If most of your events are showing the correct host=MyHostName , then it sounds like you're already using transforms.conf to override a subset of the events. Splunk does this out-of-the-box for [syslog] and a few other sourcetypes, but you can disable it. Check the sourcetypes of the incorrect events - they're probably all showing up as syslog or similar. Try adding the following in props.conf: [source::/private/var/log/*] TRANSFORMS= TRANSFORMS-host= You may only need one of the two TRANSFORMS= lines above - most of the default host override use TRANSFORMS , but if you're running postfix, you'll also need to reset TRANSFORMS-host . Edit: There are two possible reasons why some events would show localhost and some MyHostName ... Your raw syslog data contains localhost for some events, and MyHostName for others. Splunk is extracting the value it sees. Transform-based host assignment uses a regular expression to pull out the new value of hostname. If the regex doesn't match, it will fall back to using the value you set in the .conf files. For more information on how overriding of the hostname works, take a look at:      http://www.splunk.com/base/Documentation/4.2/Data/overridedefaulthostassignments. To see the default transforms used for syslog events, look in the following two files:      $SPLUNK_HOME/etc/system/default/transforms.conf      $SPLUNK_HOME/etc/system/default/props.conf ... View more

You can extract it from the auth token. First, in the definition of your search command in commands.conf , set [yourcommand] filename = yourcommand.py passauth = true Your script will then receive a token that looks like: <auth> <userId>admin</userId> <username>admin</username> <authToken>cbd900f3b28014a1e233679d05dcd805</authToken> </auth> (Note: The auth token will actually be in a single line with no whitespace. The above formatting is only for readability.) Once you have that, it's just a matter of extracting the username from the string. For example, if you're using InterSplunk: import splunk.Intersplunk as si results, dummyresults, settings = si.getOrganizedResults() authString = settings.get("authString", None) if authString != None: start = authString.find('<userId>') + 8 stop = authString.find('</userId>') user = authString[start:stop] ... View more

Getting rid of the quotes makes it a little messy, at least if you want to allow for the possibility of spaces within the quoted string. Here's one way: #transforms.conf [snmp-fields] REGEX = \s(\S+)\s*=\s*\w+: (")?((?<=")[^"]+|(\S+)) FORMAT = $1::$3 #props.conf [snmp] KV_MODE = none REPORT-snmp = snmp-fields The trick is to consume the opening quotation mark first so that it isn't part of the capture group (i.e., the extracted field). Then, within the capture group, use negative lookbehind to determine whether you're matching inside a quoted section (match up to the end-quote), or just matching a block of non-whitespace. Another way would be to create two separate transforms -- one for quoted string values and one for integer and other non-string types. ... View more

There has definitely been some work done on this before, and I believe Splunk's SEs have used Amazon-based instances for demos from time to time. The following would be a good starting point: Splunk and EC2 Splunk Ninja - Cloud Power - Splunkin' With Amazon's EC2 Splunk Architecture for Multiple Hybrid Clouds ... View more

First, do your indexed events show up with the correct sourcetype of ossec ? What version of the app did you upgrade from? If you upgraded from 1.0, you many need to check ossec/local/transforms.conf and ossec/local/props.conf , and clear out any left-over entries that may affect those fields. In particular, the field extractions changed in 1.1, since most users wanted host mapped to the endpoint computer instead of the OSSEC server as in 1.0. The normal behavior in 1.1 is: host contains the name of the ossec agent/client machine, extracted dynamically at index time reporting_host is an alias of host ossec_server is extracted at search time If you want to preserve the old behavior, you'll need to copy in the settings from ossec/samples/props.conf . Depending on your setup, you may also need to set the following in props.conf: TRANSFORMS-host = syslog-host ... View more

You can use a single | symbol as an OR in regex, but you don't really need to in this case. Something like the following should work, where you simply tell it to consume any optional characters before the <login> tag's closing bracket. (?i)<login [^>]*>(?<PCustomerName>[^<]+)" If you really want an OR condition, you use a vertical bar (pipe) symbol, like: (<login>)|(<login xmlns="">)(?<PCustomerName>[^<]+)" For a good reference take a look at http://www.regular-expressions.info/ Also, check out Kodos or Regex Buddy if you need a good way to test. ... View more

While this doesn't answer your question, if you are a Splunk Enterprise customer, be sure to enter this as an Enhancement Request. See this previous answer: How can I Submit an Enhancement Request ... View more

Splunk by itself is only going to be able to mask based on regex replacement, but that doesn't necessarily mean any 16-digit string. http://www.splunk.com/wiki/Community:Credit_card_masking_regex http://www.regular-expressions.info/creditcard.html If you want to fully run the Luhn algorithm, you'd need to be using a scripted input to Splunk, or have some external form of pre-processing. ... View more

.bash_history may not capture everything if the user has multiple sessions or the session terminates abnormally. See http://mywiki.wooledge.org/BashFAQ/088 Depending on your setup, you might want to consider using a version of bash with native syslog support compiled in. To help get you started: http://blog.rootshell.be/2009/02/28/bash-history-to-syslog/ ... View more

Or, when you just need basic wildcard matches, you can skip the regex processing altogether and use "log*" instead of the regex "log.*" ... View more

If you can assume that you know all of the possible protocols, the simplest would be to just match on the known cases: | rex field=_raw "(?i)\b(?<proto>tcp|udp|icmp|igmp|ip|gre)\b" Or, pull them into two separate fields, and then use eval : | rex field =_raw "(?P<proto1>\w+) blah (?P<proto2>\w+)" | eval proto=coalesce(proto1, proto2) You can do something similar with transforms - you just may need multiple transforms depending on how you write it. This link may also help if you need more examples for ASA transforms beyond what's in the Splunkbase app. ... View more

Ah, good catch! I looked for the previous answer but missed it somehow. ... View more

Do you have any information about the underlying log format? Where is the GUI getting its data? ... View more

If you haven't already, can you give the latest build on SplunkBase a try and see if it's still an issue for you? ... View more

Looks like the fix didn't make into the SplunkBase upload. The fix is probably sitting in local -- once I get back to my dev box I'll re-upload and bump the version number. ... View more

The simplest thing would be to just get rid of the 'Total' column. Try piping your results through: | fields - Total before passing the search to your chart commands. ... View more

CIDR matching as dwaddle suggests is the simplest if you can get it down to CIDR blocks. Another option would be to break out your range definitions into eventtypes, or to build a lookup table and search on the output -- look here:      http://answers.splunk.com/questions/5916/using-cidr-in-a-lookup-table ... View more

This is a known bug in builds prior to 1.1.83. It's showing the top 10 but the results are being clustered/grouped -- e.g., you get the top 10 users, but counting the user only once for a given reporting_host/severity/user. When you drill down, it swaps out the search and you see the full result set. ... View more

Also take a look at the Search Reference and the included cheat sheet - http://www.splunk.com/base/Documentation/latest/SearchReference/SearchCheatsheet ... View more

Sorry, typo. There's no 't' in sysconfig. See edit and additional link above. ... View more