This is not a question, but I wanted to share... If you are running Enterprise Splunk and would like an alert sent via text... Create the search, have Splunk send an email. I un-check the send results (mixed results. text might not come through). The email address will vary depending on who your carrier is: I have verizon, so my to would be: 5555555555@vtext.com If you have another carrier, reference below: Alltel @message.alltel.com AT&T @txt.att.net ST @txt.att.net Nextel @messaging.nextel.com Sprint @messaging.sprintpcs.com SunCom @tms.suncom.com T-mobile @tmomail.net Verizon @vtext.com ... View more

I am trying to pass a greater than to my search, but when it gets passed to the search the search looks like this: =">3" There are two problems, (1) the "=" and (2) the "" The "=" is part of my search, so I removed it and changed the choices to "=1" but this passes everything with the "" Select Priority (5 is high suspect) 0 1 2 3 4 5 >3 ... View more

If I run the All Sourcetypes dashboard, the MB received panel for the past 24 hours, the panel takes just over nine minutes to complete. I studied the search and it is made up of three macros that form this search: index="_internal" source="*license_usage.lo*" type!=*Summary | eval lastReceived = _time | rename s as source st as mysourcetype h as host b as bytes o as originator | eval my_splunk_server = splunk_server | fields lastReceived source mysourcetype host bytes pool originator my_splunk_server source | bin _time span=10m | stats sum(bytes) as bytes max(lastReceived) as lastReceived by mysourcetype _time pool host | eval kb = bytes/1024 | eval mb = kb/1024 |timechart minspan=10m bins=200 sum(mb) as mbytes by mysourcetype If I run this search manually the results are returned within 1 minute. Any idea about what is going on???? ... View more

My workflow actions do not show up in the pulldown next to the event within dashboard? What do I need to change to get this to work. Also, view results is missing? My title <searchTemplate>my search </searchTemplate> </event> </row> ... View more

I am using the following to clean up output: rex mode=sed field=search_google2 "s/\%20/ /g";"s/\%5B/[/g" | rex mode=sed field=search_google2 "s/\%22/\"/g" | rex mode=sed field=search_google2 "s/\%5B/[/g" | rex mode=sed field=search_google2 "s/\%5D/]/g" | rex mode=sed field=search_google2 "s/\%2B/+/g" | rex mode=sed field=search_google2 "s/\%2C/,/g" | rex mode=sed field=search_google2 "s/\%3A/:/g" | rex mode=sed field=search_google2 "s/\%27/'/g" | rex mode=sed field=search_google2 "s/\%40/@/g" | rex mode=sed field=search_google2 "s/\%3B/;/g" | rex mode=sed field=search_google2 "s/\%25/%/g" I am new to regex.... can I combine the regex into one statement instead of the multiple pipes? ... View more

I would like to analyze two different sources to determine how much data is being indexed. index="_internal" source="*license_usage.log" s=*win*| stats count sum(b) by s | rename "sum(b)" as total_bytes | stats sum(total_bytes) | rename "sum(total_bytes)" as total | eval gb=total/1024/1024/1024 For the search above, there are 5 or 6 sources, so I want a count of the total gb used and this works. What I really want is to be able to change the search to something like this... index="_internal" source="*license_usage.log" s=*win* s=abc| stats count sum(b) by s | rename "sum(b)" as total_bytes | stats sum(total_bytes) | rename "sum(total_bytes)" as total | eval gb=total/1024/1024/1024 BUT, I want a sum of the s=*win* and a sum of s=abc Ideas? ... View more

Not sure how to really explain this.... I would like to look in my windows logs for new installed products and list the products, then look back and see what installed products have never been installed. I know how to create the search and I know how to create a subsearch, but how do you search for items that are not in the results of the subsearch? For example if I had a search that returned productA, ProductB, ProductC for the current week, and I want to see if any products other than "productA, ProductB, ProductC " were installed last week - how would I go about this? I am trying to basically create a whitelist. I might eventually just make a lookup to take care of this, but I would like to have a search for testing and validation. Thanks- ... View more

I have been using the following to give me a estimate of license usage for the day: index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" earliest=@d+30M | eval GB=b/1024/1024/1024 | search | stats sum(GB) by pool | eval used='sum(GB)' | eval GB_Used_Today=round(used, 0) | fields GB_Used_Today This search used to match fairly closely to what the manager would report under licensing, but now the search above is always much higher? Does anyone know what the search is that the manager->>licensing uses? ... View more

Is there a simple way to have splunk assign field names based on ":"? For example, Splunk does a good job of picking up the field name if the format is... myfield=testvalue I have the following tyoe of log entry and I want to report on the fields. I do not want to define/extract each field. Event message: A configuration error has occurred. Event time: 2/12/2013 4:08:20 PM Event time (UTC): 2/12/2013 9:08:20 PM Event ID: e60329dcbe45472593eba4629aa020ae Event sequence: 84 Event occurrence: 3 Event detail code: 0 Application information: Application domain: /dadadadadad Trust level: Full Application Virtual Path: / Application Path: D:\Web\dadadada\ ... View more

From the field...... customers with large deployments, what is your ratio of UFs to HFs. We had about 2500 UFs reporting to 2 HFs (one had a dual role HF/DS). We now have 3 dedicated HFs. We will eventually have about 10k UFs reporting to the 3 HFs. From field experience - does this ratio sound ok? If not, what should the ratio be? I know hardware can make a difference, but I am really concerned with the max established connections. ... View more

Not sure how to accomplish this.... First search: index="airtight" message=quarantined eventtype="airtight_intrusion" NOT Agere | stats count by client_mac If results are returned from first search, take the results "client_mac" and perform this search sourcetype="nac" client_mac display results does this look correct? sourcetype="nac" [search index="airtight" message=quarantined eventtype="airtight_intrusion" NOT Agere | return 100 client_mac] | stats count by client_mac, Users_Name, Company, _time ... View more

I am using the following within a search to create a field called link. eval link=uri_scheme+"://"+dest_host+uri_path I really just want the field to be an available field for the sourcetype. Is this possible, and if yes how? ... View more

More info.... I am now getting... Script for lookup table 'geoip' returned error code 1. Results may be incorrect. (this message is repeated for each of my indexers. Maybe I am doing something wrong??? I am trying to use the google maps application. According to the documentation I need a field called _geo that includes lat and lon, so I use the following to create this field: eval _geo=client_lat.",".client_lon The field is not created, but if I use: eval geo=client_lat.",".client_lon , I get the field? Not sure what I am doing wrong here? Some clarrification... I changed the search to this.... index=mail | lookup geoip clientip as srcip | eval geo=client_lat+","+client_lon | search client_country="Spain" | table geo I am getting results such as.... 37.3379,-5.8395 But the google map does not have any data/plots???? debug info: DEBUG: Incompatible set of indexes specified DEBUG: No matching index found for 'index=mail' DEBUG: [indexer16] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905" DEBUG: [indexer17] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905" DEBUG: [indexer21] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905" DEBUG: [indexer22] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905" DEBUG: [indexer23] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905" DEBUG: [indexer24] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905" DEBUG: [indexer25] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905" DEBUG: [indexer26] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905" DEBUG: base lispy: [ AND index::mail ] DEBUG: search context: user="admin", app="maps", bs-pathname="/opt/splunk/etc" ... View more

I am using the following to tell me what my license usage is when I run this search. index=_internal source=*license_usage.log earliest=@d+30m| eval GB=b/1024/1024/1024 | stats sum(GB) by pool | eval used='sum(GB)' | eval GB_Used_Today=round(used, 0) | fields GB_Used_Today I would like to do the same, but use a timechart to show license usage per day for the past X days. Ideas? ... View more

I have the edit button on some dashboard, but not all? How can I get this button on all my dashboards. ... View more

eventtype=bluecoat [| inputlookup wfap_lookup | where wfap_priority=2 | fields wfap_indicator | rename wfap_indicator as search| format "" "(" "OR" ")" "OR" ""] user="test" The lookup will contain values such as: string priority car 0 "red car" 2 "blue car" 1 red 3 The problem I am having is with the multi-string values. For example, if I am looking for "red car", the search above will find within an event red and car, but not always as the string "red car". The event might have someting like, "Red is a nice color. A fast car is fun to drive". ... View more

index=webproxy | top 10 link I have a workflow assigned to link, that will allow me to open the link. I do not want my users to see the entire string, only the field "link" and allow the users to quickly open the link. Does anyone know if from the table view, you can enable the event options menu? ... View more

I am using the following: eval link=http_referrer+uri_path | top link and I get http://www.foxnews.com//static/includes/partners/dma/520.html I want to remove the double "//" and replace it with just one "/" I cannot get my regex to work??? ... View more