Damn 20 sec too late ... View more

Hi Andyk, that should not have caused a problem. You may have another configuration issue. It may be worth looking through splunkd.log for error messages. ... View more

You can cause splunk to reload these and many other config files by going to the following URL http://localhost:8000/debug/refresh obviously replace localhost with your server. ... View more

Splunk tracks which file it has seen in it's thefishbucket index. On a heavyweight or lightweight forwarder, you can run the following ON THE FORWARDER to clean data that was previously collected. splunk stop splunk clean eventdata -f splunk start on a universal forwarder you need to delete the fishbucket folder. delete $SPLUNK_HOME/var/lib/splunk/fishbucket splunk restart ... View more

Hi Muralee This sounds to me like a permissions problem that will need to be sorted in the local.meta configuration file. Searches in some apps are not allocated an owner which would happen if they were created in the UI. This prevents issues if the account doesn't exist when the app is installed but occasionally it gets confused when it has been modified a couple of times by other users. I would look in your $SPLUNK_HOME/etc/apps/SplunkPCIComplianceSuite/metadata/local.meta file for a stanza [savedsearches/PCI%201.2%20-%20Rule%20-%20Detect%20Communication%20Directly%20To%20Untrusted%20From%20Trusted] and add the following line below it replacing admin with a valid administrator account. owner = admin BUT I think the underlying issue is more serious. You are masking a potential threat by changing this. There are three potential scenarios. 1) you have an ip address marked as trusted that shouldn't be. 2) you have an ip address marked as untrusted that should be trusted. 3) Someone or something is making connections that shouldn't be allowed. The first two can easily be remedied by editing your lookup file network_domain_list.csv the third should be investigated and possibly blocked by your firewall. Do you really want to ignore up to 5 instances of scenario 3. ... View more

Hi Sahil. This question is a bit vague. What port are you interested in monitoring (Router, Switch Firewall, Windows or Unix Server)? Is it being logged and is splunk picking up the events? Once you have identified the events, you can write a search and save it as an alert. This can be done through the GUI (web) or in a config file. If you are new to splunk, I would do it in the web interface, search app. You should never edit the files in a /README/ or /default/ folder. If you decide to do it in the config file, I would recommend you edit (or add) it in $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf Bob ... View more

adding limit=10 to the sort command does the same as head but is more efficient as splunk doesn't have to sort all lines. The top comand by default returns 10 but you can change it by adding limit=xx to any number you want. ... View more

The only thing I can see wrong (assuming the fields exist in your data) is the sort command. Try | sort - cnt limit=10 but it would probably be easier to use the top command. ...| eval time_sec = round(time_taken/1000) | where time_sec > 100 | top cs_uri_stem showperc=f Bob ... View more

You can use $description$ but I have not found anything else. ... View more

oops. That last line should have been TRANSFORMS = ... View more

This is the default action for syslog data. It overwrites the host with whatever it finds after the timestamp. You can get round this by changing the sourcetype to something else or turning off the default processing for syslog data. To stop the default processing add the following two lines to a local/props.conf file. [syslog] TRANSFORMS ... View more

Please can you tell us the sourcetype and paste a couple of lines of the log. I suspect it is similar enough to syslog that splunk is trying to extract the host field from the data but where syslog would normally have a host, your data has the weekday. If so, setting the sourcetype to something else should fix it. Bob ... View more

if you add " | reverse " to the end of your search it will reverse the order and show you the oldest ones on the first page. ... View more

Your search includes < and > which are not legal the way you have used them in XML so I am surprised you get anything. I recommend you surround your search in a cdata construct (See below). You also have square braces [ and ] in a rex that should be escaped \[ and \]. And also you have "| where Delta > 0" which will filter out any zero values. < searchstring > < ![CDATA[ ((sourcetype="Cron_SendNotificationEmail") OR (sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record")) source="" NOT host=".bmp2." earliest=-1d@d latest=-0d@d | rex "send_to_email ?\[(?P < send_to_email > S+)\]" max_match=1000 | rex "(?P < inserting_a_record > Inserting a record.)" max_match=1000 | search inserting_a_record="" OR send_to_email="*" | eval Delta = inserting_a_record - send_to_email | eval status = if(Delta==0, "OK", "ERROR") | rangemap field=Delta low=0-0 default=severe ]]> < /searchstring > It is also good practice to tell the single value which field you want displaying by adding. < option name="field" > Delta < /option > ... View more

Yes. You need to move the eval to after the timechart. |timechart distinct_count(Stuff) |eval Time=strftime(_time, "%m/%d/%Y %H:%M:%S") but this will leave you with both _time and Time and in my case Time was at the wrong end of the table so I added the following. | fields - _time | table Time * ... View more

All savedsearches are related to an app. There is no system context for them so splunk does not look for a file in the system/local directory. ... View more