That implies TimeLoggedInSecs is null. Can you post an extended example with source events, if applicable? ... View more

Hi @achauhan2098, Your whitelist should work, but if you have other WinEventLog stanzas present and do not want to index their events, do set disabled = 1 in those stanzas. By default, all events in the referenced event log will be indexed. ... View more

Hi @willryals, Have you tried converting the field to a number first? | eval TimeLoggedIn=tostring(tonumber(TimeLoggedInSecs), "duration") strftime treats 25595 as a Unix epoch value, which is why it's converted to (1970-01-01) 07:06:35 UTC or a time dependent on your locale, e.g. 01:06:35 for US Central Time. ... View more

Hi @aaronhernandez, Did you review the contents of the peer's search log? What were the last errors logged before the process terminated? ... View more

Similar to @woodcock's answer, Splunk 8.1 adds the mvmap function to iterate over multi-valued field values. This makes it easy to replace characters in a string: | makeresults | eval value="randomize this" | eval mask=" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~" | eval random_value=mvjoin(mvmap(split(value, ""), substr(mask, random()%len(mask), 1)), "") The replace function and rex command can also be used to mask values, but the replacement value is only evaluated once: | makeresults | eval value="randomize this" | eval masked_value=replace(value, ".", "*") | makeresults | eval value="randomize this" | rex field=value mode=sed "s/./*/g" Hash functions, lookup tables, and other methods are also useful, depending on why you want to randomize, mask, or deidentify your data. ... View more

I don't think you can do this in a column chart. The tooltip HTML is created from a single series using the point value (X,Y) under the mouse pointer. Are you open to custom solutions, or are you restricted to pure SimpleXML? ... View more

You raise a good point about data models. I've purposefully modified the event types to 1) constrain the data models to a specific index and 2) allow users with varying default indexes to search by event type independent of the data model. ... View more

Can you provide more context? The search contains no tokens, and as written, the search will fail with an unbalanced parentheses parsing error. ... View more

Can you clarify your question? "Totips" isn't a field in your search. If you want to display e.g. "Totips: 19" in place of "C: 19" in the tooltip, then simply replace C with Totips in your search: sourcetype="securitycenter" asset=AMER_MS_SRV OR asset=EMEA_MS_SRV OR asset=APAC_MS_SRV | rex field=asset "(?.)_MS_SRV|" |chart eval(round(latest(crit),0)) as **Totips* by name |eval pos = case(name=="AMER","1",name=="EMEA","2",name=="APAC","3",name==name,"4") | sort pos| eval target=1 | table name, Totips, target ... View more

Create a simple lookup file, e.g. sourcetype_ghi_lookup.csv, with two fields, sourcetype and ghi. E.g. For sourcetype=1 and sourcetype=2: sourcetype,ghi 1,"some ghi value" 2,"another ghi value" | lookup sourcetype_ghi_lookup.csv sourcetype output ghi You can use the file in both a lookup and automatic lookup definition to omit the lookup command in searches and populate the ghi field automatically. ... View more

The Palo Alto add-on and app also assume the index is in your default index list for search. If you're not using main or if the index is not in your default index list, you'll need to copy and modify all event types in both apps in addition to enabling data model acceleration, e.g.: SplunkforPaloAltoNetworks/local/eventtypes.conf: [pan_wildfire_report] search = index=your_index (sourcetype=pan_wildfire_report OR sourcetype=pan:wildfire_report) Splunk_TA_paloalto/local/eventtypes.conf: [pan] search = index=your_index (sourcetype=pan_* OR sourcetype=pan:*) Replace "your_index" with your actual index. These are just examples. There are more event types in both apps. ... View more

Try adding MAX_TIMESTAMP_LOOKAHEAD to your props stanza: MAX_TIMESTAMP_LOOKAHEAD = 320 if the content length varies, use a value appropriate for the variance: MAX_TIMESTAMP_LOOKAHEAD = 512 I use multiples of 64 on x86-64 "just in case" Splunk allocates this as a separate buffer. Different architectures have different cache line sizes. ... View more

Yes. The limiting factor would most likely be the subsearch, not the lookup. After the subsearch executes, Splunk translates the outer search to: | inputlookup url_lookup where NOT (url=foo OR url=bar OR url=baz OR url=qux OR ...) up to the number or live URLs. Internal Splunk limits apply, but the search string itself can be quite long. I don't think the limit is documented, but it's probably related to the maximum request size accepted by splunkweb for manually typed searches and splunkd for derived searches. ... View more

If Splunk won't detect the source type for *.log, try sourcetype = log4j in inputs.conf. The *.json files may work automatically as _json, but if not, you can use a custom source type with either INDEXED_EXTRACTIONS = json or KV_MODE = json In props.conf. ... View more

(Edit: Removed note about limit option. It's only applicable to split-by groups.) If your goal is to display 86400 points, you'll need a browser viewport at least 86400 pixels wide plus chart overhead. On smaller displays, the chart will show a subset of evenly distributed values across the timeline. Depending on your desired chart width, you may want to optimize how data is aggregated in the timechart command rather than letting the chart drawing code handle it. ... View more

The original poster. "This" was shorthand for agreeing with you. ... View more

This. You don't want to lose precision by rounding before the aggregation. You may also want to look at sigfig, various rounding modes, and the settings and capabilities of floating point math on your architecture, all depending on your use cases. ... View more

What sort of problem are you having? If you don't have access to Splunk support or if the zip installation doesn't work as expected, folks here can help with Windows issues, too. ... View more

I've been under the impression that both the = and IN operators require that a field be defined. If you want to include events where username is not defined, i.e. null is valid but not in your value set, add the following to your search: NOT username IN (Johndoe Mikesomeone Jennifersomeoneelse) OR NOT username=* The search optimizer itself may treat =, IN and !=, NOT IN as equivalent and expand IN to = internally irrespective of the search bar formatter. Perhaps a Splunk employee can confirm. ... View more

If your switches support the feature and you have the capacity, yes, you should be able to use RSPAN to send traffic to a monitor port on the core switch. You can install Stream as a standalone Stream forwarder (no local instance of Splunk necessary), as an add-on on a Universal Forwarder, or as an add-on on a full instance of Splunk Enterprise (a heavy forwarder). Where and how you install Stream depends on your requirements. If you install the app and add-on on a single instance of Splunk Enterprise, you can manage everything locally and forward to indexers as needed. Whether or not this will meet your performance requirements depends on the volume and type of traffic you need to analyze. Since you're planning to install Stream on a virtual machine, the amount data you can process depends largely on whether you dedicate a physical interface--which is not always possible in converged environments--and pin CPU and memory resources. ... View more

Compatibility with Splunk Enterprise 7.2 was documented with the release of Splunk Stream 7.1.3 in April. ... View more

It depends on your topology or what you intend to capture. In the most basic configuration, you would define a monitor session (SPAN) destination interface on each switch and physically connect those interfaces to your VMware host hardware. If you have trunk interfaces between your switches, you can define an RSPAN VLAN to forward traffic to an interface on one switch and connect that interface to your VMware host hardware. You would couple either solution with an appropriate virtual switch configuration to bring the physical traffic to your virtual machine. With RSPAN, you can also forward traffic between virtual switches on multiple VMware hosts, which is desirable if you want to see VM-to-VM traffic. All of this comes at a cost, of course. You're increasing utilization of your switches, both physical and virtual, by mirroring or copying frames. Your switches will prefer live frames over monitored frames, so you'll likely see drops on your monitor interfaces. You also can't exceed the capacity of your monitor interfaces. I.e. It's not possible to monitor two fully utilized 1 Gbps interfaces over a single 1 Gbps monitor interface. I haven't used ERSPAN, but if your switches support it, the tunnel may mitigate drops during periods of increased activity. ... View more