The ePub (iPad, etc) version is available now, for free at http://splunkbook.com The hard copy should be available in about 2 weeks at Amazon. ... View more

1) You might be interested in looking at the Field Extractor app which will generate the regexes for you, if you just click on the values you want extracted. 2) you can have one regex to pull out both values. Something like "FLETCHER\\(? \w+).*?(? \d+) bytes" 3) you search needs to be something like: sourcetype=SFTP_records | stats sum(bytes) by org ... View more

The other answers here seemed to have focused on raw. I'm not sure why, because the question said he wants to do stats. Regardless, the other answers are now unnecessarily convoluted. In 4.3 we added the "mvraw=true" option to transaction, so _raw can be a true multivalued field. Regarding stats, mvexpand should work fine. It's unclear what probably the questioner had with it. ... View more

The following series of eval commands calculate the Stardate in the field "star_date". First it determines the year, the length of the year, and the proportion of the year that has gone by. Years are relative to year 2323. < your search > | eval year=strftime(_time, "%Y") | eval leap = if((year % 4 == 0) and ((year % 100 != 0) or (year % 400 == 0)), "1", "0") | eval length = if(leap=="1", 31622400, 31526000) | eval time = _time - (60*date_zone) | eval year_date = relative_time(time,"@y") | eval star_time =((time - year_date) * 1000 / length ) | eval star_year = year - 2323 | eval star_date = star_year.star_time There's an interesting bit of detail regarding timezones in that the snap-to-times in Splunk are local to your local timezone, meaning @y (the beginning of the year) is different for users in California and Russia. To compensate for that, we modify the 'time' value with the date_zone field. This example is good for introducing eval, strftime, if(), and relative_time(). ... View more

done. updated in the latest version! ... View more

Here's how to do it. 1) calculate the median value for duration, using "eventstats", which puts the value onto every event/transation. 2) use "where" to filter out events/transactions that are below the median duration. 3) now calculate the average duration for the remaining events/transactions Putting it all together: "your transaction search" | eventstats median(duration) as threshold | where duration>= threshold | stats avg(duration) ... View more

Your quoting is wrong for the map command. Try using the subsearch syntax. e.g. | map [ sendemail to="test@test.com" subject=$host$ server="mailhost"] See: http://splunk-base.splunk.com/answers/27012/whats-wrong-with-this-map-search-command ... View more

Look at this snippet of your search: ... search="sourcetype="vc_termlog" TermID=$PTID$" Look at the quoting! That's ... search="sourcetype=" vc_termlog " TermID=$PTID$" Now you see the problem? Also, I think your search needs to start with "search" Try ... search="search sourcetype=vc_termlog TermID=$PTID$" Or use the subsearch notation for map: | map maxsearches=17 [search sourcetype="vc_termlog" TermID=$PTID$] ... View more