I've just configured fschange on a lab test environment with a windows 7 forwarder, a W2k8 server and splunk 4.1.5. This is to duplicate a customer environment. I've set up fschange forwarding, and it's working as well as it can at the moment. It is, however, irritating that sourcetype and index cannot be set. I hope splunk get around to fixing this some time. What I'm finding is that however I manipulate the file modes in windows, I'm not getting any events from fschange. I am seeing heaps of audit events via the Security Event Log, but the windows file permission mechanism and masking is complex and I'm having trouble sifting out the interesting events in a concise way. What I need to show is not just that a file changed, but also when the access mode changes. I observe that the "mode" field from fschange only ever shows "rwxrwxrwx". This looks like a rather crude attempt to shoehorn windows file modes into unix-like ones, and it doesn't seem to work properly. Note that if you disable all file access modes but don't actually remove the file, this shows up in fschange as a 'delete' action, which is wrong, but I can see how splunk got there. Does anyone know a reliable way to show when windows file access modes change, either with fschange or some other way? ... View more

Is there any way to get popup or lite mode AccountBar WITH the logo clickable? This would be very useful for turning off all nav except reloading or stopping a restricted dashboard... ... View more

I'd like to be able to drop specific users into a custom dashboard WITHOUT modifying the defaults for e.g. the Search app. Also I don't want to have to make an entire copy of the Search app just to do this. How can I go about this? Is it a Request For Enhancement maybe? ... View more

I have the following query which almost does what I want: sourcetype="cisco_wsa_squid" | lookup teamlookup cs_username | search tl_logon != "" | stats count(s_hostname) AS Hits, sum(sc_bytes) AS Bytes by tl_display, m_display, s_hostname | eval MBytes=round((Bytes/(1024*1024)),2) | fields - Bytes | dedup tl_display,m_display sortby tl_display, m_display, -num(MBytes) keepevents=t What this is supposed to do is summarise hits and traffic by site, team member and team leader. I obviously don't want see line items except for the combination of site, Hits and MBytes. teamlookup just works out what team the user belongs to. Not all staff are in teams for splunk reporting purposes. But I want to limit my output to 15 rows per group. Both dedup 15 ... and dedup ... limit=15 produce a broken result which is correct for the first 15 rows, then omits the leading field but shows all the events that I'm trying to suppress. Has anyone else seen anything like this? Is is a bug? Splunk v 4.1.4 on Linux. ... View more

I find myself continually mystified by Splunk's strategy for placing things like event types, saved searches etc. How can this behaviour be controlled, and how can I tell splunk e.g. I do not want my saved search to be saved in etc/users/username/[app]/local but in the app savedsearches.conf itself? Is there any enhancement in prospect to be able to control where a new is object is placed when you create it? Or at least display the current context so you can find the darn thing easily later? ... View more

Hi all, We use google apps in the office and it requires ssl/tls. Splunk sendemail.py does not seem to be able to cope with this; does anyone else have email alerts working with google apps, and if so, how? We're running splunk on linux so I suppose configuring a local MTA is an option, but this seems like a lot of apparatus. We've only just finished turning off all the internal mail servers 🙂 ... View more

I have a source which is csv but has no headers. I'm trying to set up props.conf and transforms.conf to supply these rather than have to edit every csv file to add them, but the darn thing won't work. Here is props.conf: [winsec_csv] TRANSFORMS-winsec = extract_winsec transforms.conf: [extract_winsec] DELIMS="," REGEX=* FIELDS = "logtype", "time", "logtype1", "eventcode", "status", "actiontype", "userid", "dc", "message" Sample events: SEC,06/05/2010 10:31:24,Security,540,Success,Logon/Logoff ,UNISUPER\MEPUTIL04$,MEPDOM02,Successful Network Logon:^ User Name: MEPUTIL04$^ Domain: UNISUPER^ Logon ID: (0x0 0x27048EFB)^ Logon Type: 3^ Logon Process: Kerberos^ Authentication Package: Kerberos^ Workstation Name: ^ Logon GUID: {4fff3638-0ad5-b2d7-7358-2ae3dd4509b3}^ Caller User Name: -^ Caller Domain: -^ Caller Logon ID: -^ Caller Process ID: -^ Transited Services: -^ Source Network Address: 10.3.37.101^ Source Port: 0^ SEC,06/05/2010 10:31:26,Security,540,Success,Logon/Logoff ,UNISUPER\WS-02241$,MEPDOM02,Successful Network Logon:^ User Name: WS-02241$^ Domain: UNISUPER^ Logon ID: (0x0 0x2704BA25)^ Logon Type: 3^ Logon Process: Kerberos^ Authentication Package: Kerberos^ Workstation Name: ^ Logon GUID: {268894b4-e2a0-3b99-b2a8-c446da5c7eca}^ Caller User Name: -^ Caller Domain: -^ Caller Logon ID: -^ Caller Process ID: -^ Transited Services: -^ Source Network Address: 10.3.0.160^ Source Port: 0^ The REGEX I have added in frustration because of the error 'REGEX must be specified'--don't see why, it's not used. Now no data is being indexed at all, but I don't get the error message... Yes this is windows security event log but for complicated reasons I can't use it directly--have to have this. How do I do this? I can use a generic solution to this for other scenarios anyway. The documentation shows this to be straightforward--so why won't it go?? ... View more

Has anyone else been getting logged out of splunk in only a few minutes, regardless of the settings for session timeout? I'm using splunk 4.1.3/4 and firefox 3.6.8 but this problem has been around since version 4 came out. It's driving me nuts. I don't like IE but it doesn't do this at least. I can't be the only person this is happening to surely! ... View more