Hi, I am using a props/transforms TRANSFORM to add the source (log file) name to the _raw log event line. props.conf: [GC_throughput] TRANSFORMS-GC_throughput = GC_add_source transforms.conf [GC_add_source] SOURCE_KEY = MetaData:Source REGEX = ^source::(.*)$ FORMAT = $1 $0 DEST_KEY = _raw For some reason an "extra", event is being created on the Splunk server which is empty apart from the added source field. It doesn't even have a timestamp or anything, so is given a timestamp at the time it was indexed. Ie. when not using the props/transforms, there are two events: 2012-02-17T13:19:43.101+0000: 1906587.847: [GC [PSYoungGen: 261184K->608K(261440K)] 422309K->161797K(1047872K), 0.0133890 secs] 2012-02-17T12:45:13.623+0000: 1904518.369: [GC [PSYoungGen: 261024K->384K(261504K)] 422093K->161509K(1047936K), 0.0166770 secs] [Times: user=0.01 sys=0.00, real=0.01 secs] When I use the props/transform: /tmp/verboseSunGC.log /tmp/verboseSunGC.log 2012-02-17T13:19:43.101+0000: 1906587.847: [GC [PSYoungGen: 261184K->608K(261440K)] 422309K->161797K(1047872K), 0.0133890 secs] /tmp/verboseSunGC.log 2012-02-17T12:45:13.623+0000: 1904518.369: [GC [PSYoungGen: 261024K->384K(261504K)] 422093K->161509K(1047936K), 0.0166770 secs] [Times: user=0.01 sys=0.00, real=0.01 secs] Why is this, and/or what am I doing wrong? ... View more

Hi, We need to calculate mean, median, perc95 and stdev statistics for multiple fields from a huge log every day. Each search takes a long time, and we plan to use summary indexing to record the stats. We have encountered a problem when trying to come up with the summary search syntax. We originally tried to use a search like this: eventtype="Livehosts" sourcetype="WLSDealStats" dealToConfirm confirm NOT manualDealResponse | ua2os | geoip client_address | strcat lsHwPlatform "_" lsOperatingSystem "_" lsMaxDelayMillis lsConfigType | stats mean(totalTime) median(totalTime) perc95(totalTime) stdev(totalTime) mean(initialDealResponse) median(initialDealResponse) perc95(initialDealResponse) stdev(initialDealResponse) by lsConfigType web_site_id browser client_address_countryname However, this produces quite a large table, containing a stats entry for each possible combination of all of the by clauses, eg. lsConfigType web_site_id browser client_address_countryname mean(totalTime) … G5_RH5_50 aum Chrome Europe 556 … G5_RH5_50 aum Chrome France 637.8 … G5_RH5_50 aum Chrome Netherlands 732.4 … G5_RH5_50 aum Chrome United Kingdom 677.653846 … G5_RH5_50 aum Firefox 1 Europe 2493.333333 … G5_RH5_50 aum Firefox 1 France 616.857143 … G5_RH5_50 aum Firefox 1 Netherlands 889 … G5_RH5_50 aum Firefox 1 United Kingdom 1252.6 … G5_RH5_50 aum Firefox 3 Netherlands 526.5 … G5_RH5_50 aum Firefox 3 United Kingdom 571.75 … It is not actually possible to work out the overall mean(totalTime) for say, the Chrome browser type from this information. What we really need is a table containing only the overall stats for each of the specified fields, not each combination of all possible fields OR a way to run different post-processing over a data set multiple times (I know post processing is available within a dashboard, but remember this is for summary searching, not to mention it is limited to 10k results). An example could be this, which is like four separate tables merged together: mean(totalTime) median(totalTime) web_site_id aum 123 234 web_site_id sgx 345 456 client_address_countryname Europe etc … client_address_countryname France … … client_address_countryname United Kingdom … … browser Chrome … … browser Firefox 1 … … browser Firefox 3 … … We can run the search four times, each time specifying a single by clause only, but this seems inefficient as we have to search over the same (large) data set four times just to do different stats calculations. Also it is not scalable - every time someone wants to report on a new field, we have to create new searches for it rather than just add the field to a single search. ... View more

...or do I need to raise an enhancement request? Allowing only horizontal text labels only on x-axis point labels means that more often than not for the kinds of things I am charting, labels are compressed to a useless "start...end" name. A common example is when creating distribution graphs with buckets named like "0-100", "1000-2000" etc. When you have more than a few of these, the number (and length) of the labels required means that the labels are unreadably truncated to "0...00" or "10...0", and you have to mouse over a data point on the chart to see what the value is. Having a vertical label option would solve all of these problems as you then have a very small fixed width for all x-axis labels (ie. the height of one character). ... View more

I am trying to create a histogram/distribution graph of deal durations, for comparison between where the user is accessing a website from. This search works more or less OK: "search that returns reults with deal durations in field totalTime" | chart count(_raw) as "Num Deals" by totalTime span=100 totalTime is returned as an integer 0-3000, meaning ideally I would have 30 buckets. My problem is that some locations are very slow, and there are no durations below 800. The chart command does not create any rows for durations lower than 800 (ie. 0-100, 100-200, 200-300 etc up to 700-800 are all missing). This makes direct comparisons between graphs difficult, as they do not show the same scale. Is there any way to force Splunk to create empty buckets (starting from zero) for charting as per my requirement? Splunk version 4.1.5. Cheers, Glenn ... View more

We have new Cisco UCS kit and would like to process its syslogs in Splunk. Has anyone already established a set of field extractions or dashboards that they would like to share? Are there any plans for Splunk to provide any within the product? I think this is likely to be a hardware options that will grow significantly in popularity over time. Example (scrubbed) logs: Oct 26 16:33:02 pgce0-su-0j-b.tia.sn.local : 1001 Oct 26 16:33:02 LON: %OTIS-6-EVENT: [G2140204][054002][transition][internal][] [REX:STAGE:STALE-SUCCESS]: MARY profile configuration on peer fabric(REX-STAGE:rea:bev:OrrgYfpxhgnFowZerley:Peer) Oct 26 16:32:52 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:52 VAN: %OTIS-3-PORT_FAILED: [D0047][cleared][port-failed][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-up, reason: Link failure or not-connected Oct 26 16:32:52 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:52 VAN: %OTIS-3-PORT_FAILED: [D0047][cleared][port-failed][sys/switch-B/slot-1/switch-ether/port-1] ether port 1 on fabric interconnect B gwyn state: link-up, reason: Link failure or not-connected Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:svc_rhonda,!!!!!!!!!!!,03030.000000,01263.000000 - jefferson Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:max-dorinda,$1$K1jNUXPu$1bpsCt0/xDbsWSwrfHXi//,-1.000000,01263.000000 - jefferson Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:admin,$1$lnRiXnQe$VQ0qXvmM0CfaJBU36ZLMk/,-1.000000,01263.000000 - jefferson Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:ronnie,!,-1.000000,01263.000000 - jefferson Oct 26 16:32:51 pgce0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %OTIS-3-OPERATIONAL_STATE_DOWN: [Y0231][major][operational-state-down][fabric/hal/A/tp-100] hal port-channel 100 on fabric interconnect A gwyn state: failed, reason: No operational members Oct 26 16:32:46 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:46 VAN: %OTIS-3-MEMBERSHIP_DOWN: [T0025][cleared][membership-down][fabric/hal/A/tp-101/ai-slot-1-port-3] hal Member 1/3 of Port-Channel 101 on fabric interconnect A is down, membership: down Oct 26 16:32:46 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:46 VAN: %OTIS-3-MEMBERSHIP_DOWN: [T0025][cleared][membership-down][fabric/hal/A/tp-101/ai-slot-1-port-1] hal Member 1/1 of Port-Channel 101 on fabric interconnect A is down, membership: down Oct 26 16:32:30 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:30 VAN: %OTIS-3-LINK_DOWN: [Y0035][major][link-down][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-down, reason: Link failure or not-connected Oct 26 16:32:30 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:30 VAN: %OTIS-3-PORT_FAILED: [D0047][major][port-failed][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-up, reason: Link failure or not-connected ... View more