You could try using the transaction command with startswith and endswith params. Each transactional event will have a new field called duration. You could then do a stats command summing the duration by Account_Name to get the total for the day. People may log in and out many times during the day. I haven't tested this, but hoping it leads you in the right direction. index= source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name="" | transaction Account_Name startswith=eval(EventCode=4624) endswith=eval(EventCode=4634) | stats sum(duration) by Account_Name ... View more

The data coming from a Universal Forwarder would not be considered cooked. Cooked data would come out of a Heavy Forwarder and would be much larger than the original data. Heavy Forwarders used to be more commonly used as an intermediate forwarder, but it is better to use a Universal Forwarder as you have described. This is the commonly recommended way of limiting the egress points to Splunk Cloud. I believe the rule of thumb is 2 threads (see docs on multiple processing pipelines: http://docs.splunk.com/Documentation/Forwarder/7.2.1/Forwarder/Configureaforwardertohandlemultiplepipelinesets), per indexer. This could be 2 forwarders per indexer, or one forwarder with multiple pipelines. Here are the docs for setting up an intermediate forwarder: http://docs.splunk.com/Documentation/Forwarder/7.2.1/Forwarder/Configureanintermediateforwarder ... View more

See the following answers post: https://answers.splunk.com/answers/481263/how-does-splunk-define-and-assign-urgency-in-splun.html ... View more

Try something like this: index="scratchpad" sourcetype="ans1129" source="ans_1129*" | stats dc(source) as distinctsource values(f1) as f1 values(f2) as f2 values(f3) as f3 values(f4) as f4 by id | where distinctsource>1 | sort f1 | table f1 f2 id f3 f4 This is the output of this search using your data. I used f1 - f4 as the other fields that weren't the common id. ... View more

In a clustered environment, you should use the cluster master to push out indexes to all search peers (indexers). See page 195 of this document for more info on creating and deploying the indexes.conf file from a cluster master. This has to be done by editing the indexes.conf directly. http://docs.splunk.com/Documentation/Splunk/7.2.1/Indexer/Setupmultipleindexes ... View more

I have seen some of my customers use Windows Event Forwarding to send the logs to a single Windows box, where you would have a Universal Forwarder. I don't know how performant this is though, compared to running a forwarder on each DC, which would be the optimal solution. The Universal Forwarder is very lightweight and uses minimal resources if configured properly, which makes it the preferred way to collect the logs. ... View more

Is there a common value in each event that could link them? If not, is there a way you could enrich the events so that they are associated. System mapped to section for example? If there is a common value, or you could provide a common value via a lookup file and enrichment of the event, you could use the transaction command. Transaction has parameters around the time window for a transaction (span) as well as startswith and endswith so you can identify the events that start and end the transaction. The missing link (pun intended) would be a common value between them to identify that they are related. This could also be a third event that somehow links the other two as well. The transaction command will group all of the related events into one transactional event. ... View more

If your indexers are currently not clustered, you could use a Deployment Server to push the app to all of your indexers. In a clustered environment, you would use the Cluster Master to do this. Do you currently have a Deployment Server? ... View more

Try using the punct field. This pulls out all of the punctuation in an event, which can be helpful in identifying similar events. ... View more

One challenge I would see is, Splunk would typically read a file in real-time. Until the file hit the 10MB point, Splunk would have now way of knowing if it would meet that mark. You would most likely have to write a script, that looks for files in a directory, that are 10MB or larger. The script could then copy the file to another directory that Splunk was monitoring. You would also have to wait until the file is complete for this to work. ... View more

See this post: https://answers.splunk.com/answers/86/how-do-i-share-all-of-the-field-extractions-defined-in-a-given-app-with-all-other-apps.html ... View more

This is a simple example, but give something like this a try: sourcetype=access_combined action=addtocart | stats sum(bytes) as bytes_atc by clientip | appendcols [ search sourcetype=access_combined action=purchase | stats sum(bytes) as bytes_purch by clientip] | eval sum_all=bytes_atc + bytes_purch ... View more

You will need the account rep to send you a reset license. If you exceed your license 5 times in 30 days, Splunk will lock you out from searching. It will still ingest data, just not let you search it. Even though you have a valid trial license, you also need to unlock it. The order in which you apply the trial license and the reset license is unimportant, so get the reset key from the rep and apply it and you should be good. ... View more

Do you need the events to remain separate? If not, you could use the transaction command, along with the common field and the startswith and endswith parameters to indicate that you want the transaction event to start with the USER_AUTH event and end with the USER_LOGIN event. This will combine both events into one transaction event for each user. You can also specify the maxspan to indicate the time window for these two events to happen. Not sure if this is what you are looking for or not. ... View more

Is it always the same columns? You could do something like the following if so: ... | eval avgbylevel=(Month1 + Month2 + Month3)/3 | table Level Month1 Month2 Month3 avgbylevel ... View more

You can limit the set of events using the base search (the part before the first |). Also, the way transaction works is, it takes a field or fields as arguments to identify all events where those fields match. For example, you may want to group all of the events with the same IP Address, into a single transaction. It will need a common value in order to associate them. The startswith and endswith would be used when there are different events that are happening in a sequence, like, a login, some other stuff happens, then a logout. Another example would be parts of a transaction that could even span different event sources. Is there a common thread between the 500 error and the error that follows it? I'm guessing IP or host or something? ... View more

In order to open a case with support, you will have to be designated as a support contact. The number of support contacts you are allowed to designate is based on your license size. For example, for a license size of 10-99 GB per day you are alotted 3 support contacts. At 100GB you get 5. If you haven't used up all your spots for support contacts, you can speak to your Splunk Sales rep to add you. Otherwise, someone who is already designated will have to open the ticket. Here are the 3 ways to contact support: 1. Splunk Support Portal - http://www.splunk.com/page/submit_issue 2. Email - support@splunk.com 3. Phone – (855) SPLUNK-S (855-775-8657) ... View more

You need to log into your cloud instance and download the credentials app, I believe it is under the Universal Forwarder app on the left hand side. This app will point to your cloud instance and also contains the certificates for secure sending of your data. ... View more

You could have a universal forwarder monitor for the new csv file that gets generated. As soon as the file is dropped into the monitored directory it will be ingested. ... View more

What is your indication that they aren't being ingested? Are you not seeing a dashboard populate? Are you running a search and not able to find the data? ... View more

This is on a per index basis. It's possible you have other indexes that don't roll after 120 days. http://docs.splunk.com/Documentation/Splunk/7.2.0/Indexer/Setaretirementandarchivingpolicy ... View more

Have you seen this: https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Splunkbase/Monetizeyourcontent ... View more

Have you tried doing it through the GUI? ... View more