Another hint, place your script into $SPLUNK_HOME/bin/scripts and try to run it like $SPLUNK_HOME/bin/splunk cmd yourscript.bat ... View more

Also, take a look at $SPLUNK_HOME\var\log\splunk\splunkd.log , it should tell you if the script is executing or not. Also run $SPLUNK_HOME\bin\splunk cmd btool inputs list to see if you can find your script listed, as this will indicate if the configuration is correct. ... View more

Your inputs.conf is missing an interval to run the script: interval = [<number>|<cron schedule>] * How often to execute the specified command (in seconds), or a valid cron schedule. * NOTE: when a cron schedule is specified, the script is not executed on start-up. * If specified as a number, may have a fractional component; e.g., 3.14 * Splunk's cron implementation does not currently support names of months/days. * Defaults to 60.0 seconds. * The special value 0 will force this scripted input to be executed non-stop; that is, as soon as script exits, we shall re-start it. ... View more

ohhh you're using a subsearch....I'm no friend of them at all 😉 Because you hit limits with them and they are not really fast. This is not related to this question, but look at this answer http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html and try to adapt your search to a single stats search. ... View more

what is the exact search command you're using now? ... View more

Use the job inspector to verify what happens with the time range in the base search ... View more

Just change the stats like | stats count by client user _time so it matches your needs. The first field after the by statement is the the sorting one. ... View more

Hi sp1711, The obvious search is something like: My_search | timechart values(client) AS client count by user limit=5 but this shows the top 5 globally, not the top 5 per day. The problem with "per-day" is that every day could have 5 completely different top user and thus for a month, you may need 150 series. If you really want to calculate per day, it's something more like: My_search | bin span=1d _time | stats count by _time client user | sort - _time count | dedup 5 _time this will give you, per-day, the top 5 client, user ,count groups. Add this to graph / chart it: | timechart span=1d values(client) AS client sum(count) by user limit=1000 Hope this helps ... cheers, MuS ... View more

Oh my bad sorry .... try one of these settings: [setindex_MySourceType] REGEX = . FORMAT = my_custom_i DEST_KEY = _MetaData:Index WRITE_META = true or [setindex_MySourceType] REGEX = . FORMAT = index::my_custom_i DEST_KEY = _MetaData:Index ... View more

does your custom index exists ? ... View more

you could use field extraction http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/ExtractfieldsinteractivelywithIFX to get d1 , d2 , d3 , d4 as fields and a lookup table to translate the d fields into numbers .... this is the most you could probably do or change the source output to be decimal 😉 ... View more

Hi davebo1896, you can add a bit of SPL to this REST call, like this: | REST /services/server/info | stats count AS myCount | eval Status=if(myCount=="1", "OK" , "PANIK")| table Status to get what you want or you just check the TCP port of the search head from load balancer. Because if the Web server from Splunk is down your search head is not usable by any user. Hope this helps ... cheers, MuS ... View more

Hi evanr76, have a look at this answer where you can read something about this topic http://answers.splunk.com/answers/134053/ciphersuite-in-various-conf-files.html cheers, MuS ... View more

Hi cmlombardo, best thing would be to set the correct index at input level in the inputs.conf . But you can do this as well later on any Splunk server doing parsing. Maybe your regex does not match ; if you aplly this to one special sourcetype you can use something like this because you want to have anything from this sourcetype in the new index: props.conf: [MySourceType] # makes sure it goes to the proper index. TRANSFORMS-8_AssignToIndex = setindex_MySourceType transforms.conf [setindex_MySourceType] REGEX = . DEST_KEY = _MetaData:Index FORMAT = my_custom_i As long as this is done at parsing level and the sourcetype matches exactly, you will get any new incoming events in the index=my_custom_i Hope that helps ... cheers, MuS ... View more

And that's the way you should do it, Splunk is not aware that Feb is equal the 02 months and sorts it based on the alphanumeric value. If you need to sort it like this, you provided the answer yourself 😉 ... View more

Take a look at this answer http://answers.splunk.com/answers/93211/sso-and-user-session-timeout.html and at this docs for SSO troubleshooting http://docs.splunk.com/Documentation/Splunk/6.0.1/Security/TroubleshootSplunkSSO cheers, MuS ... View more

Uppsss, my bad. looks like I got the additional question wrong 😉 ... View more

Hi omgwut56k, if I get you correct, you wants to stop or reconfigure some search heads and have them stop forwarding their _internal index - right? There are a few things you should keep in mind tough: it is not a good practice not to forward the _internal , since it makes troubleshooting much more complicated. What is your intension to do so? If it's about the data amount send, then rather fix any problem on that search head than stop forwarding. If your concern is about license; _internal does not count on the license and has a default retention of 30 days. But back to your question; this is pretty easy, login to any search head that has all your indexers are search peer and run: index=_internal | stats count by host This will get a table of all splunk server sending their _internal events to the indexer. Hope that helps ... cheers, MuS ... View more

Okay, instead of asking for more help; Why don't you read the docs about the field extractor http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/ExtractfieldsinteractivelywithIFX and learn how to use it. It helps you to get anything out of your events into fields, which then can be used in any further search within the same app. Make your life much easier 😉 ... View more

Well do you have a field called source? Try rex instead of regex and if it's still not working try this: index=abc host="xyz" |rex "(?&lt;job&gt;[^/]*)$" | table job ... View more

Hi Sourabhv05, So, you want an answer asap 😉 Your regex is pretty easy, you're looking for everything after the last / so try this: your base search goes here | rex field=source "(?<job>[^\/]*)$" | table job This will extract everything after the last / and put it in a field called job . You can test and learn regex over here https://regex101.com Hope that helps and was asap enough 😉 cheers, MuS ... View more