sourcetype="a" OR sourcetype="b" | eval blacklisted=if(sourcetype=="a",_raw,null()) ... View more

Officially, Splunk recommends that if you're going to virtualize, that you should use a many virtual cores/CPUs as for physical, and furthermore to avoid the problem you note (having to wait for 8 CPUs to come free before allowing the VM to run anything) that the CPU resources be dedicated to the VM, i.e., they are always available because they can't be used for anything else. I like say that you shouldn't be looking to save hardware via virtualizing Splunk, only to gain flexibility. This is because we find that Splunk actually does wind up using and needing the physical CPU resources. Now, it is possible that right now you are at a place where you only need 4 cores for your workload, and in that case you may find that you run into less CPU wait if you reduce the number of cores. But it should be noted that when Splunk uses the CPUS, it will actually use the CPUs and you need to have the underlying physical CPUs available to perform the work. People like to get all crunky about the waiting for free CPUs in VMware, but you may find that you actually need the physical resources to do the search work, so be prepared to bump it back up. (Also, I suspect that you may not be seeing problems because in fact the CPUs are busy enough that it never lets go of its 8 CPUs.) As for the messages you are seeing about "maximum concurrent searches", first, you should be sure that the messages are not coming from user role restrictions, but are in fact about the global system maximum. if that is the case, and you really aren't seeing problems, you should feel free to increase either the base or multiplier for the number of searches per CPU. The default in 5.x is 2+2xcores, but you can up to to 3x or possibly even 4x cores. It is possible depending on your search profile that you can run more of them, though a different workload may cause searches to backlog. ... View more

Probably easier to do: sourcetype="mail" [search sourcetype="mail" | top id | table id] | stats count by id,ip | eventstats count as totalcount by id ... View more

... | bucket _time span=1m | stats count by _time,punct | eval occurred=if(count!=0,1,0) | stats sum(occurred) by punct or ... | bucket _time span=1m | stats count by _time,punct | stats sum(eval(if(count!=0,1,0))) by punct ... View more

i am not actually sure what you are asking to count, but either ... | stats dc(c_ip) by ua_family or ... | stats count by ua_family,c_ip may be what you want. if not, perhaps you could clarify as i don't think i understand what you're looking for. ... View more

Search-time fields should not be on indexers, only on the search head. Are your fields search-time extractions? ... View more

Actually, it is working correctly, but I think you are incorrectly specifying your CIDR ranges. For example, 10.8.1.0/10 (which is the same as 10.0.0.0/10 ) will match anything in the range 10.0.0.0 thru 10.63.255.255 , which includes your other two ranges as well as your examples. 10.17.101.0/15 (which is the same as 10.16.0.0/15 ) includes everything in 10.16.*.* and 10.17.*.* . My guess (just a guess) is that your ranges should actually all be /24 ranges. Though of course I don't know your network topology, you are unlikely to want overlapping CIDR ranges for different departments. ... View more

You should use a subsearch instead of map : [ search sourcetype=joblog jobID=693 earliest=-2w latest=-2w+1d | eval earliest=strptime(startTime,"%m/%d/%Y %H:%M:%S") | eval latest=strptime(endTime,"%m/%d/%Y %H:%M:%S") | return earliest latest ] eventtype=windows_performance Host=ZSN* object=Processor instance=_Total | timechart max(Value) ... View more