I am new to regex - so...... I want to filter out all events that contain the word sendmail My messages look like the following type=SYSCALL msg=audit(12/13/2011 05:41:01.898:11192536) : arch=x86_64 syscall=unlink success=yes exit=0 a0=2afe55cbc340 a1=2afe60dea7a6 a2=2afe55cbc352 a3=2afe55cbc340 items=2 ppid=5655 pid=5656 auid=unset uid=root gid=smmsp euid=root suid=root fsuid=root egid=smmsp sgid=smmsp fsgid=smmsp tty=(none) ses=4294967295 comm=sendmail exe=/usr/sbin/sendmail.sendmail key=(null) This is what I have in my transforms.conf [auditdNullsendmail] # filter auditd, multiline, comm=sendmail REGEX=(?ms)^comm=sendmail.+exe=/usr/sbin DEST_KEY=queue FORMAT=nullQueue Does this look like it will work? When I search for sendmail in realtime - I am seeing events come in, but they are from the past (like Splunk is catching up???) ... View more

I would like to have just the value from the search below displayed from all my views. It would be extremly useful if it could be included somewhere like where the logged in as ......, but could labeled as Splunk usage "some number" Another option would be like on the splunk search landing page - where the "all indexed data" is. My search below gives me my total splunk license for the day. index=_internal source=*license_usage.log earliest=@d| eval GB=b/1024/1024/1024 | stats sum(GB) by pool | eval used='sum(GB)' | eval GB Used Today=round(used, 0) | fields "GB Used Today" ... View more

I need to create an email alert when at a specified period in the day, if our license usage is > #, send an email. So for example if at 14:00 license usage > 9000, alert I am using the following search to get my usage. index=_internal source=*license_usage.log earliest=@d| eval GB=b/1024/1024 | stats sum(GB) by pool | eval used='sum(GB)' | fields used Also how do I remove the decimals? ... View more

Can I add descriptive text to a chart on a dashboard. If yes - how. The only way I can get this work is by adding a new row. I really want the text to be with the chart. ... View more

I have a dashboard with a few table views. I want the first event to be the most recent event (so sort by most recent event) - like the way they are displayed by default when you do a search. I do not have a time stamp field. ... View more

We're trying to exclude a machine from receiving an app through the Deployment server. In the serverclass "Windows Inputs-events" we want all machines except "WORKSTATIONA" to receive the app. The machine previously had the app installed before we added the blacklist entry. Will adding the blacklist entry remove the app from the machine? How can we exclude it? Windows Inputs-events [serverClass:Windows-events] restartSplunkd = true machineTypes = windows-intel,windows-x64 filterType = whitelist whitelist.0 =* blacklist.0 = WORKSTATIONA* [serverClass:Windows-events:app:WinEvents] [serverClass:Windows-events:app:WMI] ... View more

This is my search.... index=network source="/u01/noc/log/internetCisco.log" denied |top 100 src_ip | lookup geoip clientip as src_ip | fields client_country | search client_country!="United States" search client_country!="" | stats count by client_country This will only show me a count of 10 for each country. How can I get the top count per country? I saw something about limit=0, but I do not know where to put this??? ... View more

My results are like... src_ip src_geo count 55.89.12.11 US 25 I want the result to be like... src_ip and src geo count 55.89.12.11 - US 25 I want this so I can create a chart that shows the src_ip associated with a country and the count. the src_ip and src_geo - I want this to be a new field ... View more

The following search is not giving me what I want.. sourcetype="sidewinder" action="blocked" direction="internal" | top 100 src_ip, dest_port, dest_ip What I really want is the top src_ip, and then all the destination ip(s) associated with the src_ip. Better yet, with the dest_port. So I would like for it to look something like this... src_ip dest_ip dest_port count 122.22.15.51 58.25.66.95 53 200 95.55.41.55 443 178 85.99.55.32 1935 87 125.55.98.52 128.22.19.23 443 925 125.15.15.89 53 839 ... View more

My search looks like this: index=webproxy | regex user=".+a" | top 100 user results are j9999la I want to list the real result, but also remove anything after the first 5 character and display this also. The result j9999 can be used in a lookup to give me a person's name. So what I really want to see is user user_name real_name j9999la j9999 John Doe If I get the everything after the 5th character removed - I can handle the rest UPDATE This does exactly what I want it to do, but I thought I would be able to figure out the second part - not really... So, the results of user_name relate to a person. If the results of the user_name were part of the original data and it was called user - I would have additional fields returned with information on the user, such as full name, location, phone, etc. We query an employee database twice a day to populate a csv containing all the employees. How can I pass my results of user_name to the csv to populate the employee data? BTW - not sure how we do this, but I do not pass anything to the csv now - it is just part of my data. This was setup by professional services. ... View more