Is it possible to write savedSearches (saved in the "Search App") into the configuration of the "GoogleMaps" module for a view (written in advanced xml) ? For instance, the following search executes this DYNAMICSEARCH every time this view is loaded. GoogleMaps will attempt to run the search dynamically and plot its results on a google map : <module name="HiddenSearch> <param name="search">DYNAMICSEARCH</param> <module name="GoogleMaps"> ... </module> </module> I want to save DYNAMICSEARCH as a saved search and use that as the search parameter instead Any ideas on how to go about this ? ... View more

Hi guys: In our current PROD architecture we have various OS flavors of the 4.3.2 Universal forwarders pushing data to ONE 4.3.2 Splunk Indexer We are anticipating an upgrade to 4.3.3 and I am doing a analysis on pros/cons of the actual upgrade. There are 3 questions to which I am seeking answers to. This is not about the "right" way to do this - but rather evaluating the overall benefit of an update and then implementing that change in line with known best practices : i) There are several combination of upgrade protocols that can be used. First of which is to upgrade BOTH the indexer and the forwarders to 4.3.3 ** An alternative** is to upgrade just the indexer to 4.3.3 and keep forwarders at 4.3.2 Would you favor one over the other ? ii) Considering the second approach described earlier, what problems could one face with having Splunk components that talk to each other every second in a system architecture with different versions (some are 4.3.3 others are 4.3.2 in this case). I have done some research and my findings there should really NOT be any major issues with this approach. Anybody strongly agree/disagree with that ? The indexer is backward compatible with the forwarers and this should not be a big deal. Note that folks who have done something similar for 4.2.X to 4.3.X have not seen any major issues - the findings in this post here more than likely also apply to an upgrade between two versions of 4.3.X http://splunk-base.splunk.com/answers/38117/updating-to-splunk-43-with-existing-42-universal-forwarders ii) Advantages of upgrading to 4.3.3 What advantages do heavy users of Splunk get in terms of functionality/efficiency for an upgrade from 4.3.2 to 4.3.3 ? There is very little material out there and I was wondering if there was any empirical evidence/known pros to performing this upgrade. Thanks ... View more

All: I am trying to chart browsers used by my app based on the "useragent" field from access_combined (apache logs) in this manner. sourcetype="access_combined" useragent!="-" AND useragent!="Apache" AND useragent!="Load-weight" AND useragent!="Java" AND useragent!="Jakarta Commons-HttpClient" | stats count(eval(match(useragent, "Firefox"))) as "Firefox", count(eval(match(useragent, "Chrome"))) as "Chrome", count(eval(match(useragent, "Safari"))) as "Safari", count(eval(match(useragent, "MSIE"))) as "IE", count(eval(NOT match(useragent, "Chrome|Firefox|Safari|MSIE"))) as "Other" The problem is that the actual log entry looks like this: For firefox: 97.76.108.114 - - [11/Jul/2012:08:36:37 -0700] "POST /forgotPassword HTTP/1.1" 200 3799 "https://www.easycareonline.com/forgotPassword" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1" For IE: 97.76.108.114 - - [11/Jul/2012:08:36:37 -0700] "POST /forgotPassword HTTP/1.1" 200 3799 "https://www.easycareonline.com/forgotPassword" "MSIE 8.0; Windows NT 5.2; Trident/4.0" The useragent entry files these two under OTHER because the ACTUAL VALUE for useragent is : "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1" AND "MSIE 8.0; Windows NT 5.2; Trident/4.0" Any ideas on how to go about this ? Maybe regexes ? The problem with using field extractions is that there is no set standard for what a UA (User Agent) string should look like, at all. I wonder what the chrome entry looks like (obviously we have none yet) ... View more

We are in a bit of pickle currently trying to disassociate indexed data from a sourcetype that is currently tied to a certain index - both of which we wish to discard. The data was pushed out from the universal forwarder which was setup in this manner in the inputs.conf: [monitor://c:\accesslog\access*.log] disabled=false followTail=0 index=os sourcetype=accesslog I want to change configuration on the indexer (or the forwarder) such that it goes to sourcetype="access_combined" which is associated with index="default" WITHOUT having to edit the aforementioned segment in the inputs.conf on the forwarder. How do I do this without having to setup a brand new configuration set (like the one above) and re-indexing EVERYTHING again. Bear in mind, this is a tonne of data and we are attempting to avoid an overage. ... View more