Hello Gurus! Here is what I am trying to do. I am trying using Simplified XML, Form to select a certain host and time, that will only analyze selected day's 8:00 - 16:00 time frame data only. I know you can do this, where I can define into search date_hour>8 date_hour<18 But when I added this into my form search xml view, the app wouldnt take it. to summarize How can I make it so that when the user select a date then it analyze for only that day's 8:00 ~ 16:00 ? what would be the syntax for defining "every day, 8:00 ~ 16:00" in splunk? Thanks~! ... View more

Anybody in Splunk answers tried to register process to monitor for Unix systems? I am trying to set-up Splunk to monitor running status of a process. When a process dies, meaning no longer exists, then I want splunk to generate an event that the process no longer is running in a system. It sounds pretty simple, but my delima is that when I search for a process, for example httpd. When the httpd is running then, it would give me a result to verify that the process is there, but when the process no longer exists, splunk will fail searching for that process event. Based on the result that failed to search a process event, how can I make that situation into an event? I would appreciate it if anyone has simular monitoring template that mointors certain proceses' status. ... View more

How can I define manually force define the date and time. Splunk didn't properly processes the correct time in the event vs time it indexed. processingFailureEvent - HADAP_CPU_ALM - M-DAP5_B, Cab 1, Cage 1, Slot 1, HADAP_CPU_ALM 1 - Jan 12, 2011 10:33:30. I have tried to give it a shot like below, but didn't work. TIME_FORMAT="%b %d, %Y %H:%M:%S." I appreciate guru's suggestions! Thanks. ... View more

Any gurus know why there are files created in /var/tmp/ folder by Splunk? splunk@splunk:/var/tmp> more ddtb5535964469493924781.tmp ??USTOMER-VXTBTO?0-0A-E6-B0-F9-4F?USTOMER-VXTBTO?L10.35.10.133窒?ILE?rojan.Downloader.1938.A質2005-06-29 18:03:03. 0?005-06-29 18:03:03.0?005-06-28.01 (185480)?6842754?:\WINDOWS\system32\meminf.exe????? ? ??????窒窒窒窒窒 窒1窒???????0-0A-E6-A6-CD-C3????L10.35.10.126窒?ILE?ackdoor.BotGet.FtpB.Gen質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?:\WINDOWS\system32\2pac.txt?? ?? ??????窒窒窒窒窒窒1窒??????? Connectswitch質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?HKCU\Software\Netscape\Netscape N avigator\User Trusted External Applications ""=""?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3 Connectswitch?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3????L10.35.10.126窒?PY?dwa re.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?HKLM\SOFTWARE\Microsoft\Windows\ CurrentVersion\Uninstall\WildTangent CDA?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3????L 10.35.10.126窒?PY?dware.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?KCR\W TVis.WTVisSender.1?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3????L10.35.10.126窒?PY ?dware.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?KCR\WTVis.WTVisSender?? ? ? ???L???? ???? ??窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3????L10.35.10.126窒?PY?dware.WildTangent質 2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?KCR\WTVis.WTVisReceiver.1?? ?? ???L???? ???? ?? 窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3????L10.35.10.126窒?PY?dware.WildTangent質2005-06-29 18:06:39. 0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?KCR\WTVis.WTVisReceiver?? ?? ???L???? ???? ??窒窒窒窒窒? ?窒?0??????0-0A-E6-A6-CD-C3????L10.35.10.126窒?PY?dware.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:3 9.0?005-06-28.01 (185480)?6842754?KCR\WT3D.WT.1?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒?1??????0-0A-E6-A6 -CD-C3????L10.35.10.126窒?PY?dware.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)窒 16842754?LHKCR\WT3D.WT?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒?2??????0-0A-E6-A6-CD-C3????L10.35.10.126? 窒SPY?dware.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?KCR\WT.WTMultiplaye the file looks like above. Which looks like the files we are indexing. What could this file be? How can we avoid the files to pile up in /var/tmp dir again? Thanks for your help ... View more

Does anyone know how to set-up saved serarch to generate RSS feed that includes the actual event contents or specific fields? Current RSS feed just provides number of event counts instead of actuall contents or specific fields of the event. ... View more

Is there a way to re-intialize the current indexes? instead of recreating one? We are in the process of depoying Splunk. Once the spunk install is all complete, we would like to reset, flush all the indexed data. Is it there a way to do this? or can I just empty out the /opt/splunk/var/lib/splunk/INDEX_NAME/db/ folder? I just want to reset all the indexed data with out touching the current configuration. Appreciate your help, in advance~. ... View more

Hey Gurus! I am processing F/W log such as below which I recieve through syslog server. 2010-06-29T20:48:26.742950+10:00 10.91.30.1 1 0 1 1 0decf4 20100629 20: 49:10 Deny 17 090223182612 192.168.100.1 1024 10.91.50.43 514 eth0 eth5````197 1``` I am using rsyslogd daemon to process syslog packets, and somehow in the date field it looks like this, 2010-06-29T20:48:26 You realize that there is "T" in between the date and time. I don;t know if this is the cause but Splunk seems to process the date as 1 hour behind. 2010-06-29 07:48:26 PM in splunk. Instead of 2010-06-29 08:48:26 PM Have anybody seen similar problem? How can I fix it? YhC. ... View more

I have changed input.conf and restarted Spulnk, but I can't see any event generated for changing /etc/hosts file. The the procedure was Added inputs.conf for fschange conf. Restarted Splunk. Changed /etc/hosts file to see splunk generated event logined to Splunk for fschange log. And the I coould find the fs change log. Am I missing any procedure? ===================================== [root@splunk local]# pwd /opt/splunk/etc/system/local [root@splunk local]# cat inputs.conf [default] host = splunk [fschange:/etc] index=os recurse=true followLinks=true pollPeriod=60 fullEvent=true =====================Splunk Restarted ... View more

Let's say we want to process the typical data input like below : 12|Jones Indiana|76|223-33-3323|US|CALIFORNIA|MARRIED In splunk, I have to use "rex" and do a whole bunch of regex to parse out the fields. Is there a way in Splunk to process these kind of structured log like in awk manner? awk manner, meaning awk -F"|" '{print $1" "$2" "$3}' and so on... In another words define pattern for delimiter which is "|" and just assign values with field number like $1, $2 I thought powerful engine like splunk would have a similar way to process. Field parsing without doing while bunch of regex. YhC. ... View more

Does Splunk have problem showing Language data from Windows server? It's Korean data that we are indexing, but after the data got indexed the data got changed to Hex code like string. Any idea How I can prevent Splunk to change the data? BELOW is actual LOG: Information 2010-05-07 인터넷접속 12:59:44 DB Pool BELOW is after Splunk absorved the data: Information 2010-05-07 \xBF\xC0\xC0\xFC 12:59:44 DB Pool ... View more

For the AMMAP application for the map, I followed the instruction and installed MAXMIND and the AMMAP app, but I can't make the splunk to plot the points on the map. When I enter the search command like below, | rex "(?\d+.\d+.\d+.\d+)"| stats count by ip | head 100 | eval count_label="Event" | eval iterator="ip" | eval iterator_label="IP" | eval movie_color="#FF0000" | eval output_file="home_threat_data.xml" | eval app="amMap" | lookup geoip clientip as ip | mapit I get the below error message and a chart like view instead of map plots. Here is the error. /opt/splunk/etc/apps/amMap/bin/map_results.py:76: SyntaxWarning: name 'app' is assigned to before global declaration /opt/splunk/etc/apps/amMap/bin/map_results.py:77: SyntaxWarning: name 'outputFile' is assigned to before global declaration ANybody any tip on how to get this problem resolved? ... View more

It it possible to get the result of current splunk index to a new index files as a new source type? [ Already indexed Data ] -----Use Splunk Search to move the result----> [ New "Index_file" as new index "source type" ] ... View more

Anyone have a good working python DB table dump scripts that keeps track of last row marker? I guess it would be in-efficient for every Splunk users to come up with their own scripts. Which I already have spent quete some to the get it to work since I am not a hardcore develper, but I am not quote 100% satisfied with the result. ... View more

Would I be able to rename a "Source Type" after the data got already indexed into Splunk? Can I rename a type of pattern data into another "Souce Type" or I have to delete the type of source and reindex? ... View more

A simple licensing question. let's assume the environment is like this: There are 2 different indexers installed [ Indexer 1 ]------Distributed Search Link---------[ Indexer 2 ] Q. In this case above, do I need 2 different indexer license / or can I have 1 large indexer license seeded into both indexers? [ Search Head ]----Distributed Search Link----[ Indexer ] Q. In the case above, Does the search head need a license too? Is there such thing as search head license? Thanks for your help in advance~! ... View more

I want to chop multiline events like below. I had splunk to automatically process the data, but it didn't quite work where the event started with "Begin_Event". How can I define custom event separation rule so that the each evens starts after "Begin_Event" tag? (Begin_Event) environmentFailureEvent - EAS - KG-079, Cab 1, Pos 1, active ACG, EAS 0 - May 3, 2010 00:02:55. [247] Rectifier Module Fail - Clear (EndEvent) (BeginEvent) processingFailureEvent - IHLR_ALARM_APP - KTIHLR1_B, IHLR_ALARM_APP 1 - May 3, 2010 00:02:49. [17260] Subscriber Not In iDEN HLR - Minor. RC:77 imsi=450079680700513 (EndEvent) ... View more

How can I process tables like below where Data is spread across multiple lines. and Top start set defines Field name and a data set starts with "0 CP1_LS" and the next set beibg "1 CP1_LS" and so on. This by the way is a data-set that gets produced every 30 min. TABLE LABEL : KEY (C7_LINKSET_NUMBER) INFO (C7LINK_OMINFO) C7MSUTX C7MSUTX2 C7MSURX C7MSURX2 C7BYTTX C7BYTTX2 C7BYTRX C7BYTRX2 C7BYTRT C7BYTRT2 C7MSUDSC C7ONSET1 C7ONSET2 C7ONSET3 C7ONSETV C7ABATE1 C7ABATE2 C7ABATE3 C7ABATEV C7MSUDC1 C7MSUDC2 C7MSUDC3 C7STRET C7MSBRET C7MSGLOS C7MSGMSQ C7MSUOR C7MSUOR2 C7MSUTE C7MSUTE2 C7MSUTS C7MSUTS2 0 CP1_LS 0 4582 0 3493 0 1783 1 16130 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 4583 0 3492 0 0 0 1 CP1_LS 1 4800 0 3525 0 7121 1 17754 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 4800 0 3524 0 0 0 2 CP6_LS 0 5760 0 4890 0 1088 2 15420 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 5762 0 4889 0 0 0 3 CP2_LS 0 7367 0 5320 0 31485 2 58433 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 7366 0 5324 0 0 0 So from the above data set, I want to be able to timechart "C7BYTTX" by "CP6_LS" element. ... View more

Let assume the following, the data source for analysis is Firewall traffic log. I guess It could be applied to any firewall since they all have smilar info in the logs. From the above firewall log, I need to investigate the following : Get a list of hosts that are sending packets to exccesive amount of hosts (in number of sessions) Basically I need to create a dashboard that sums up hosts that are making excessive number of sessions. In order for me to do this, I guess I need to count the number of Destination IP based on Source IPs. I want to create splunk search critiria to accomplish this. I guess process pattern blow : IP SRC=10.1.1.7, DEST=211.123.23.4, IP SRC=10.1.1.7, DEST=121.33.13.7, IP SRC=10.1.1.7, DEST=21.13.32.3, IP SRC=10.1.1.7, DEST=172.23.185.5, IP SRC=10.1.1.7, DEST=231.53.2.82, IP SRC=10.1.1.7, DEST=23.35.78.2, IP SRC=10.1.1.7, DEST=221.73.5.123, IP SRC=10.1.1.7, DEST=81.33.98.44, IP SRC=10.1.1.7, DEST=78.19.21.25, IP SRC=10.1.1.7, DEST=62.53.76.89, IP SRC=10.1.1.7, DEST=2341.3.2.125, To get results like : 10.2.7.32 87 Connections 10.1.1.7 11 Connections etc.. ... View more

Anybody out there had experience trying to correlate events with Splunk. A scenario would be like this: (Source : A Event XXX) + (Source : B Event YYY) = ( Result : kick off an event using a scipt ) Is correlation supported with Splunk? ... View more

Instead of file being appended, if the file gets overwritted or rewrited, does splunk re-evaluates the entire file data and figure-out whether to index the already indexed data? ... View more