see the updated answer.... ... View more

Hi campbellj1977, well, this is tricky to answer for sure; because your finding are most likely to be true for any searches, reports, alerts and dashboards. But not for the real-time searches. This is because real-time searches search through events as they stream into Splunk Enterprise for indexing. When you kick off a real-time search, Splunk Enterprise scans incoming events that contain index-time fields that indicate they could be a match for your search. So, it is likely that you will not get a performance benefit out of splitting...But, how about adding a second indexer to add overall performance or troubleshoot what exactly gets your indexer overloaded or blocked. If your on Splunk 6.2 you can use the internal Distributed Management Console for this http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/ConfiguretheMonitoringConsole#What_is_the_distributed_management_console.3F Take a look at the pipeline image below to get an overview of the Splunk input pipeline: Regarding your comment about the forwarder; this will only skip a part of the parsing queue but still uses all other queues (the universal forwarder that is). If you're using a heavy forwarder in front, it will skip parsing, merging and typing and in the indexerPipe until tcpoutput . This would only help if your indexer has blocked parsing queues, because the heavy forwarder would take the parsing, merging and typing load. Your real-time search will still pick up the events right at the stage they stream in into the indexer. But they maybe benefit from the fact that the indexer has less load when you're using the heavy forwarder in front.... Hope this helps ... cheers, MuS ... View more

from the docs on props.conf http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/Propsconf Specifies the field/value extraction mode for the data. * Set KV_MODE to one of the following: * xml : automatically extracts fields from XML data. ... View more

This is not possible with inputcsv, it only allows to read cvs files in $SPLUNK_HOME/var/run/splunk Did you try inputlookup already? ... View more

okay, try this: >|< This will match either > or | then the 32 times any alphanumeric and ends with a < Tested and working on regex101.com cheers, MuS ... View more

Hi HattrickNZ, you can use something like this instead: w0 = Sunday w1 = Monday etc... example: earliest=@w0 
 Searches from the current time to the previous Sun Hope that helps ... cheers, MuS ... View more

Hi jmallorquin, I will soon upload an updated version of the app with more detailed debugging features .... ... View more

Okay, but this is a different requirement 😉 Installing or using your own python modules for a custom script is very easy...basically 🙂 Can be tricky sometimes, depends on the module you're using. Take a look here http://stackoverflow.com/questions/279237/import-a-module-from-a-relative-path to get some ideas how it cloud be done in the script, afterwards create an app and place everything into the app's bin folder - the script and the python module that is. ... View more

Hi bnorthway, I would not recommend doing so, but dr. google has quiet a long list providing guides who to install pip on windows like this one http://docs.python-guide.org/en/latest/starting/install/win/ or this one https://pip.pypa.io/en/latest/installing.html Have fun and remember, if you break stuff you have to fix it .... cheers, MuS ... View more

You can file a feature request here http://www.splunk.com/index.php/submit_issue (the P4 category) ... View more

Hi vaishnavi07, For sure I can suggest how to do this; take a look at this answer here : http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html It will explain everything to you.... cheers, MuS ... View more

Hi SanthoshSreshta, take a look at this answer http://answers.splunk.com/answers/73745/max-data-points-that-charts-can-handle.html cheers, MuS ... View more

Because of this http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html 😉 ... View more

and I'm back into business, so does s p a m m e r z get to feel Thor's hammer 🙂 ... View more

from the docs about sort http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Sort : Description: List of fields to sort by and their order, descending ( - ) or ascending ( + ). ... View more

If this answers your question, please accept it - thx 🙂 ... View more

Like @martin_mueller wrote, post some samples. I did such a thing for an Oracle OVD, it's no big deal 😉 ... View more

It this a typo or does your option for this inputs stanza really looks like index = <domain> ? It should be index = domain instead. ... View more

Hi shariinPH, If you haven't set any coldToFrozenScript in your indexes.conf your old events will not be archived http://docs.splunk.com/Documentation/Splunk/6.2.3/Indexer/Automatearchiving That said, if you're using all default settings for your indexes, Splunk will delete any old events for you. Check the docs for more details on that http://docs.splunk.com/Documentation/Splunk/6.2.3/Indexer/Setaretirementandarchivingpolicy Hope that helps ... cheers, MuS ... View more

Sorry to say, but this is not the way you should use regex. If you're using a lot of this regex's on your search head, you will probably end in troubles. Here is why, your regex tell Splunk to search for : ABC5= matches the characters ABC5= literally (case sensitive) \/ matches the character / literally \w* match any word character [a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] \W* match any non-word character [^a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] \/ matches the character / literally \w* match any word character [a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] \W* match any non-word character [^a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] \/ matches the character / literally \w* match any word character [a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] \W* match any non-word character [^a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] \w* match any word character [a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] \W* match any non-word character [^a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] \w* match any word character [a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] \W* match any non-word character [^a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] \w* match any word character [a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] \W* match any non-word character [^a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] \w* match any word character [a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] \W* match any non-word character [^a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] \w* match any word character [a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] \W* match any non-word character [^a-zA-Z0-9_] Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] (?&lt;DIST&gt;.*) Named capturing group DIST .* matches any character (except newline) Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] .{20} matches any character (except newline) Quantifier: {20} Exactly 20 times xml matches the characters xml literally (case sensitive) There are far more optimized regex available to get only a part of a string. Maybe you should be more specific with your use case or provide more examples. BTW: using your regex and your provided example it matches IKEA.4 cheers, MuS PS: Sorry to make this an answer but the regex translation part is simply too long for a comment 😉 ... View more

Now do it without the map and I will accept the answer 😉 ... View more