Sounds like you need the transaction command. Here are several links from the docs to get you started:      http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Searchfortransactions      http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Abouttransactions      http://www.splunk.com/base/Documentation/4.1.6/AppManagement/Buildatransaction      http://www.splunk.com/base/Documentation/4.1.6/SearchReference/Transaction      For example, for your first example, one approach might be: Login | transaction startswith=("Failure") maxspan=10m host,user | search Success Failure ... View more

The simplest approach is to pipe through the multikv command at search time:      http://www.splunk.com/base/Documentation/latest/SearchReference/Multikv ... View more

Assuming you are working with monitor inputs, the files would should not be reindexed. Splunk's detection of duplicate files is based on CRC checksums. The exception would be if you have configured a crcSalt , which will let you include a fixed string or the value of source as part of the comparison. Other metadata, including sourcetype, would not be a factor in detecting duplicates. More information on the CRC calculation:      http://www.splunk.com/base/Documentation/latest/Admin/Howlogfilerotationishandled ... View more

Several possible approaches. Just be sure to test and proceed with caution, especially if choosing option I or III. Option I: Create a separate index for each site. For each site, create a new index with a name matching the site. Then just set the list of which ones should be searched by default, either by setting srchIndexesDefault in authorize.conf or through the Manager's Role settings. See How do I Set the Default Index? and authorize.conf Now, you can search on index=NY , etc. For existing data, you can re-index, but you probably don't need to. Take a look at this thread for some hints on moving data into a new index. Or, you can just live with the existing data in the default main index until it ages out. See here for more information:       http://answers.splunk.com/questions/5479/how-to-rename-an-index Note that the link is for version 4.1.4 and earlier. I suspect that it will still work, but have not verified -- there may be other implications depending on version. Since this can impact your existing data, you'll definitely want to test ahead of time and verify that your procedure works as you expect. It would also be a good idea to contact Splunk support and ask them to review your plan. Option II: Create an eventtype for each site. You still need to know the hostnames initially, but once it's configured you will only need to update the eventtype definition when things change. Technically, this still requires identifying a list of hosts or other criteria per-site, but now you only have to manage it at the eventtype level, not per-search or per-view. Option III: Create an indexed field Usually not recommended, but may work well in your situation. It will increase the size of the index somewhat and could have implications for search performance. And, of course, it's a mostly permanent choice. Option IV: Use a lookup table to map between host and site Listed only for completeness. This option sounds good in theory, but is likely to kill performance, since trying to search by site will likely scan across all events before triggering the lookup. It technically accomplishes what you want, but will utterly destroy perfomance. Option V: Adopt a naming convention for hosts that includes site, or use IP addresses for host Probably not realistic, but worth mentioning. If, e.g., all of your LA machines are named 'LA-XXXXX' or have an ip address in 10.1.2.XXX, then it's easy to do a search on host="LA-*" or similar. If you decide to go this route, you can use a lookup (scripted or static) to resolve the hostname for display purposes. It does create significant performance issues if you want to regularly search based on hostname. ... View more

In places where Win2008 event codes are different from Win2003, it's usually just by an offset of 4096. You just need to create a new field that has the equivalent codes for comparison. Also, try to filter out as much as possible in your initial search string instead of using where . Doing so is almost always a good idea, but can make a particularly big difference when using transaction . Something like: index="testindex" sourcetype"WinEventLog:Security" CategoryString="Object Access" OR TaskCategory="File System" "*WriteData*" NOT User="System" NOT "Account Name: SYSTEM" | eval ComparisonCode=if(EventCode<4096, EventCode+4096, EventCode) | transaction maxspan=1m maxpause=30 ComparisonCode ... View more

The most common approach is to use the transaction command. Something like: orcserver ("user connected" OR "connect") | transaction host, pid maxspan=1s maxevents=2 startswith=("user connected") | stats count as "ConnectionCount" by user, src_ip | table user, src_ip, ConnectionCount (The example transaction assumes that "26462" in your sample log is being extracted into a field called pid.) ... View more

You'd need two transforms, but it's definitely doable. In transforms.conf: [cmdbent1] SOURCE_KEY = host REGEX = ^(\d+\.\d+\.\d+\.\d+)$ FORMAT = cmdbent::"ip_address" [cmdbent2] SOURCE_KEY = host REGEX = (.) FORMAT = cmdbent::"name" In props.conf: [yoursourcetype] REPORT-cmdbent = cmdbent1, cmdbent2 By default, Splunk will not extract a value unless the destination field is empty -- since cmdbent1 is executed first, cmdbent2 acts as a fallback/default value. If you want the transform to always apply, then leave out the sourcetype stanza header and place it at the top of props.conf. If it's not listed beneath a stanza header, it will be treated as a global setting. ... View more

LINEMERGE and related settings by nature operate on single lines and try to reassemble them into multi-line events. When all your data is on one line, the assumption is that it's all part of the same event. Instead, take a look at LINE_BREAKER , which will allow you to break events up before line merging takes place. As a bonus, it's generally faster since you can turn merging off. Fair warning -- I haven't tested this regex -- but it should give you the general idea: [metaviewer_audit_xml] LINE_BREAKER = [\>\s]((?=\<Event\>)) SHOULD_LINEMERGE = False TIME_PREFIX = <Date> MAX_TIMESTAMP_LOOKAHEAD = 350 You can find a little more information here:      http://www.splunk.com/base/Documentation/4.1.6/Admin/Indexmulti-lineevents ... View more

It depends on what you're actually searching. Usually the best approach is to use Advanced XML and the HiddenPostProcess module. This lets you create one master search with HiddenSearch , then below that define HiddenPostProcess searches which narrow the results down. This should help get you started:      http://www.splunk.com/base/Documentation/4.1.6/Developer/PostProcess If you need more examples, there's at least one in the UI Examples app on SplunkBase. It's also used in the OSSEC app, among others. ... View more