I have a question about constants and timechart/chart/stats I have a search like this sourcetype="syslog" | ... | eval target = 100 | eval range=case( (date_hour>=3 AND date_hour<=4), "in", (date_hour<3 OR date_hour>4), "out" ) | stats count by range I need to be able to add a | append such that i can print the difference. Difference = 100 - "in" - "out" Any ideas on how stats works in the context of deducting two values gathered over time from a constant and displaying it on the exact same time chart ? ... View more

I have a search like this sourcetype="syslog" | ... | stats c(eval(range="alpha")) AS ALPHA_COUNT c(eval(range="beta")) AS BETA_COUNT This displays the count of alpha and beta in the form of a timechart just fine. I need to lookup a field from a lookup table like this | lookup gamma_count This field is a constant Then I need to display the three stacked in the form of a bar chart, so it looks like this [alpha_ count] | [beta_ count] | [gamma_count] Any ideas ? Any help would be appreciated ... View more

I have a search which gives me a whole range of timestamps (the usual date _ hour, date _ minute and date_second) I want to populate a stacked bar chart with the those time stamps by re-arranging them in the following * bins * i) 12-2 PM ii) outside 12-2PM iii) no timestamp found The search I devised which is not working looks like this sourcetype="syslog" | eval timestamp=strftime(_time,"%H:%M:%S") | eval range=case(date_hour>=23 AND date_hour<=24, "in", date_hour<23 OR date_hour<=24, "out", timestamp==null, "rest") | timechart count(timestamp) by range Any idea so as to why this is not working ? Any help is appreciated ! ... View more

I have two sourcetypes that have a field that does not have the same name in both places (but has the same values) i) sourcetype="alphalog" ModuleNum=* | dedup ModuleNum ii) sourcetype="betalog" MNumber=* | table MNumber Please note that sourcetype="betalog" has another field called MName. I need to write a Splunk query that basically does this -> Select betalog.MName from both sourcetypes where alphalog.ModuleNum = betalog.MNumber Is there a query that does a join like this in Splunk ? Any help would be appreciated ... View more

I have a somewhat complicated question about how the now() method applies in the context of stats. I have a splunk search to weed out accounts with no transactions in the last 24 hours I am using now() to determine a cutoff date for weeding out those accounts. lastTransactionProcessed is provided as a field by sourcetype="banklog" and is always populated sourcetype="banklog" | eval cutOffTime=relative_time(now(),"-48h") | where lastTransactionProcessed>cutOffTime | dedup accountNum | table accountNum The above query works as expected which is great. The problem is that I am expected to create a trend (using stats) for the last 4 days for this search and when I get now() involved with stats (see below), things dont work out as I hoped. sourcetype="banklog" | eval cutOffTime=relative_time(now(),"-48h") | where lastTransactionProcessed>cutOffTime | bucket span=1d _time | dedup accountNum _time | eval target=15 | eventstats dc(accountNum) as "successCount" | eval failures=target-successCount | stats first(target) as Target, c(successCount) as Success by _time | eval failures=15-Success I am interested in simply plotting success versus failure here and I schedule the time interval for this search for -4d@d to now. I only get results for one day (which is the last 24 hours). Any clues so as to what I might be doing wrong here ? ... View more

I cant seem to get my inputlookup setup correctly when I try to do a join on a field called module from syslog and a field called serialno from a correctly configured lookup called syslookup sourcetype="syslog" module=* | eval serialno=module | lookup syslookup serialno | search serialno=* | table module There are 20 serial nos There are 10000 modules Right now the search above is giving me 10000 modules (instead of 20). Any idea what I could be wrong here. ... View more

I have a log by the name of auditlog, which logs accountNumber AND accountCreateDt accountCreateDt = %Y-%m-%d format. I am trying to identify Accounts that were created less than 24 hours ago by executing this search. sourcetype="auditlog" | convert timeformat="%Y-%m-%d" mktime(accountCreateDt) as lastTime | convert mktime(_time) as c_time | eval Diff=c_time - lastTime | where Diff < 86400 | table accountNumber For some reason, this query is not working. IF i replace the last query with | table Diff it works like a charm (it gives me all time difference as long as account was created less than 24 hours ago). Am i not using eval and table correctly ? ... View more

I have a universal forwarder pushing a log file from a window server into a splunk indexer in this manner. Configuration from -> C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf [monitor://C:\temp\somelogfile.txt] disabled=0 followtail=0 index=logger sourcetype=txt This pushes data from that txt file (which gets updated ONCE a day NOT rolled over) -- ONCE a day. Everything gets pushed out to the indexer correctly and all is fine and dandy EXCEPT In the Splunk search bar -> The search works when I enter : index="logger" - I can drilldown to the sourcetype and then show events -> The search ALSO works when I enter : index="logger" sourcetype="txt" . This shows events. -> The search does NOT work when I ONLY enter sourcetype="txt" into the splunk search bar. No results show up Anybody have an idea so as to why Splunk would simply not recognize and filter by sourcetype ALONE when pushing data from universal forwarder ? I dont see any errors under /var/log/audit.log or any other log files just FYI. For most other sourcetype/index combinations that I am familiar with, you can search by either SOURCETYPE OR INDEX -- and then drill down by the OTHER once the events start to appear. Is it possible that I am not setting something in inputs.conf that I am supposed to when the resource being indexed does not live on the indexer itself ? Any input would be appreciated. ... View more

I am trying to set up an Alert for syslog (udp:514) - and this is the search condition I use: sourcetype="syslog" TCP_DST_PORT="31621" | eval timeStamp=date_year."-".date_month."-".date_mday.":".date_hour.":".date_minute.":".date_second | table timeStamp, count(eval(TCP_TYPE="TCP_Client_Accepted")) as F5_ACCEPT, count(eval(TCP_TYPE="TCP_Node_Connected")) as F5_CONNECT | eval F5_MISSED=F5_ACCEPT-F5_CONNECT | WHERE F5_MISSED>2 Note that syslog is the log in Splunk that captures transmitted messages on udp:514 Note also that date _ year, date _ month, date _ mday, date _ hour, date _ minute, date _ second are all populated This is what I expect in the CSV alert that in the email. || YYYY-MM-DD:HH:MM:SS || F5_ ACCEPT || F5_CONNECT || F5_ MISSED || But that search does not currently work. Any suggestions ? ... View more