I have a long, that gets pretty long, and currently splunk is ingesting it as a whole. this log gets up a couple hundred lines long, and there are multiple events within this log that I need to extract. I am currently using REGEX to do the extraction, but it is only pulling the most recent instance of the extraction and not extracting the other instances within the log. For example, here is my extraction: NOTE:\sPROCEDURE\s(?<procedure>\w+)\sused And here is the log file that I am consuming. NOTE: Deleting WORK.CONTENTS (memtype=DATA). NOTE: PROCEDURE DATASETS used (Total process time): real time 0.00 seconds cpu time 0.01 seconds MACROGEN(CONTENTS_CNTR): data _null_ ; MACROGEN(CONTENTS_CNTR): file "/idn/wsmis/SDPMON_Raw/Logs/SDPMONRaw_Job45_error_log_FDT20150423_RD20151116.txt" mod ; MACROGEN(CONTENTS_CNTR): put "*** value for list_of_files cnt/freq:" @80 "8" @93 "***;"; ommiting 197 lines... NOTE: PROCEDURE CONTENTS used (Total process time): real time 0.00 seconds cpu time 0.00 seconds MACROGEN(CONTENTS_CNTR): data _null_ ; MACROGEN(CONTENTS_CNTR): set contents ; MACROGEN(CONTENTS_CNTR): if _n_ = 1 ; MACROGEN(CONTENTS_CNTR): call symput('no_obs',strip(put(NOBS,comma12.))); MACROGEN(CONTENTS_CNTR): call symput('desc',"list_of_files_last"); In this example you can clearly see there there are two PROCEDURES the first is called DATASETS and the next is called CONTENTS . My extraction is only pulling out the DATASETS value, and then not pulling out the other. Should I be adding a setting to my sourcetype to allow for multiple values here? Adding the search / index time extractions as requested: search time settings: EXTRACT-rT_cpUT = The SAS System used:\s+real\s+time\s+(?<totalRealTime>[^s]+)[^.*]+cpu\stime\s+(?<totalCPUTime>[^s]+)\s+ EVAL-totalCPUTime = replace(totalCPUTime, "^(\d{2})\.(\d{2})","00:00:\1.\2") EXTRACT-proc = NOTE:\sPROCEDURE\s(?<procedure>\w+)\sused EXTRACT-logFile = \/idn\/saslogs\/Altlogs_Linux\/(?<fileDate>\d+)\/(?<user>[^-]+)-(?<version>[^-]+)-\d+-(?<startTime>\d+)-PID(?<pid>\d+) in source EXTRACT-logFile2 = \/idn\/saslogs\/Altlogs\/(?<fileDate>\d+)\/(?<user>[^-]+)-(?<version>[^-]+)-\d+-(?<startTime>\d+)-PID(?<pid>\d+) in source index time settings: NO_BINARY_CHECK=1 LINE_BREAKER = ((*FAIL)) SHOULD_LINEMERGE = false TRUNCATE = 9999999 Thank you for any help!! ... View more

I have a single data input (myLog.log) and I need to send this same data to 2 different hosts, indexes and sourcetypes. I am using deployment server, so I have custom built two separate apps. App1: inputs.conf [monitor:///opt/splunk/var/log/myLog.log] crcSalt = <SOURCE> disabled = 0 sourcetype = testy_testy index = test_apps App1:outputs.conf [tcpout] defaultGroup = myCustomer1 [tcpout:myCustomer1] server = 10.10.10.10:8089 App2:inputs.conf [monitor:///opt/splunk/var/log/myLog.log] crcSalt = <SOURCE> disabled = 0 sourcetype = staging_test index = staging App2:outputs.conf [tcpout] defaultGroup = myCustomer2 [tcpout:myCustomer2] server = 10.10.10.20:10080 Both of these apps exist on the same machine, however, I am not seeing any data in my second index. Will the fishbucket not register this as a new data source, and is there way to configure this? ... View more

I am attempting to overlay last weeks CPU with this weeks CPU utilization, to give a side by side contrast. Currently, I have the following: sourcetype="mySourcetype" earliest=-7d@d latest=now | eval ReportKey="ThisWeek" | append [search sourcetype="mySourcetype" earliest=-14d@d latest=-7d@d| eval ReportKey="LastWeek" ] | timechart span=1d avg(pctCPU) by ReportKey Which produces this chart: (I substituted minutes for days in the chart so it wouldn't take long to load) Is there a way I can make this go over the same 'time', so it looks like a true over lay? Meaning if I set this to a weekly, Mon - Fri kind of time range? ... View more

I was reading documentation, though I didn't see anything on if it's possible to set an index wide property within props.conf. For instance: [my_sourcetype] REGEX-field1 - field_(?<myfield>\w+) Is there a way to add an extracted field to a sourcetype? Is there such a thing as this, or a way to do it for an entire index? [my_index] REGEX-field1 - field_(?<myfield>\w+) ... View more

I am attempting to configure the EMX XtremIO Add-on for Splunk Enterprise with multiple appliances. In total, I have 6 of varying sizes, 3 each in 2 separate data centers. I have 2 heavy forwarders I have the add-on installed on, 1 in each Datacenter, and I am attempting to add multiple XtremeIO appliances levering the 'setup' feature through the 'manage apps' menu and I keep getting an error. That error looks like this: Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/TA-EMC-XtremIO/xtremiocustom/xtremioendpoint/setupentity How can I add another XtremIO device to a single heavy forwarder? ... View more

I was just wondering if there was a way to monitor all interfaces with something like a wildcard? for example, instead of: [snmpif://myDevice] destination = 10.10.10.10 port = 161 snmp_version = 2C interfaces = 1,2,3,4,5,6,7,8,9,10 communitystring = idnbigdata snmpinterval = 60 index = myIndex sourcetype = snmp:if disabled = 0 I could instead have something that looked like this: [snmpif://myDevice] destination = 10.10.10.10 port = 161 snmp_version = 2C interfaces = * / ALL communitystring = idnbigdata snmpinterval = 60 index = myIndex sourcetype = snmp:if disabled = 0 Is this possible to do, or do I have list everything? ... View more

I have installed the latest version of the SNMP Modular input, and when I'm entering all of the information necessary I am encountering the following error while trying to save: Encountered the following error while trying to save: In handler 'snmpif': The script returned with exit status 1. This is a screen shot: Can anyone suggest any thing to get around this? ... View more