As far as I know, no. The Saved Search dialog, has two radio buttons, as I describe above, and it defaults to private. ... View more

Alternatively, you can do a transaction command on mac_addr and src_ip and get all the values, filtering out any that don't meet the airport requirement, normalizing your field names first. ... View more

I just tried this event and it should have worked find out of the box, without custom timestamping... $splunk cmd parsetest "3931|20101012125332|APP.STARTUP|system|3|INFO|Thread..." ... Parsed: Tue Oct 12 12:53:32 2010 UTC Time: 1286913212 I don't know what your TIME_FORMAT values are, but if similar events work fine, then that's probably not the issue. There are a few other possibly causes. Timestamps still have to pass the MAX checks, two of which could be relevant here, and default to: MAX_DAYS_HENCE=2 MAX_DIFF_SECS_AGO=3600 if the event in question was more than 2 days in the future (somewhat unlikely) or if it was more than an hour before the previous event (possible with syslog being out of order). If your timestamps are wildly out of order, consider increasing this MAX_DIFF_SECS_AGO. ... View more

Yes, if I understand properly. Join all events about a single node with a transaction, then each transaction will have all the values. ...| transaction some_node_id_field ... from there, there are many things you can do -- compare particular nodes like this: | diff pos1=1 pos2=2 enables get top combinations... | top audit, enables cluster nodes to similar nodes... | cluster ... View more

If you really just want to know when host!=os_hostname, just use ... | where host!=os_hostname ... View more

Here's one I came up with. The idea is to cluster events over the last N hours, and then see if there are any clusters that only consist of events in the last 5 minutes. Those are your new type of events -- they don't look like anything seen in the last N hours. Search back 10 hours; cluster results; for each cluster, keep the all _raw values, the oldest time, and the size; now, keep only those clusters that the oldest event in it was newer than 5 minutes; sort by size to get the smallest new clusters first. earliest=-10h | cluster t=0.7 labelonly=t showcount=t | stats values(_raw) as raw last(_time) as time last(cluster_count) as size by cluster_label | eval minute5=now()-5*60 | where time > minute5 | sort size | fields size, cluster_label, raw You can run this as an alert to run every 5 minutes. You can tweak the initial hours and the 5 minute range as needed, and the t=0.7 value as well. If there are too many new clusters, increase the 10 hours window to prevent false positives of events that occur, for example, every 15 hours. If there are still too many new clusters, decrease the value of t (e.g., 0.6), so that clustering is more loose, and only more radically different events will be noted. Hope that helps. ... View more

Short answer: this is a bug. The code to parse searches without running them notes that the subsearch (having not run) is not a valid eval expression. A bug has been filed (SPL-36704). Thank you. ... View more

Splunk does not parse json at index time, and at search-time any sort of regex would do a half-hearted job, especially on your example where a value is a list. There are two options: 1) The fastest option is to add a scripted input. For example, you can write a little python program to convert json to attr=val format and output the logs in a friendly format, before splunk is called: http://www.splunk.com/base/Documentation/latest/Admin/Setupcustom%28scripted%29inputs 2) Another option is to write a custom search command to do the conversion for you at search-time. It's slower, but allows you to tweak it as needed, and apply it only when you want -- http://www.splunk.com/base/Documentation/latest/SearchReference/Customsearchshape ... View more

In 4.2, there is a slide controller on the Fields Picker that turns off the expensive field discovery. ... View more

If you just want to change the sourcetype names, for search-time settings, you don't need to reindex any data! You can just use a sourcetype alias. http://answers.splunk.com/questions/4940/sourcetype-aliasing Only if you need different timestamps and linebreaking do you really need to reindex. ... View more

yes, but how do i fax it nicely? ... View more

Also see... http://answers.splunk.com/questions/4381/can-splunk-help-me-further-analyze-refine-the-durations-of-my-transactions ... View more

It's a good suggestion. Somewhat related -- in Splunk 4.2, the Saved Search dialog allows you to specify the permissions. You can specify either: Keep search private Share as read-only to all users of current app ... View more

In Splunk 4.2, the Saved Search dialog answers your wishes. You can specify either: Keep search private Share as read-only to all users of current app ... View more

If your custom search command is in an app, you should also put the searchbnf.conf in the app as well. ... View more

filed in bug system as SPL-36529. ... View more

Just send email to text message... * Sprint Nextel: 1234567890@messaging.sprintpcs.com * AT&T: 1234567890@txt.att.net * T-Mobile: 1234567890@tmomail.net * Verizon: 1234567890@vtext.com * Virgin Mobile USA: 1234567890@vmobl.com http://www.wikihow.com/Text-Message-Online ... View more

I think there's a configuration problem with how your data is being fed to Splunk. Your data's sourcetype is set to syslog, which is a single line sourcetype (meaning one event per line, in this case with a timestamp on each line). But if you look at your error message, you see 'text="I:..."', which means that the event's text is "I:", which is definitely not a syslog event with a timestamp! It's rightfully complaining. It seems that perhaps you have different streams of data, non-syslog data, coming in over udp:514. If you were to store a sample of your syslog events as a file, and have splunk index that, I believe it would process it rather uneventfully, so to speak. Hope that helps. ... View more