So you can see the map? What kind of searches are you running? Are there any Javascript errors? ... View more

You have to edit the view (which is advanced XML) and set the param autoPostProcess to false: false ... View more

Can you add the csv data and the search your're using to map it to your question? ... View more

You can find the relevant documentation here: http://www.splunk.com/base/Documentation/4.1.7/Admin/Routeandfilterdata You need to send those events to the nullQueue via transforms. ... View more

What the transaction command does is simply grouping/merging events with the same value of the specified field(s) into one event. sourcetype is just another field for this command. So a simple search like this would create transaction events from multiple sourcetypes: sourcetype=my_sourcetype1 OR sourcetype=mysourcetype2 | transaction myTransactionField The only thing that matters is that the content of the field(s) used to build the transaction has the same value in those events that should get merged. ... View more

The multikv command helps you to split the tabular formatted events in to separate ones. You can use a query like this: sourcetype=ps | multikv | stats sum(pctCPU) as sumPctCPU by _time,host | timechart span=1m avg(sumPctCPU) by host ... View more

Yes, with limitations. The module setting autoPostProcess has to be turned off and the field _geo_count has to be populated with the value to be displayed. And the value can only be an integer number. ... View more

Plotting events on a map does not depend on an IP address. The current version of the module need the fields _lat (latitude) and _lng (longitude) to available in the final results. The content of the fields has to be the degrees of latitude/longitude as a floating point number: eg 47.11 Other notations (eg. degrees°,minutes',...) are not supported. The geonormalize command helps when the location information is not present in the _lat and _lng fields as it detects different patterns of field names where the information could be found and populates the _lat/_lng fields. When using the maps view (the default view of the app) or any other view where the module setting autoPostProcess is turned on, the geonormalize command is automatically added to the search. Note: In the upcomming 1.1 release of the app, the module will use a single field called _geo containing the combined latitude and longitude information instead of the 2 fields (_lat and _lng). The values have to separated by a comma. So for example a _geo field value of 47.11,8.15 would be valid. ... View more

Probably the most straight-forward way to do this is to use a regular expression. It's quite easy to translate such a substring expression to regex. In order to see the altered message, you have to change the content of the _raw field. eg. substring(message, charindex(message, "foo"), 20) would be translated as sourcetype=mysourcetype | rex "(?<_raw>foo.{17})" You can as well use the eval command to extract substrings, but there's no charindex equivalent available: sourcetype=mysourcetype | eval _raw=substr(_raw, 5, 25) ... View more

You can check yourself how much series are logged per interval by executing a search like this: index=_internal source=*metrics.log group=per_host_thruput | timechart span=30s dc(series) as dc_hosts | stats avg(dc_hosts) max(dc_hosts) min(dc_hosts) ... View more

This is a feature that will be included in the upcoming Splunk 4.2 release. ... View more

No, you don't need to seperate the fields with a comma. Any whitespace characeter is sufficient. ... View more

Try to explicitly require the fields you use, using the fields command: sourcetype="cloudfront_http" ... | fields + cdn_bandwidth cdn_tpmid tp_media_object_id ... | ... ... View more

You could calculate the seconds by hand: ... | rex field=myField "(?<myFieldHrs>\d+):(?<myFieldMins>\d+):(?<myFieldSecs>\d+)(?<myFieldSub>\.\d+)" | eval myField= tonumber(myFieldHrs)*3600 + tonumber(myFieldMins)*60 + tonumber(myFieldSecs) + tonumber(myFieldSub) ... View more