Yes, if your data contains blank spaces, you need to account for them. ... View more

If you use GUI, under Search, there's an option "Refresh indicator". Select "None". In Simple XML, <option name="refresh.display">none</option> ... View more

The vertical bars (|) in your events are literal, but when you use them in regex as shown, they become logical ORs. You need to escape such special characters if they are literal. rex (?<num1>\d)\|(?<num2>\d)\|(?<num3>\d) In fact if you are only interested in Z, you don't have to extract num1 and num2. ... View more

If values in $myinput$ can be interpreted as numbers, it will be used as a number. Have you tried' | where velocity >=$myinput$ instead? There should be no convert needed. ... View more

Unless you have some customised field extraction for EVENT_MESSAGE, Splunk will automatically assign "Number" to EVENT_MESSAGE instead of "Number of Offers ready to send: 6" that @codebased seems to expect. The above should work. (field=_raw is assumed by default so no need to specify.) ... View more

If you use the dashboard GUI, you can "Add input" and select "time" (the last in drop-down). In Simple XML, it looks like <input type="time" token="field1"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> This is not to say that you cannot define custom tokens to achieve what you intend to do. It just requires a bit more work. ... View more

Splunk's fieldset tries to do some smart matching when possible. "Last 30 days" is a predefined token in Splunk's global time picker, so Splunk uses that information to reasonably guess that $earliest$ = -30d@d and $latest$ = now is your intention. There is no predefined "Last 90 days" so Splunk doesn't know what you mean by that. In Splunk 6, it is much easier to simply use time picker rather than use your own token definitions. ... View more

Though most of the time it is desirable to have multiple hosts on the same chart, I do see occasional urge for individual charts - on a dashboard. (Especially when you have many hosts. Same goes with some other metrics.) In fact I had proposed this for my previous group who wanted such a separation-aggregation. I didn't implement this but here's my proposed solution: Compose the XML elements for each of the charts you want to produce using tstats , then incorporate the output into your dashboard source. Obviously this will have severe limitations if the number of hosts grows very fast and you'll have to update your dashboard constantly. But for many environments, this should suffice. | tstats count by host where index=abc sourcetype=def | eval Panel=" <row> <panel> <chart> <title>Chart for " + host + ": avg(cpuUse)</title> <search> <query> index=abc sourcetype=def host=" + host + " earliest=-6h |timechart avg(cpuUse) </query> </search> </chart> </panel> </row>" | table Panel Output would look like these: <row> <panel> <chart> <title>Chart for host1: avg(cpuUse)</title> <search> <query> index=abc sourcetype=def host=host1 earliest=-6h |timechart avg(cpuUse) </query> </search> </chart> </panel> </row> <row> <panel> <chart> <title>Chart for host2: avg(cpuUse)</title> <search> <query> index=abc sourcetype=def host=host2 earliest=-6h |timechart avg(cpuUse) </query> </search> </chart> </panel> </row> <row> <panel> <chart> <title>Chart for host3: avg(cpuUse)</title> <search> <query> index=abc sourcetype=def host=host3 earliest=-6h |timechart avg(cpuUse) </query> </search> </chart> </panel> </row> Note the output is "flattened" in terms of line breaks and indentations so you may want to employ some pretty-print for readability in the final dashboard source. (You can still use the output as is, just not as pretty.) ... View more

I'll just convert the quad string representation to the numeric address. After this, you can decide which representation to use for this value. | regex field=ip "(?<quad4>\d+)\.(?<quad3>\d+)\.(?<quad2>\d+)\.(?<quad1>\d+)" | eval NumericIP=quad4*pow(2,24) + quad3*pow(2,16) + quad2*pow(2,8) + quad1 There is no printf conversion to convert this numeric value into a binary representation, so you'll have to write your own using / and %. ... View more

I think it means to convert a quad format string representation of the numeric IP address into a binary representation of the numeric value. For example, the numeric value of 255.0.0.1 is 255*2^24 + 0*2^16 + 0*2^8 + 1*2 = (dec)4278190081 = (bin)11111111000000000000000000000001. Sometimes it is useful to use decimal string or hexadecimal string of the address value, but I really don't see what benefit could it be to use a binary string representation. ... View more

A subsearch cannot be used in assignment. I can kind of guess what you try to do but you need to explain the intention if the following is not what you need: If "keyword" is found in the first record, you want no return ("no alert"); otherwise you want to return the histogram of numeric values of keyword1 but only if that value is less than 5. Several additional assumptions: "keyword1" is both a literal in events and must be a numeric field that is already extracted Regardless of what "keyword" is, I cannot imagine why you want to do count(eval(searchmatch("keyword"))) then test if this count>0. Because index=index host=host source="source" "keyword" has already determined that if there is no match, the count won't even happen. Similarly, the last filter where value<5 AND value!="no alert" seems redundant because all previous results precludes the opposite. Because keyword1 is already extracted as a numeric value, index=index host=host keyword1<5 will do exactly the same as index=index host=host keyword1| where keyword1<5 , only faster. Lastly, I cannot figure out the intention of the second head 1 (inside the subsearch) followed by stats count by value because the two head 1 will limit output to only one or zero. I will assume that your intention is to actually perform count by value . If my understanding of the intentions is correct, the following should work: index=index host=host (source="source" "keyword") OR (keyword1<5) | eventstats count by keyword1 | eventstats count(eval(searchmatch("keyword"))) AS searchmatchresult | where searchmatchresult=0 | table count keyword1 ... View more

I have the exact problem. Following link text and link text, I tried | fields * as well as eventstats as opposed to stats. It made no difference. Only verbose will give the correct result. (I also need to do this in Simple XML.) ... View more

Got it. That's quite a layout:-) ... View more

Thank you, @abeeber_2. I have deleted older Splunk installers. When I go back to Download -> Older Releases, I can only find 6.2.4. Do you have a link or navigation path? ... View more

How do I roll back? (I got the same error, on OS X 10.10.5) ... View more

Agree that multiline events are your enemy, especially when every line has a valid timestamp. ... View more

To close the loop. After reviewing @lgnuin's comment about the doco being wrong and discovering the correct note in the same doco page, the above example can be explained - as kind of expected behavior. Here, syslog is not logging year, so Splunk discarded "Mar 29 17:54:11" and supplied indexer timestamp . Per the correct part of the doco: "If you have ... changed the value of the time/date at indexing or input time (for example, by setting the timestamp to be the time at index or input time), these fields will not represent that." In this sense, it is not a bug. ... View more

http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/UseDefaultFields - scroll down to "Default datetime fields". The statement surely is wrong in the sample that I just examined. Interestingly, closer to the top of the doco, there is a correct note: Note: Only events that have timestamp information in them as generated by their respective systems will have date_* fields. If an event has a date_* field, it represents the value of time/date directly from the event itself. If you have specified any timezone conversions or changed the value of the time/date at indexing or input time (for example, by setting the timestamp to be the time at index or input time), these fields will not represent that. ... View more

I have this example, where _time is not from an epoch time in the source event, a syslog entry Mar 29 17:54:11 amiohdrmp1 snmpd[14773]: Connection from UDP: [127.0.0.1]:46920 In this particular case, syslog uses EDT without printing zone info. Splunk correctly dates this event at 3/29/16 9:54:11.000 PM, i.e., 21:54:11. As a result, %H correctly gives 21. However, date_hour is 17, the split output from source text! Whereas this case looks like a fixable bug, the designer may have other use cases in mind. You have sufficiently scared me, so I'll just accept "in date_* no trust" as answer:-) ... View more

You want to post what have you been trying, and explain what particular expectation is not met by your method. ... View more