Hi Tony, You can use any programming language of your choice ( which has capability to work with REST API calls ) and then use the REST API depending upon your requirement. For details on REST API, you can refer the Splunk REST API documentation at http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTcontents . Note : As "davecroto" has mentioned in later post, you can also use Splunk SDK available in few languages which acts like a wrapper over REST API to do the tasks thus simplifying the overall tasks. Let me know if you have more queries on this. Regards, Amit Saxena ... View more

Hi, How about using "dedup ComputerName, User" ? Regards, Amit Saxena ... View more

Hi, Check "splunkd.log" for the following pattern to check if forwarder resends a data block. WARN TcpOutputProc - Possible duplication of events with channel= Regards, Amit Saxena ... View more

Hi, Let me know if the my latest suggested solution to both the scenarios work for you. Regards, Amit Saxena ... View more

Hi, Thanks, that worked for me ! Regards, Amit Saxena ... View more

Hi, The regular expression rex "(?i)(?P<var> : [0-9]+)$" extracts space followed by a colon and then a space and then series of digits in the end of the line. If you just want to extract only the digit, then you should use the regular expression rex "(?i) : (?P<var>[0-9]+)$" . Let me know if it works for you this time. Note : Hopefully the characters in my regular expression should not get truncated. Regards, Amit Saxena ... View more

The characters in my post are truncated. I will try to post my answer as reply to the post instead of the comment. ... View more

Hi, rex "(?i)(?P : [0-9]+)$" will extract both the spaces including the colon character and then the digit. If you want to extract only the digit, then you should use rex "(?i) : (?P [0-9]+)$" . Let me know if it works for you. Note : Hopefully the character are not truncated from my regular expression while submitting the post. Regards, Amit Saxena ... View more

Hi, Do confirm it the above solution worked for you ? Regards, Amit Saxena ... View more

Hi, I feel this can be done by SimpleXML by using "drilldown" tag for dynamic drilldown. You have to use "click.value" or "click.value2" depends upon whether the chart is bar chart or non-bar chart. Let me know your views on this. Regards, Amit Saxena ... View more

Hi, Clustering seems to work exactly in your case but you don't want to have more than 2 VMs / hosts in your infrastructure. Either increase the number of nodes and opt for Splunk supported clustering or use external HA solution like VMotion etc. Regards, Amit Saxena ... View more

Hi, I am not sure why "mktime" instead "ctime" was used here. I would suggest the following search command. ... | convert timeformat="%m/%d/%y %H:%M:%S" ctime(Time) as NewTime | where now() - Time < 604800 Let me know if it works for you. EDIT: Just realized that earliest will work for "_time" field only which is not the time field for your case. So modified the search query to use "now". However the newer search might not work in all cases. The number 604800 is equal to number of seconds in a week. Regards, Amit Saxena ... View more

Hi, I would suggest using the following modified query. (XXXXXX OR XXXXXXX) | rex "for [\w\d\-\.]+:(?<src_ip>\d+\.\d+\.\d+\.\d+)/(?<src_port>\d+)\s+to\s+[\w\d\-\.]+:(?<dest_ip>\d+\.\d+\.\d+\.\d+)/(?<dest_port>\d+)" | rex "bytes\s+(?<bytes>\d+)" | eval mbytes= round((bytes/1024/1024),3) | table dest_ip, mbytes | sort -mbytes | head 15 | rename mbytes as "Total MBytes", dest_ip as "Destination Address" This will help in getting the data in tabular form as you want. I haven't tried this but I feel that the search results in tabular format can be directly converted into chart also. Let me know if it works for you. Regards, Amit Saxena ... View more

Hi, Can you post the contents of props.conf and transforms.conf here ? That will help in debugging the issue. Regards, Amit Saxena ... View more

Hi, I agree with you on that it's not the best solution Regards, Amit Saxena ... View more

Hi, Instead of sending an email, call a script while referring the "Scripted Alerts" section mention in my earlier post. The variable SPLUNK_ARG_8 will hold the value of a file where the message is stored. You can use the script to open the file, get an access to the contents and then send the same to the syslog file which in turn is read by the syslog probe in Netcool. Let me know if still there are some queries. Regards, Amit Saxena ... View more

Hi Putting the expression inside a code block. rex "(?i)(?P<var> : [0-9]+)$" l Hopefully this time, there are no characters that gets truncated Let me know if it works for you Regards, Amit Saxena ... View more

Hi, Refer the section "Configure scripted alerts" in Splunk Alert guide. Splunk currently enables you to pass arguments to scripts both as command line arguments and as environment variables. This is because command line arguments don't always work with certain interfaces, such as Windows. The values available in the environment are as follows: · SPLUNK_ARG_0 Script name · SPLUNK_ARG_1 Number of events returned · SPLUNK_ARG_2 Search terms · SPLUNK_ARG_3 Fully qualified query string · SPLUNK_ARG_4 Name of saved search SPLUNK_ARG_5 Trigger reason (for example, "The number of events was greater than 1") · · SPLUNK_ARG_6 Browser URL to view the saved search SPLUNK_ARG_8 File in which the results for this search are stored (contains raw results) · SPLUNK_ARG_7 is not used for historical reasons. These can be referenced in UNIX shell as $SPLUNK_ARG_0 and so on, or in Microsoft batch files via %SPLUNK_ARG_0% and so on. In other languages (perl, python, and so on), use the language native methods to access the environment. These values are also available as positional arguments passed on the command line of the script. You can use these as well if they are more convenient. Relatively old versions of Splunk do not provide the environment variables. However, due to platform reasons, they are not entirely reliable in Microsoft Windows. The command line arguments that Splunk passes to the script are: · 0 = Script name · 1 = Number of events returned · 2 = Search terms · 3 = Fully qualified query string · 4 = Name of saved search · 5 = Trigger reason (i.e. "The number of events was greater than 1") · 6 = Browser URL to view the saved search · 7 = This option has been deprecated and is no longer used · 8 = File where the results for this search are stored (contains raw results) Note: Splunk encourages Windows users to use the $SPLUNK_ARG_ environment variables when passing arguments to scripts. You can then use the values supplied as an argument in the script to populate the data which will be used by the probe. Let me know if that helps. Regards, Amit Saxena ... View more

Still the characters in my post are getting truncated and I don't know why 😞 ... View more