All saved searches, and other knowledge objects are written to various .conf files in the $SPLUNK_HOME$/etc directory. This list of configuration files and Overview of configuration files may be of interest to you as a starting point. Additionally there are some REST endpoints, such as /servicesNS/-/-/saved/searches, and /servicesNS/-/-/directory among others that you may be interested in invoking in a programmatic manner (or with the |rest command in splunkweb as well. ... View more

What does the job inspector say? Does sourcetype="something" extract_datetime=* return results? (Also I'm not sure if it matters or not but usually I've always written Splunk commands in lower case (e.g. | where instead of | WHERE ) ... View more

If your field is like "2015-02-08 02:15:24" there's no way that the format "%m/%d/%Y" could match that. For one thing, there are no slashes in your sample data, secondly I think the date fields are in the wrong order, thirdly, you will likely want to include the correct format string for parsing the time portion as well ... View more

Assuming your field is being extracted as a string I would use something along the lines of |where isnotnull(extract_datetime) and len(extract_datetime) > 0 and strptime(extract_datetime,"format string here, I'm on a cell phone so looking it up would be difficult") >= relative_time(now(),"@d") Basically we keep those results where the field is a value, and we parse the field to a timestamp (strptime), and keep those only after midnight today (now() taken back to @d). Depending on the behavior of the strptime function, the first two clauses may be unnecessary, but I'd need to try things out on my Splunk instance to be sure. ... View more

Converted! ... View more

I'm not entirely sure what you're asking here. To use fields with special characters in them in eval and where functions you'd use single quotes to refer to the fields. (E.x. 'lpd.TestRxSNR' ) If you're having trouble extracting a value, you could also consider the rex command to use a regular expression instead. ... View more

I could have the over and by clause reversed, (being on an iPad in the airport this is a bit off the top of my head) the contents of the if function are the same as yours, also I used an as clause to get rid of the rename clause. ... View more

Being just a Splunk customer, I don't know for certain, (hence the comment) but I believe the majority of Splunk Mint Express came from a company called Bugsense that Splunk acquired in 2013. There may be details to be gleaned from their tumblr blog: http://blog.bugsense.com/ or various news articles of the same ... View more

Given the banter that has gone though the #splunk IRC room today and this splunk reactions post, I'd say you are not alone. ... View more

One side note... consider if you want the stats in the appendpipe commands to use count(X) or distinct_count(X) the former would count duplicate pairings twice, whereas the latter woud count them once. ... View more

You could actually accomplish this with a macro that takes no arguments, assuming that you know the input search has fields src and dst to work on: Your search would be: source="trips" | table src dst | `computeInOutDegrees` and your computeInOutDegrees macro would be: fields - idx | appendpipe [stats count(src) as outDegree by dst | rename dst as idx] | appendpipe [stats count(dst) as inDegree by src | rename src as idx] | stats max(*) as * by idx | fillnull Step by step: fields - idx - ensures that the input does not have a field called idx appendpipe [] - adds the idx in-degree and idx out-degree pairings to the result set. stats max(*) as * by idx - combines the two parings together based on common idx fields fillnull - ensures any cell without a value is 0. ... View more

Yes it's unexpected, But if you think of your search as a series of steps, the next step can only operate what's given to it by the previous step. Therefore extractions for cLabel are only useful to timechart if they are extracted by the base search. Now part of how fast mode works is that it only attempts to extract fields as needed ( see the doc ). To successfully search for all events where index=x sourcetype=y Splunk needs to do no extractions as index and sourcetype are default fields. However adding the condition that the cLabel field exists, Splunk now needs to do the extraction of cLabel in order to determine if a result meets this additional criteria. (Remember, Splunk is schemaless, and as a result most fields are extracted at search time only. While you know that the field is always filled in, that is something Splunk needs to see for itself) ... View more

That will always be an error. In an eval like command, count is not a function, in a stats like command you use an as clause to rename the field not = ... View more

The issue at hand I think is an understanding of the differences between eval and chart. eval lets you assign a value to a new field on each result (row / record) based on values of other fields in each result and functions applied to the same. Because eval works on a row by row basis, attempting to count the number of times a field is a certain value across all records isn't possible with the eval function. Additionally, eval only sets the value of a single field at a time. If you want to set multiple values you need multiple eval statements Stats (and other functions) on the other hand lets you apply statistical functions across all records in your record set, including but not limited to count(eval(testLogic=="ADD_PASS")) as Add_Count for example. You can calculate these statistics across the record set as a whole (the default) or you can add a by clause to group over a set of other fields with the same corresponding value set for those fields allowing you to answer questions that require such division. chart is the same as stats but it let's you group by only two fields instead of arbitrarily many. The reason for this is to help you setup a visual chart with multiple series of statistics over a field containing the x-axis values. As bucketed time windows is often the preferred x-axis when it comes to data in Splunk, the timechart command is the chart command where the x-axis is simply the _time field, divided into buckets (every day, hour, minute, etc). Now with the basics out of the way let's look at your data. For this, I'm assuming that everything before the first underscore is a parent job identifier and that time is discrete strings as is in your question. So if we do base search to retrieve data | rex field=stepName "^(?[^_]+)_" | stats count(eval(stepStatus=="PASS")) as nPass by time,parentId | eval nPass=if(nPass>0,1,0) | chart max(nPass) by parentId over time this begins to get us an approximation of what you are looking for. If time is actually _time and a Unix time stamp value instead of a discrete string, the above will change as you'll need to solve bucketing issues (for example do I have 1 or multiple runs of my overall job in my bucket,if multiple pass is that 1 or potentially 2?). also think should a partial success be counted differently or not. But I leave that as an exercise to you dear asker, and hope this early morning explanation helps ... View more

It needs to be done on a Splunk instance doing parsing. That'd be an Indexer or Heavy Forwarder, but not a Universal Forwarder. ... View more

I'll admit I haven't used SA-ldapsearch yet, but according to its docs at least the sAMAccountName should be the member_name field in the output of the ldapgroup command? ... View more

Comment because I haven't tried it out yet, but are you passing the remaining indexes back as a semicolon delineated list? That's the format of that property in authorize.conf ... View more

In this case, tom's use of stats count and the first eval are just to setup a dummy event for testing. He's suggesting that you use the following rex and eval ... View more