Is there a way to determine the earliest/latest events in an index that has been moved off to Hadoop? I'm running Splunk 7.0.2. ... View more

I am attempting to determine the earliest event in a particular index by executing the following search over All Time (as instructed by the Metadata command). I am running Splunk Enterprise 7.0.2: | metadata type=hosts index=vpn Error in 'metadata': No 'host' key found in results. Cannot merge metadata. If I choose different time periods, some of them work (previous 30 days, Year to Date) but some do not (previous year). Anyone see this before? ... View more

I am using version 1.22 of the ServiceNow Security Operations app on Splunk 6.5.3. I want to use the snsecincident command in a search in order to customize some of the incident properties that can't be customized within the Create ServiceNow Security Incident Alert Action. Then I want to schedule that search as an Splunk Alert. However when I attempt to use either of the snsecevent or snsecincident manual search commands, I get the error This command must be the first command of a search. Am I misunderstanding the documentation? Shouldn't I be able to pass the fields from a search to these commands? ... View more

Congrats on the new release! I have an AWS HF instance forwarding to on-premise indexers. Is this model supported? I didn't see mention of this model being explicitly supported or not supported and since the product was new, I wondered if this was a documentation oversight. Thanks! ... View more

I have an event with a mix of JSON and non-JSON data. I have successfully extracted a Payload field with props whose value is a JSON data structure. Then using the search | spath input=Payload , the value is successfully parsed into KV pairs. But how do I move this to a config file for automatic extraction? I was looking at an EVAL- statement with the spath() function, but it's not clear what the "Y" value should be if I want to extract all of the fields, not just a specific one: EVAL-Payload = spath(Payload, "*") ... View more

I created the following search to audit the changes made to our network infrastructure: (index=ise Protocol=Tacacs MESSAGE_CODE=5202) OR (index=acs process="Tacacs-Accounting" MESSAGE_CODE=3300) | rex field=CmdSet mode=sed "s/^\[(?: )?|CmdAV= ?\]?|CmdArgAV=(?:)?|(?:)?\s\]//g" | where CmdSet!="" | lookup dnslookup clientip AS Address OUTPUT clienthost AS Device | eval Device=(if(isnull(Device),Address,Device)), Time=strftime(_time,"%H:%M:%S") | eval Date=strftime(_time, "%m")."-".date_mday."-".date_year | stats list(CmdSet) AS Command, list(Time) AS Time BY Date,User,Device Here's some sample output: Date User Device Command Time 09-14-2017 admin access-switch switchport access vlan 600 13:13:32 interface GigabitEthernet 1/0/26 13:13:25 no shutdown 13:13:57 shutdown 13:13:56 09-14-2017 admin core-router transfer upload start 17:36:08 transfer upload password <hidden> 17:36:08 transfer upload username transfer 17:36:08 transfer upload filename core-router-confg 17:36:07 transfer upload serverip 10.10.10.1 17:36:07 transfer upload datatype config 17:36:07 transfer upload port 21 17:36:06 transfer upload mode ftp 17:36:06 There's a couple of issues I'm really struggling with: 1. I would like to eliminate rows /AFTER/ the stats command where the Command starts with 'transfer upload' or any number of other command snippets. I have spent the day trying various techniques like |where but I can't seem to figure how eliminate these rows. I realize I can do this with a regex before the stats, but I'm trying to learn some more advanced techniques. 2. I can't figure out how to sort the rows by Time. When I use the sort command, I lose all of the grouping and it becomes table output. Is there a way to sort the Commands in the stats output based on the Time column (also preserving the value in the Time column)? 3. There are some rows where the list() limit of 100 is a factor. Is there a better way to construct this search to work around that limit (as opposed to increasing the limit)? I tried using values(), but I seem to loose the relationship between the Command and Time fields. Really struggling here, thanks. ... View more

I have an IP (216.3.51.108) that I'm trying to geolocate, but the City and Region fields are returning as Null. When I geolocate using the Maxmind 'GeoIP2 City Database Demo', I get all the values I expect. In reading the documentation for the iplocation command I came across the instructions for updating the database. But the instructions aren't quite clear if I need to update the database on the SH cluster or the Index cluster (or both). There is a paragraph stating that you /can/ update on the indexer, but to me this is different than saying you /must/. What are the steps to update the geoip database in a distributed cluster? I actually did it on both but this did not change my results, so I must be doing it wrong. ... View more