Hi mkatz, you can combine the searches and run it as one search by using the filldown command: host=hostname SSL=TLSv1.2 OR host=hostname2 RequestIP | filldown clientIP RequestIP | where clientIP=RequestIP | stats count by task This is un-tested since I don't have your events available, but should get you started. cheers, MuS ... View more

Also, do not use * searches. Since Splunk will have to read in your example, all events containing host fields from disk and compare if the values starts with xyz . Take a good lock at the slide here http://conf.splunk.com/session/2015/conf2015_JHarty_DuncanTurnbull_Splunk_UsingSplunkSearchLanguage_AQuickGuideToSearch.pdf to learn more about Search Efficiency Optimisation. cheers, MuS ... View more

just a funny thought; who about this: base search here | eval corr_field= coalesce(Event_Number, Ticket) | stats values(*) AS * by corr_field ... View more

use this in your base search: earliest=-0d@d+6h latest=-0d@d+6h+30min This will snap tho the current day 6am til current day 6:30am cheers, MuS ... View more

you need to have the schedule_search capability to Schedule saved searches, create and update alerts, and review triggered alert information. This is usually only granted to the power user role. cheers, MuS ... View more

Hi japala, DMC should be the best option, but it will only show your environment correct if all internal logs are forwarded to the indexers and the Splunk instance running DMC has all indexers as search peer, see the docs for more detail http://docs.splunk.com/Documentation/Splunk/6.3.0/DMC/DMCoverview cheers, MuS ... View more

Not an answer, because you got some nice hints already. But check the slides from this .conf Session http://conf.splunk.com/session/2015/conf2015_JHarty_DuncanTurnbull_Splunk_UsingSplunkSearchLanguage_AQuickGuideToSearch.pdf ... View more

just run this as search | inputlookup domain_admins.csv to see what is returned from the lookup file ... View more

Hi peterdawood, you can start with this search, where you add all additional fields to the base search: (index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* EventID=* | deduce host or you filter after the next | which will be not as efficient as the first search and you could also miss some events that does not contain host but contain EventID because the base search only searches for host : (index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* | deduce host | search EventID=* | do more Splunk> Fu And here is a freebie, read the slides and learn much about search efficiency: http://conf.splunk.com/session/2015/conf2015_JHarty_DuncanTurnbull_Splunk_UsingSplunkSearchLanguage_AQuickGuideToSearch.pdf Hope this helps ... cheers, MuS ... View more

Or you setup the second search | ldapsearch domain=xxxxxxx.xxx search="(&(objectclass=group)(cn=Administrators))"|ldapgroup|table member_name, member_domain to feed a lookup table and run this at night and enrich the user data with the admin group membership. See the docs for more details on outputlookup and lookups to enrich your data: http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Outputlookup http://docs.splunk.com/Documentation/Splunk/6.3.0/Knowledge/Usefieldlookupstoaddinformationtoyourevents ... View more

Hi Sampathu, what's your intension to do so - do you want to find forwarder not sending and create an alert? If so don't re-invent the wheel - either use this app https://splunkbase.splunk.com/app/1294/#/overview if your pre Splunk 6.2 or run DMC http://docs.splunk.com/Documentation/Splunk/6.3.0/DMC/DMCoverview Both have plenty of pre-build alerts to handle this. Hope this helps ... cheers, MuS ... View more

just to be complete, here is the latest command ran on the same server as yesterday: index=_internal earliest=-3d@d latest=-2d@d | stats values(sourcetype) | foreach values* [ mvexpand <<FIELD>> ] This search has completed and has returned 8 results by scanning 2,907,591 events in 248.982 seconds. ... View more

Okay, if it's related to the distributed search group as well one can modify the distsearch.conf file to create or modify the group http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/Distributedsearchgroups . This can be done using git, puppet, vi, rsync ......... what ever your flavour is. ... View more

Sure, but it will be hard coded this way not as dynamic as the props.conf and transforms.conf approach which will pick up the first as field and the second one as value. Try this regex: .. | rex "status=\[(?<status>\d+)\],\stime=\[(?<time>\d+)\sms\]" | table status time ... View more

What do you want to get from the provided example? ... View more

Hi arungoyal, take a look at this app https://splunkbase.splunk.com/app/1799/ which allows you to create a slideshow of dashboards in Splunk. cheers, MuS ... View more

what does the props.conf look like and did you restart spunk after the change? Also note this will only be valid for new events. ... View more

this will work as run everywhere search: | gentimes start=-1 | eval foo=" username=john.doe username=domain\john.doe username=other_domain\foo.baz" | rex max_match=0 field=foo "(?:=(?!\w+\\\)|(?<!=)\\\)(?<user>\S+)" | table user ... View more

Sorry my bad, just add max_match=0 to the regex and it will match everything: tag=authentication eventtype="aruba-user-authenticated" | rex max_match=0 "(?:=(?!\w+\\\)|(?<!=)\\\)(?<user>\S+)" ... View more

Just for the fun of it, I ran all searches as run everywhere examples with fixed time range and leave you to choose the fastest/best for your use case: index=_internal earliest=-2d@d latest=-1d@d | dedup sourcetype | table sourcetype This search has completed and has returned 8 results by scanning 2,907,591 events in 249.892 seconds. index=_internal earliest=-2d@d latest=-1d@d | stats dc(sourcetype) by sourcetype This search has completed and has returned 8 results by scanning 2,907,591 events in 229.72 seconds. index=_internal earliest=-2d@d latest=-1d@d | stats latest(sourcetype) by sourcetype This search has completed and has returned 8 results by scanning 2,907,591 events in 228.705 seconds. index=_internal earliest=-2d@d latest=-1d@d | table sourcetype | stats latest(*) as * by sourcetype This search has completed and has returned 8 results by scanning 2,907,591 events in 382.519 seconds. index=_internal earliest=-2d@d latest=-1d@d | table sourcetype | stats values(sourcetype) This search has completed and has returned 1 result by scanning 2,907,591 events in 388.672 seconds. cheers, MuS ... View more

Hi Dohrendorf_Consist, take a look at the dashboard examples app https://splunkbase.splunk.com/app/1603/ where you can find exactly this example - sorry I don't have it handy right now. cheers, MuS ... View more