EDIT : New information at the end. When I run a search over our ASA, all the fields defined by the splunk_ta_cisco-asa work except one. I have severity lookups and vendor classes, but I have no "action" defined even though it should be. This is important because a lot of graphs in the network side of the Cisco Security Suite require "action" to be defined in order to report. I'm not an expert by any means, but I spent time last week trying to track down how it should be doing what it doesn't quite do, but I still can't figure out why it's not working. In props.conf, the lookup for action is defined right next to several lookups that work fine (like the severity lookup). LOOKUP-cisco-asa-action_lookup = cisco_action_lookup vendor_action OUTPUT action In transforms.conf, again next to others that work fine, the cisco_action_lookup is defined. [cisco_action_lookup] filename = cisco_action_lookup.csv So, one of the broken searches is this: eventtype=cisco-firewall action="*" | timechart count by action It is easy to modify it to be a working search and test that the lookup actually works by just manually specifying the lookup ahead of search action="": `eventtype=cisco-firewall | lookup cisco_action_lookup vendor_action OUTPUT action | search action="" | timechart count by action` The fixed search returns data with action fully populated, unlike the unfixed search. UPDATE : I have found out more and though it still doesn't make sense to me, perhaps it will to someone. If I aliased the output field at the end so: LOOKUP-cisco_action_lookup = cisco_action_lookup vendor_action OUTPUT action AS aa_action then aa_action shows up just fine. When I again remove the alias, action disappears from the output. UNLESS I run a wide enough search (a day's worth of data or more) then I can sometimes find ONE "action" set to "unknown". So when aliased to aa_action, it shows up on about 20-35% of the events depending on what time period you pick. When not aliased, I get approximately one "action" per million events and it's set to unknown. (And it is indeed an odd line). Can "action" be being unset somehow? Early on I grepped through the etc folders making sure, but I could have missed something. How best to find such a thing, if this is what's happening? ... View more

I know I can override the default bins=100 in any particular search. Is there any way to set something slightly higher as the default? Use case: The majority of our timechart based searches bucket reasonably well, but both Weekly and Business Weekly reports should not trigger a bump to the next bin size (daily) and should remain hourly. Unfortunately, I don't wish to have to add "bins=170" or bins="200" to all searches and would like a way to set it as the default, which sounds like a very reasonable knob that ought to be available. I can't find it though. I can't just set span=1h because the searches may vary between "show me today" to "show me the previous year." I need to keep the dynamic span aspect, just have a few more buckets available before it kicks me into larger buckets. ... View more

While testing some training materials, I created a temporary index and a remote windows event collection input for my own PC. Then I deleted it and recreated it exactly as it had been. Again, testing docs for training. 😞 But my newly recreated input only grabbed events newer than the last time it indexed it and ignored the 2 or 3 weeks of previous entries. I figured this wasn't too big of a deal, I've reset file monitoring and database monitoring before, but I can't figure out how to reset the remote windows event collections. I saw this: I tried http://answers.splunk.com/answers/30006/how-do-i-trigger-the-re-indexing-of-events-from-a-locally-collected-windows-event-log-channel But when I open the appropriate file in there with an SQLlite DB viewer I only have 8 rows for other inputs, nothing for the one I need to start over. So, does anyone have any ideas? ... View more