Which splunk version do you run? ... View more

Hi, as a first step, take a look in the splunkd.log of the forwarders. Always a good starting point for investigations according to forwarders. ... View more

Hi, you can create a search for a complete day with the following earliest and latest filters: index=_internal earliest=@d latest=@d+24h What you can do then, is you can add or substract hours, minutes or seconds like this: index=_internal earliest=@d+1h+10m latest=@d+24h-1h So, if you have two textinputs and the inputs have tokens $from$ and $to$ you could create a search like: index=_internal earliest=@d$from$ latest=@d+24h$to$ and all your users have to do, is type +14h and -6h to get the timerange from 14:00 to 18:00. Greetings Tom ... View more

Hi, i remembered this blogpost, where a configuration for your usecase is given. But this definitly is an unsupported configuration and not for use in production. Why exactly do you want to run multiple forwarders on a single machine, because there are only a few cases where this is needed? What about virtualization? Greetings Tom ... View more

Hey, there is an excellent part of the documentation that covers your questions -> Link Grettings Tom ... View more

You should be able to use timechart for this. Is datetime equivalent to _time? Then you can do something like: ... | timechart span=2s earliest(_time) values(other_field) by host Greetings Tom ... View more

Your regex didn't match. there are way to much "\" symbols in your regex and i think also your group definition "(?.*?)" is syntactically wrong. ... View more

The rex command extracts multiple words from the string and puts them into the field test1. Because there are multiple values, the field then is a so called multi value field. Mvcombine transforms mvfields to normal fields. ... View more

Hi, i think this might be caused by the following configuration default: MAX_TIMESTAMP_LOOKAHEAD This is the configuration, how far splunk is seaching in the event to find a timestamp and it defaults to 150 characters. If you count the characters to the end of your date in the event where the timestamp is not correctly recognized, you exceed the 150 chars. Can you try to set this value up, maybe to 250? You should add this to the stanza of your sourcetype in the props.conf. Greetings Tom ... View more

Hey, thats what splunk answers is for 🙂 If this was what you want, it would be nice if you transform the comment to an answer and mark your question as solved. So others with the same problem can also find the solution. ... View more

Hi, there is also a dedup for mvfields: From the docs: mvdedup(X) This function takes a multi-valued field X and returns a multi-valued field with its duplicate values removed. ... | eval s=mvdedup(mvfield) So maybe something like this will work? mvcount(field)=1 | where b!=0 | eval lookupfield=logfield | lookup my_lookup_table lookupfield | table _time, field1, field2, field3, field4, field5, field6, lookuptablefield, field7, field8 | eval lookuptablefield=mvdedup(lookuptablefield) I created a small run everywhere example: | stats count | eval mvfield="a,a,a,b,b,b" | makemv mvfield delim="," | eval mvfield=mvdedup(mvfield) | fields - count Greetings Tom ... View more

Hi, you just configure the name of the sourcetype on your UF in the inputs.conf. Then you want to make sure the sourcetype is correctly configured. You can do that with the help of the add data wizard and the preview on your indexer/search head. Doing this with the wizard and the preview is best practise. You can for example copy a sample file from your UF and use this with the wizard/preview. You already mentioned that you can configure the sourcetype correctly in the wizard and your events are broken correctly. And you are also right with your other statements: If some amount of data is already indexed, and I change the props.conf will it not go back and reindex based on the updated props.conf or is it forever stuck parsed incorrectly? This is why you normaly should use a sample file with the preview on your search head to make sure the sourcetype is correct. You can then create a temp index and add the sample file as snapshot, not as monitor (monitor means the files is always watched, snapshot means it is just one time added but not watched permanently). If you made a mistake you can delete the temp index and start over again. If the data is added with the help of a monitor, the data will remain parsed incorrectly in your splunk. You have three options then: 1) Wait until the index size / time is reached and the events are dismissed 2) use the delete command (this is more masking of the data than a delete) 3) clear the fishbucket Splunk is already monitoring these files but doesn't pick it back up. This happens because splunk wants to make sure not to read the same events twice. For example if you rename a file, you do not want splunk to read it again. This is useful if you want to roll your logfiles. You can make splunk reading files again buy clearing the corresponding index and the fishbucket. Or you can use the crcSalt option. You can find information about the crcSalt in the link i posted abouth about the fishbucket. Pretty complex answer, best is you avoid this situation by using the wizars and the preview with a sample file as snapshot. Greetings Tom ... View more

Hi, i think what you are looking for is called "Intermediate Forwarding" in the splunk world. Look at this little section in the docs: link There is not much documentation for this setup, but there are already some questions regarding this. For example: http://answers.splunk.com/answers/10429/is-there-an-example-configuration-available-for-an-intermediate-forwarding-configuration.html http://answers.splunk.com/answers/32446/universal-forwarder-is-not-working-as-an-intermediate-forwarder.html Greetings Tom ... View more

In the code you posted is no definition of the token. <h1>I KNOW WHO YOU ARE $Area$</h1> </html> It just asks for the token $Area$ and substitude by whatever is in this token. But you must have defined it before. For example by a text input, a dropdown list or a drilldown. Can you use the token in an other situation? For example in the title of a panel or in a drilldown search. ... View more

Hi, there are two ways to control the size of your indexes: size and time. When you create or configer an index, you can give the index a maximum size (maxTotalDataSizeMB). Whenever this size is reached, events are frozen. This can be done via WebUI. The second option is to configure a time period, whenever all events are older than the time period, the events are frozen (frozenTimePeriodInSecs). If you have no action defined for the transition to frozen (for example a script) the events are deleted. You can find additional infos here: link. Greetings Tom ... View more

Hi! I think your approach isn't bad. Is the time dimension really completely irrelevant?. At least your results are returned in one day spans. I think you could also use a combination of the stats and bucket command. Greetings Tom ... View more

Is this: "abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" all in one line, or in 3 seperate lines? sometimes a screenshot from the data as you can see it in splunk is the best for us to help. I don't know, this looks pretty messy and complicated, but maybe it helps: | stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<a_1>[^\;]+)\;(?<a_2>[^\;]+)\;(?<a_3>[^ ]+) (?<b_1>[^\;]+)\;(?<b_2>[^\;]+)\;(?<b_3>[^ ]+) (?<c_1>[^\;]+)\;(?<c_2>[^\;]+)\;(?<c_3>.*)$" | eval row1='a_1'." ".'b_1'." ".'c_1' | eval row2='a_2'." ".'b_2'." ".'c_2' | eval row3='a_3'." ".'b_3'." ".'c_3' | table row* | transpose | rex field="row 1" "(?<value1>[^ ]*) (?<value2>[^ ]*) (?<value3>.*)$" | table value* ... View more