Why would delay_test ever be null? If it is being null because delaya, delayb, delayc, or delayd are null, then this issue is with the way you are doing concatenation/addition. If any of the fields in an "eval newField=field1+field2...filedX" are null, the newField will be null. If you are attempting to add all those fields (that is, mathematical add them), you'll want to use either the fillnull (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fillnull) or "eval ifnull()" function to make sure all the delayX fields have a value (even if it is "0"). Then you may need to use the "convert" function to make sure all the delayX values are treated as numbers. After that, you will be able to add them up to a get a "Delay_test" value for every event. ... View more

Alternatively, use an eval "case", eval "coalesce", replace function, or fillnull function to set the value of the field to a literal "null". Then use the transaction command along with the "startswith" and "endswith" parameters to merge the series of events that start with a "null" value and end with a non-"null" value into transaction events. The transaction command will output a "duration" field for each transaction. You can then do a conditional alert only when the events have a duration > X. If you can give some example data, I can write the query described above. ... View more

I'm assuming you are trying to find IPs attempting to bruteforce their way into your system. If so, you might want to use "... | stats dc(login_name) by IP | where dc(login_name)>5". This will give you a table of all the IPs that have tried more than 5 login names. ... View more

You can either use the first method and then filter out events where "your_new_field" is null (because the regex didn't match anything). Or you could run the second command given to filter out the relevant events, and then pipe that to the first command to actually do the extraction. ... View more

I was able to get the output I was looking for with a VBScript. My main concern however is why the bat script (and specifically the "net localgroup") command worked in some instances and not others. The error I was getting was what I would expect when run under the SYSTEM context, but I don't know why it DID work on 10 hosts. This concerns me because it makes me think Splunk is no runnign under SYSTEM as it should be. ... View more

Subsearchs always run after the main search, as subsearchs use the results of the main search as an input. sourcetype="foo" | [search blah | fields bar] does work as the main search returns everyhting in the "foo" sourcetype, and the subsearch then takes those results and looks through them for "blah". Of course this is a waste of resorces and you would be better off doing sourcetype="foo" blah | fields bar Can you explain what it is you are trying to accomplish in the end, and perhaps I can come up with a better way to get to that end goal. ... View more

I'm not sure what you are trying to do, but you may be able to do a "join" with a field or values that will never match (so that no results of the subsearch will actually get joined to the primary search). I haven’t tested this but... index=main keywords to search for | eval joinOn=1 | join type=outer joinOn [search subsearch keywords | outputcsv paper.csv | eval joinOn=2] | ... The thing to remember is that the subsearch will run after the main search, so the outputcsv command won't happen until the main search has already completed. What is it you are trying to accomplish this way? There may be a better way to get to the same end results. ... View more

Possibly, but only if the data to index is located on the Splunk search head (or is reachable via a script on the search head). See http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Runshellscript . This will run a script on the search head. ... View more

Also, see routing and filtering data, specifically to a null queue: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad ... View more

Scripted inputs run under the context of the Splunk user. If that doesn't work for your specific needs, you could create a script that is run via Windows task scheduler (which will let you select the user to run the script as). The script just needs to do what ever parsing of the original log file you want, and then output it to a new file that you can have Splunk monitor/index. ... View more

Yes, you can use scripted input (http://docs.splunk.com/Documentation/Splunk/5.0.1/AdvancedDev/ScriptSetup). ... View more

Glad that worked. I have edited the answer to include the required explicit "search" command. On a side note, if the relationship between ModuleNo and ModuleType doesn't change, you might want to put this in data in a lookup table instead of indexing it as events. If you need help with this, check the documentation on lookup tables or post another question. ... View more

What exactly doesn't work; does it not return any results, does it only return results from one sourcetype... ... View more

What you'll want to do is run this search every 30 minutes: | inputlookup job1results.csv | append [ search ...] | search _time>(now()-2592000) outputlookup job1results.csv This will keep "job1results.csv" updated with all the results that were within the last 30 days. Then on the dashbaord, use a search like this: | inputlookup job1results.csv | ... View more

There are quite a few different ways to accomplish this; martin_mueller suggestion is a good one. However, speaking from experience, this is a very difficult thing to monitor without getting a ton of false positives. It all depends on the data you are watching. If for example you were to setup such an alert for Windows Event Log events, you would find that it probably trips every Monday morning when you have a bunch of users accessing the network at 8:00AM. If you adjust the thresholds to ignore this, you risk missing a similar (unexpected spike) at 11:00PM on a Sunday. I setup some similar alerts, and spent a good week writing horrendous search queries that were many liens long. I ended up comparing the data coming in over the last hour, to the average data coming in during the same day/hour for the last 4 weeks. After fiddling with this for two months, and still not getting what I wanted, I gave up, just graphed the data on a chart, and got an intern to sit and watch it for anomalies. ... View more

As previously mentioend you can use "append" or "appendcols", or you can use "join". If you use "join", you will need a common field to join on, but this can easily be accomplished by adding ... | eval joinOn="blahblahblah" to both searches, then use the new field "joinOn" (which has the same value in both searchs) as the field to join on. I imagine you probably want to use append or appendcols though... ... View more

No, the "outputlookup" command creats the csv file in the lookup directory automatically. "inputlookup" will then find the same csv file in the lookup directory. Like I said, this will cause an error on the first run (as the "inputlookup" comes first, and is trying to load a csv that "outputlookup" hasn't created yet) but after that will work fine. ... View more

Should also add, there are other ways to get output lookup to append results, instead of using inputlookup at the start. However, doing this way give you the ability to insert a "dedup" command (if appropriate) before the "outputlookup" command. ... View more

This sounds like a good use of a lookup table. Put whatever search terms you currently have in "job1" in the "..." of the following code | inputlookup job1results.csv | append [ search ...] | outputlookup job1results.csv The first time the job runs it will generate an error as the csv file doesn't exist until after the job runs once. After that however, it will just continue to append the results of each successive run to the csv file. At some point, you probably want to either do a "dedup" or completely overwrite the csv so it doesn't get out of hand. You could for example create a second scheduled search that is simply ... | outputlookup job1results.csv run first thing in the morning, so that job1results.csv only includes results from the searches run that day. ... View more