..._-__[//:::._+]_"_/////?=&=%%%%&=_/."___-_-_-_ ..._-__[//:::._+]_"_////_/."___-_-_-_ ..._-__[//:::._+]_"_///?=%&=%&=-_/."___-_-_-_ 30/Oct/2015:15:56:28.979 +1300 30/Oct/2015:15:56:28.985 +1300 30/Oct/2015:15:56:28.998 +1300 30/Oct/2015:15:56:29.022 +1300 30/Oct/2015:15:56:29.043 +1300 30/Oct/2015:15:56:29.062 +1300 30/Oct/2015:15:56:29.080 +1300 30/Oct/2015:15:56:29.101 +1300 30/Oct/2015:15:56:29.121 +1300 30/Oct/2015:15:56:29.150 +1300 30/Oct/2015:15:56:29.208 +1300 services servicesNS disabled%3Dfalse is_visible%3D1%20AND%20disabled%3D0 0 1 1 0 127.0.0.1 0 0 0 1 1 1 1 0 0 1 0 1 1 1 1 0 0 0 GET 0 1 1 1 1 1 0 0 0 0 0 1 1 1 0 0 1 11 17 3 6 8 9 0 1 200 /services/apps/local /services/authentication/users/admin /services/data/user-prefs /services/search/timeparser/tz /servicesNS/admin/launcher/data/ui/nav/default /servicesNS/admin/launcher/data/ui/views /servicesNS/admin/launcher/saved/searches _with_new=1&search=is_visible%3D1%20AND%20disabled%3D0&count=500 count=-1 digest=1&count=-1 search=disabled%3Dfalse&search=visible%3Dtrue&count=-1 admin /opt/splunk/var/log/splunk/splunkd_access.log splunkd_access michael-VirtualBox dmc_group_deployment_server dmc_group_indexer dmc_group_kv_store dmc_group_license_master dmc_group_search_head 49 19 /services/apps/local?search=disabled%3Dfalse&search=visible%3Dtrue&count=-1 /services/authentication/users/admin /services/data/user-prefs /services/search/timeparser/tz /servicesNS/admin/launcher/data/ui/nav/default /servicesNS/admin/launcher/data/ui/views?count=-1 /servicesNS/admin/launcher/data/ui/views?digest=1&count=-1 /servicesNS/admin/launcher/saved/searches?_with_new=1&search=is_visible%3D1%20AND%20disabled%3D0&count=500 HTTP/1.0 1 ... View more

Hi thomas.unger_extern, while in the Website Availability Check App goto Settings - Data inputs » Website Availability Check and enable or disable any input listed there. This will restart the web_ping.py script which you can see in the _internal index of Splunk: 10-30-2015 15:02:41.984 +1300 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/website_monitoring/bin/web_ping.py 10-30-2015 15:02:41.983 +1300 INFO ExecProcessor - Removing status item "/opt/splunk/etc/apps/website_monitoring/bin/web_ping.py (isModInput=yes) You can also check the process on the OS level before the data inputs change it was: MuS 3990 3989 0 14:34 ? 00:00:02 python /opt/splunk/etc/apps/website_monitoring/bin/web_ping.py after the change it is: MuS 10835 10834 4 15:02 ? 00:00:00 python /opt/splunk/etc/apps/website_monitoring/bin/web_ping.py Hope this helps ... cheers, MuS ... View more

Hi Goophy, take this run everywhere command which just runs fine on the internal_server data model, which is accelerated in my case: | tstats values from datamodel=internal_server the result is this: and as you can see it is accelerated: So, to answer to answer your question: Yes, it is possible to use values on accelerated data models to return all values. Maybe you hit some limit (haven't found anything on a quick search) and try to return too much values at once? cheers, MuS ... View more

Nice answer! Just to add a link to another answer which could be helpful in this case https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html cheers, MuS ... View more

Hi dcloes, This is how it can be done, but be aware you should but the indexes.conf into c:/program files/splunk/etc/system/local . You can also verify your setting were applied by running this command from the CLI: $SPLUNK_HOME/bin/splunk cmd btool splunk cmd btool --debug indexes list <index_name> With this you can verify if your settings is not over-written by some other indexes.conf , see the docs for more details on this http://docs.splunk.com/Documentation/Splunk/6.3.0/Admin/Wheretofindtheconfigurationfiles Hope this helps... cheers, MuS ... View more

Hi Mike, in a nutshell it is as simple as this: Stop Splunk Copy colddb from $SPLUNK_DB//colddb to /newspace/colddb Edited /opt/splunk/etc/system/local/indexes.conf and add the following for the index: coldPath = /newspace/colddb Restart Splunk You can also verify your setting were applied by running this command from the CLI: $SPLUNK_HOME/bin/splunk cmd btool splunk cmd btool --debug indexes list <index_name> With this you can verify if your settings is not over-written by some other indexes.conf , see the docs for more details on this http://docs.splunk.com/Documentation/Splunk/6.3.0/Admin/Wheretofindtheconfigurationfiles Hope this helps... cheers, MuS ... View more

Hi ProudDevil, you can use map to get those events; take this run everywhere search which will search index=_internal for kbps values over 35 in metrics.log and will return the surrounding events from sourcetype=splunkd , starting 2.5 minutes before the event and ending 2.5 minutes after the event: index=_internal source="*metrics.log" kbps>35 | eval start_time=_time-150 | eval end_time=start_time+150 | map search="search index=_internal sourcetype=splunkd earliest=$start_time$ latest=$end_time$" you can change the map search to return events for the kbps and the surrounding events as well: index=_internal source="*metrics.log" kbps>35 | eval start_time=_time-150 | eval end_time=start_time+150 | map search="search index=_internal source="*metrics.log" earliest=$start_time$ latest=$end_time$" Hope this helps to get you started ... cheers, MuS ... View more

Sorry to bring bad news, but this does not work: Error in 'autoregress' command: You cannot specify new field name when you specify a range for 'p'. Also remember this will only work if you don't use a filter in the base search otherwise autoregress has only _raw events containing the filter and nothing else. ... View more

Can you provide one example each? ... View more