You could perform Double Transforms (add a second stanza for each sourcetype and set the _MetaData:Index to the index you want). But to better utilize the processing power, you probably should just collect the syslog onto the server, and index from there. ... View more

You'll probably want an index-time transform to do this. You can chain the transforms, and use REGEX to match which IPs you want to have specific sourcetypes. props.conf [syslog] TRANSFORMS-forcesourcetype = cisco_asa_st, iron_port, i_as400 transforms.conf [cisco_asa_st] REGEX = 192\.168\.0\.1|192\.168\.0\.2 SOURCE_KEY = MetaData:Host DEFAULT_VALUE = cisco_asa DEST_KEY = MetaData:Sourcetype [iron_port] REGEX = 192\.168\.0\.1|192\.168\.0\.2 SOURCE_KEY = MetaData:Host DEFAULT_VALUE = iron_port DEST_KEY = MetaData:Sourcetype [i_as400] REGEX = 192\.168\.0\.1|192\.168\.0\.2 SOURCE_KEY = MetaData:Host DEFAULT_VALUE = as400 DEST_KEY = MetaData:Sourcetype http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf The other, probably easier way, is to use a syslog-ng server, use specific destinations for each ip, and then index the resulting output. http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/overview ... View more

Tedder, While it is not GWT, this: http://splunk-base.splunk.com/apps/69224/google-apps-for-your-domain is for Google Apps. Perhaps I could extend it to other non-Google Apps specific functions. What options of the API did you want to log? ... View more

Yep, I do the same thing in My MIs. I check for grandparent pid on non-windows OS and if 1, exit. I wanted to see who else was seeing this, thanks! ... View more

You are most welcome, please mark the answer as accepted if we have answered your question. Thanks! ... View more

Like This: | rex field=_raw "(?<LOC>S\w*E)" ... View more

From what I gather, you can do both in the same search. your_search | stats avg(numbers) stdev(numbers) by trans_id If you want it over all events, exclude the by trans_id clause. http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Commonstatsfunctions ... View more

It is not done native-ly. You may want to check out this app: http://splunk-base.splunk.com/apps/64088/x-ray-splunk-knowledge-objects . I don't know if it has what you are looking for, but might come in handy. A bash script would also work. ... View more

There are a few ways to save this. You can add it to your props.conf [your_sourcetype] EXTRACT-uniq = ^(?<uniqueid>...) REF: http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Inline_.28props.conf_only.29_search-time_field_extraction_examples You can use the UI to add it. See the documentation here for information. http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Managesearch-timefieldextractions ... View more

Firstly, I'd suggest using a JSON validator to make sure you are using correct syntax. I ran your JSON through a validator and it failed (http://jsonlint.com/). Once I corrected the syntax, Splunk began to automatically parse the JSON in the UI and auto extracted a lot of fields. I then noticed another issue. With the way the JSON is structured, the "event" array item may or may not have "event" listed first. This poses a problem with splitting using LINE_BREAKER. In this case, I would suggest using spath and xpath to parse the information you need. If you want the timestamps to correctly index each individual event, the JSON should probably be rewritten to allow a more specific extraction. Example: Rewrite JSON to : { "events": [ { "event": { "list": [ { "type": "W8021X" }, { "rssi": "97" } ], "id": "ONE", "systemdate": "2012-10-0910:33:39-0700" } }, { "event": { "systemdate": "2012-10-0910:35:30-0700", "list": [ { "rssi": "97" }, { "id": "TWO" } ], "id": "TWO" } } ] } This syntax allows you to use some props/transforms to break the events, without having to worry about which order the variables show up in the JSON. The MAX_TIMESTAMP_LOOKAHEAD needs to have enough characters to grab the systemdate variable. I'll have to play with it to get the props.conf right. ... View more

This can be done, but not with a button. Workflow Actions allow for these kind of setups, and will pass parameters to your ticketing system. Check out the links below for some examples/documentation. http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/CreateworkflowactionsinSplunkWeb#Set_up_a_POST_workflow_action http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Aboutlookupsandfieldactions#Workflow_actions ... View more

You sure can! You will need to use TCP_ROUTING in your inputs. So it might go something like this: [outputs.conf] [tcpout:UDP10001] server=server1:9997 [tcpout:UDP10002] server=server2:9997 [inputs.conf] [udp://10001] _TCP_ROUTING = UDP10001 [udp://10002] _TCP_ROUTING = UDP10002 http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data.27s_input ... View more

Per the documentation, the following is what is allowed: Valid characters for field names are a-z, A-Z, 0-9, or _. Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk's internal variables. International characters are not allowed. In your extract, you will want to do this: EXTRACT-osuserid = OS$USERID:(?<os_userid>[[0-9]+] "[^"]+") This creates a field "os_userid" which conforms to the standard. http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Use_proper_field_name_syntax ... View more

What OS are you running? ... View more

You may want to review some Branding Policies from Splunk before you do this. According to the page below, you have to have either "Splunk" or "Splunk Powered" logos visible somewhere, even when exporting charts to a web page. http://www.splunk.com/view/SP-CAAAFT9 ... View more

Yannk, Try This: id | transaction id startswith="start" endswith="stop" maxpause=3600 |concurrency duration=duration|timechart span=5m max(concurrency) as concurrency|fillnull value=0 concurrency ... View more

This should return the contents of your CSV: |inputlookup Brands.csv|rename VALUE as Brand|table Brand|format "(" "" "" "" "OR" ")" . ... View more

Look in the $SPLUNK_HOME/var/log/splunk/splunkd.log and $SPLUNK_HOME/var/log/splunk/web_service.log files. What errors do you see at the times that you attempt the connection? Have you confirmed that both the splunkweb and splunkd services are running? ... View more

Have you made sure Splunkd is actually running? Another problem I see is that you are creating two different indexes (MyIndex and dg) that use the same location. If the dg index is App specific, I wouldn't put it in etc\system\local . If you still want to use the "MyIndex" index, it needs to be in a different location than $SPLUNK_DB\dg\db . Also, make sure your slashes are the correct way "\" for windows. ... View more