Thanks @vganjare 🙂 ... View more

So, while most of you were sleeping Thor's Hammer was spam fighting and got ride of them mostly within 50 seconds to one hour - killing almost 60 spamerz tonight..... and did not get one single karma for it - and also did not complaining about it and I'm not working for Splunk ! ... View more

agreed - well, we provided some hints now its up to the questionnaire to use them 😉 ... View more

Yes, it is for sure a matter of performance, because searches are faster when they use fields that have already been extracted (indexed fields) instead of fields extracted at search time. That said, if hit_hour="*" hit_day="*" visit_day="*" visit_hour="*" agent="*" are search time field extractions and it is a sparse search it will probably get worst. Why do you reckon it is bad in regards of functionality? ... View more

That's why I have the last line in the answer 😉 ... View more

props.conf and transforms.conf troubleshooting is hard I know and mostly like the hardest thing is that you must figure out what's wrong, because I can only provide some basic hints like these: http://answers.splunk.com/answers/4075/whats-the-best-way-to-track-down-props-conf-problems.html http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/Enabledebuglogging ... View more

Hi BorrajaX, try something like this: earliest=-24h | rex field=host "(?<host_name>[a-zA-Z]+)\d*" | rex field=_raw ":\d{2}\s(?<sample>[\w\s]+)$" | stats count by host_name, py_module, sample | sort -count | head 10 This will create a new field called sample containing any alphanumeric and white space character after a : and two digits and a white space until the end of the line Hope that helps ... cheers, MuS ... View more

Hi ryuch2002, there are multiple sources on docs and answers how to do it: First identify the search you are doing, like is it a dense or sparse search - http://docs.splunk.com/Documentation/Splunk/6.2.3/Capacity/HowsearchtypesaffectSplunkEnterpriseperformance Next, try to adapt what's mentioned here http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Writebettersearches and last but not least go through this answer http://answers.splunk.com/answers/172275/how-do-optimizations-for-field-based-searches-work.html and try to use all there techniques in your search. @vganjare had a good approach, but on the wrong side of the | instead of using fields after the search, try to use as much fields as possible before the first pipe | like this: index=\"jennifer\" sourcetype=\"jennifer_perf_agent\" tag=\"$server$\" hit_hour=\"*\" hit_day=\"*\" visit_day=\"*\" visit_hour=\"*\" agent=\"*\" This is still not the best possible in regards of performance but a starting point. cheers, MuS ... View more

run it as the user splunk or run this first source /opt/splunk/bin/setSplunkEnv to set all needing environment settings. ... View more

Hi nawneel, No, not by using Splunk internal features....But, you could do it using sideview utils like described in this answer from @sideview https://answers.splunk.com/answers/215137/prevent-users-from-table-sorting-when-clicking-on.html cheers, MuS ... View more

thanks for the hint 😉 ... View more

Hi burras, these are only hints to give: You're doing linebreaking which is a parsing operation and always happens on the indexer or on a heavy weight forwarder (see the wiki on this topic http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F ) To troubleshoot this you can check at first if the stanza name in the props.conf exactly matches; is your sourcetype really called sm-esam-access ? Next check if any other props.conf is taking precedences over yours or if your is applied at all with btool : $SPLUNK_HOME/bin/cmd btool props list --debug or $SPLUNK_HOME/bin/cmd btool props list sm-esam-access --debug Next would be to check if any defined regex is matching or not and last but not least remember this props setting is only valid for any new incoming events. Hope that helps ... cheers, MuS ... View more

Sorry, but I will not advice further because it is all written in the docs. Just follow the steps: Configure the deployer's security key The key is optional, but if you use it, you must set it to the same value on all cluster members and the deployer Use the -conf_deploy_fetch_url parameter specifies the URL and management port for the deployer instance. This parameter is optional during initialization, but you do need to set it before you can use the deployer functionality ... View more

Hi selspiero, short google search and found this: http://psonlinehelp.equallogic.com/V3.3/configuring_syslog_event_notification.htm This means, that Equallogic can send syslog; perfect because Splunk can receive syslog. Follow the docs http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/SyslogTCP to enable Splunk to receive syslog. Hope that helps ... cheers, MuS ... View more

Hi p2splunk2015, Splunk can read anything that you can read, that said: Splunk can index any human readable files or inputs or net streams. This is more likely a thing you must handle and convert your files, so Splunk can read and index the data. Splunk itself does not provide any way to do so. cheers, MuS ... View more

Hi arnabsen1234, try something like this: | gentimes start=-1 | eval httpUrl="document/import/upload/reload" | rex field=httpUrl mode=sed "s/\// /g" cheers, MuS ... View more

As said; un-tested and usually I don't use any kind of sub searches. ... View more

You see, took me 9 minutes to write this answer 🙂 ... View more

Hi shreyasathavale, Sure, the lazy and not very well performing way would be this: earliest="06/08/2015:00:00" latest="06/14/2015:23:59" index=iis | stats count as hit by date_hour, date_mday | eventstats max(hit) as maxhit by date_mday | where hit=maxhit | sort hit desc |top limit=1 hit,date_mday,date_hour |fields date_hour,date_mday,hit, earliest, latest | map search=" search (earliest=$earliest$ latest=$latest$+3600) index=perfmon host=web1 (counter="% Processor Time" OR counter="Get Requests/Sec" OR counter="Current Connections") |stats avg(Value) by host, counter This is completely untested and keep in mind, for me it's early Monday morning 🙂 I'm pretty sure this can be done with some stats tricks Hope that helps ... cheers, MuS ... View more