the rex command has a max_matches option so you could try something like: | rex "Path (? .*)" | rex field=temporary_field max_match=10 "(? [a-z_]+)" Update To do this automatically you will have to use the regular expression in a configs file called props.conf & transforms.conf. You can place those files in $SPLUNK_HOME/etc/system/local to start. props.conf [my_sourcetype] TRANSFORMS-tempfield = tempfield TRANSFORMS-mv_field = mv_field transforms.conf [tempfield] REGEX=Path (.*) FORMAT=temporary_field::$1 [mv_field] SOURCE_KEY=temporary_field REGEX=([a-z_]+) FORMAT=mv_field::$1 MV_ADD=true There is more information here --> documentation. I also suggest that you read about Technology Add ons the ESS and PCI Apps/Suites from Splunk are built on this approach. The idea is to put all the configuration that is necessary to parse & extract fields for a technology into an app that can be used by all the splunk users/apps at your site. Does that make sense? ... View more

Hi you could append the following stats command to your base search that results in the table you describe: <base search> | stats count(eval(isnotnull(Col1))) as Col1Entries count(eval(isnotnull(Col2))) as Col2Entries If this does not help some sample data would be great to better understand your problem. Chris ... View more

Hi keinoda No you can't set a daily limit for a single index. If you want to do that you would have to set up a seperate indexer machine and create a single index on it and then assign that machine to a pool. You can set the maximum size of an index but that does not have anything to do with the licensing. Chris ... View more

The base search is returning results right? index=msexchange Username="*" Then this should work: index=msexchange Username="*"| timechart partial=f fixedrange=f limit=0 span=30d count by Username ... View more

Unless I am totally missing the big picture here this is a pretty standard setup. Splunk recommends to use a agent called universal forwarder to get windows data from remote machines: http://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindowsdata If the 2 new computers can reach the splunk enterprise installation over the network this should work. Monitoring the event log and the security log is not a problem. 1.) Set up a TCP data input on your splunk enterprise server (where the indexes are, 9997 is the standard port): >> Documentation: Configure you inputs >> Documentation: Get data from TCP and UDP ports 2.) Install the forwarder on the 2 computers configure them to send the data to your splunk enterprise: >> Documentation: Deploy a Windows universal forwarder via the installer GUI >> Documentation: Install a universal forwarder on a Windows server ... View more

+1 same problem here ... View more

Thanks for posting this. ... View more

I do not know, I've added a tag ... View more

Thanks for your answer I do not have access to the splunk installation anymore, since I do not work for that company anymore.This could have been the reason. ... View more

Thank you for the answer I asked this question a while ago and do not have access to that particular splunk installation any more, so I can't verify but I don't think that this was the issue. ... View more

What you usally do is define search time field extractions, which are defined on the search head. The search head will then push those configurations (called knowledge bundle) to the indexers when you search. The bundle is updated when you update the configuration. You can add fields at index time on the indexers when data is indexed this is usually not recommended because of possible performance issues, but it depends on your use case. http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Configureindex-timefieldextraction ... View more

Maybe you could start by copying one of the commands in the search app. uniq.py a very basic example. ... View more

Have you had a look at the sideview-utils app http://sideviewapps.com/apps/sideview-utils/ it will provide the $foo$ keys you can use and make developing views/dashboards a lot easier. There are a lot of demos of the features the app adds to the standard Splunk UI possibilities. ... View more

You can use the firebug (http://getfirebug.com/css) extension for the firefox browser to easily find out which css class has to be modified in your application.css that is describen in the proposed link. ... View more

If the information is redundant in one single event I would configure the field extraction to only extract one value (if that is an option). If you extract the same field from different logs/sources it makes sense to use the same field throughout your entire splunk installation. Splunk proposes the Common Information Model (CIM) to help you. I'm afraid that checking (whether it is redundant data in single event, or verifying field content/names from different sources) your data is a manual process. ... View more

Thank you. ... View more

Glad you found the answer to the issue, I didn't think of that. ... View more

Hm my bad, sorry. I updated the answer. The streamstats part was not correct. This is a search that works on internal splunk data: index=_internal source="metrics.log" largest_size="" | table name,largest_size | sort -largest_size | streamstats count by name | stats list(eval(if(count<11,largest_size,null()))) as Values by name ... View more

Hmm, this should work ... I just tried the same on an a Splunk instance i have acces to. I tried with different user roles admin,power,user all worked. Do you have a distributed environment (Seperate servers for search head & indexers)? Then you should create the file on the search head. Oh and by var/run/splunk you mean $SPLUNK_HOME/var/run/splunk right? Oh and the splunk process does have access to the file names.csv. You're probably good an all those basic things, just trying to help you pin down the problem. ... View more