I can't find any of those options ("using transform", or where it's allowed to be multivariate) - where do I find these? ... View more

Thank you for your response. Does not make a difference. I still get the same result for both commands below. | stats dc(cs_username) | transaction cs_Cookie | stats dc(cs_username) As I mentioned before that there is a likelihood of same cs_username may be used from multiple workstations. How do I catch that? ... View more

I see from your new question that you've done some research. The answer is yes. You place the configured TA_unix app on the deployment server in the deployment apps folder. Then you set up the serverclass.conf file on the deployment server. Then you restart the deployment server with the following command: splunk reload deploy-server All of the forwarders defined in the serverclass.conf file will check with the deployment server for apps specified in the serverclass.conf file. The forwarders should already have a deploymentclient.conf file in splunk\etc\system\local . ... View more

You already did the sort -Count, so just complete your search with a | head 10 ... View more

Not a problem. Happy to help. Very nice use case 🙂 ... View more

No problem. Please check the checkmark next to this post to accept the answer. Thanks! ... View more

Hi, thanks! I have RESOURCENODE in caps now. I'm not getting the expected output yet. ... View more

Let me sum up a second; I thank dmaislin_splunk for his answers, now I know "where Splunk for Fortigate gets his data". My problem now is that I don't know how to both get my data in the index I want AND force their type to fortigate (with those conditions: all my sources come from the same host, on the same port, I separate them with the device_id). My configuration of transforms.conf seems bad, and I can't get it right, even after tons of tests. I need something that would be like [force_fortigate_sourcetype] DEST_KEY = MetaData:Sourcetype, _MetaData:Index REGEX = [device_ID]|[TheOtherDevice_ID] FORMAT = Sourcetype::fortigate, Index::index3 ... View more

@dmaislin is this not the correct app for as400 - https://splunkbase.splunk.com/app/633/#/overview? Thanks in advance ... View more

yep transaction is what I needed, thank you! ... View more

You'll need a setting in transforms.conf as well. This is a good reference in addition to the example in the docs. http://splunk-base.splunk.com/answers/49366/how-to-ignore-first-three-line-of-my-log. ... View more

Does this answer your question? If so, please accept. ... View more

| top limit=3 Class_Frequency by Employee_ID showcount=f showperc=f ... View more

Awesomeness! ... View more

I downvoted this post because op stated the exception, and the comment does nothing to answer the question. ... View more

Yes. This is the default behavior. http://docs.splunk.com/Documentation/Splunk/4.3.2/Admin/Inputsconf http://docs.splunk.com/Documentation/Splunk/4.3.2/Admin/Howindexingworks ... View more

... | transaction mvlist=t TransActionField | ... That will keep in natural order instead of ordering lexigraphically 🙂 ... View more

Why don't you post something useful and constructive. Make the thread useful for others... I now just run searches on indexies being indexed to. Normally a count of all requests per day and just hope splunk has indexed all the events properly (or as I expect). ... View more

If you don't mind, please open a new Question asking this, and tag it with the CEE TA app tag by clicking this link: http://answers.splunk.com/ask/?appid=1742. I'll try to watch for it and answer there. ... View more

* | table _raw | outputcsv mysearch This will output the results to $SPLUNK_HOME/var/run/splunk/mysearch.csv with just pure raw data in it. ... View more

Neverminf, I misunderstood your question. ... View more

As another example, some of the more advanced charting keys and custom charting configurations are only supported by FlashChart, not JSChart.... ... View more

Paste some sample logs with that sample of data including he CustumReport.aspx entry. ... View more