Like Ayn I don't quite understand what you're after. Maybe you could post some sample events with the desired output format. Maybe one of those works for you: index=myindex | table execTime,objectName | sort -execTime | streamstats count by objectName | stats list(eval(if(count<11,execTime,null()))) as MaxTime by objectName index=myindex | table execTime,objectName | sort -execTime | streamstats count by objectName | where count < 11 ... View more

Hi yes this is possible, you have to define 2 groups in outputs.conf and specify which input (log path) you want to send to which group Link to routing documentation outputs.conf [tcpout:c] server=server1:9997 [tcpout:d] server=server2:9997 inputs.conf [monitor://path/file1.log] _TCP_ROUTING = c [monitor://path/file2.log] _TCP_ROUTING = d ... View more

I'm afraid your data is not searchable in splunk anymore. The _internal index has a frozenTimePeriodInSecs of 2419200 seconds which equals to 28 days by default, if haven't configured a coldToFrozenScript for the index the data was deleted. You can change that value by overriding the default in $SPLUNK_HOME/etc/system/local/indexes.conf. Jus add a [_internal] stanza and override any settings you want. To display the current settings you can use: /opt/splunk/bin/splunk btool indexes list _internal [_internal] . .. ... frozenTimePeriodInSecs = 2419200 .. . ... View more

Try this: | stats count by src_user,src_ip,category | sort -count | streamstats count as counter by src_user,src_ip | stats sum(count) as total_count list(eval(if(counter<4,category,null()))) as values by src_user,src_ip Explanation | stats count by src_user,src_ip,category -> you need the count of every category to find out the top 3 | sort -count -> get the most frequent categorys first | streamstats count as counter by src_user,src_ip -> add a rank/counter for the categories by frequency | stats sum(count) as total_count list(eval(if(counter<4,category,null()))) as values by src_user,src_ip ->only take the categories into the final result that have a rank that is smaller than 4 ( = top 3) ----- Udpate ----- You could use either the ranking based or a percentage based "base search": | stats count by src_user,src_ip,category | sort -count | streamstats count as counter by src_user,src_ip | where counter <3 | stats count by src_user,src_ip,category | eventstats sum(count) as total_hits by src_user,src_ip | eval percentage=count/total_hits | where percentage>0.33 And the filter for categories you are interested in. If you know the interesting categories you could append: | search category=xy OR category=yz or maybe | search category!=xy AND category!=yz If you want to include/exclude the categories based on the frequency they occur you could have a seperate search that populates a lookup with the categories you want to include/exclude (this would be a kind of baseline) and then use that to filter your results. But from what you wrote I am guessing that you know the NSFW categories ... View more

If the cart & rack combination are unique and the log is chronological then this could work: basesearch | rex "Cart(?<cart>\d)\srack\s(?<rack>\d)" | streamstats count by cart,rack onyl search for events containing INFO in your basesearch ... View more

Hi tradecraft, I would set up the different DNS logs to have different sourcetypes (info, more info) Then based on those sourcetypes I would configure automatic field (search time) extractions using props.conf and transforms.conf (info). The fields that you create should have the same names. The Common Information Model (CIM) suggests names (CIM info, field reference) that can/should be used accross all sourcetypes to make the searches easy. To make your solution reusable you should organize the configurations (props & transforms) in so called technology add ons (Info about TAs). This is a lot of work but it is worth it, you will have a solid Splunk installation that can easily fullfill future requirements. A lot of Work has already been done. Have a look at the bind app: download here And the Active Directory app contains an add on for windows DNS download here (unpack the tar.gz and search for TA-DNSServer-NT5 or TA-DNSServer-NT6 and put that folder into your apps directory). I'm not sure whether the field names of the AD App are CIM compliant but if the fields are extracted the can be aliased. I would only start using a summary index if the amount of events you have to process in one search is too big (if a single search takes too long to complete). Hope this gets you started ... View more

How about: sourcetype="WinEventLog:Security" | rex "(?i)Account Name:\s+(?<a_fire_account>.*fire.*)" I recommend that you download the Splunk for Windows technology add-on: http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on It does field extractions in windows events for you (so you don't have to worry about rex to much) Then you can search as follows: sourcetype="WinEventLog:Security" Account_Name="*fire*" ... View more

How about: (?i)humidity : (?P<fieldname>[\d\.]+) ... View more

Hi, Sigi Puchbauer helped me with this once. This is how he suggested to solve the issue: You create an additional internal lookup that you can use to lookup internal ips ... | lookup geoip clientip | lookup internal_geoip ip as clientip OUTPUTNEW _geo The internal_geoip Lookup is a CSV File with the following format: ip,_geo "10.1.1.0/24","47.11,8.15" "10.1.2.0/24","77.11,-8.15" In $SPLUNK_HOME/etc/system/default/transforms.conf the lookup has to be configured to make a CIDR match: [internal_geoip] filename = internal_geoip.csv match_type = CIDR(ip) You can then create a macro that does both lookup for you to make the searches easier ... | `geoip(clientip)` ... View more

The date you have is in csv format or has been reduced to a tabular format using the search language right? To play around I converted what is listed below src_type_data to user.csv and the list below src_type_scale to scale.csv The csv files were created in $SPLUNK_HOME/etc/system/lookups The following search does display a table with the fields you want, but I don't quite understand how the scale and data are related, the result doesn't have a lot to do with normal distribution... | inputlookup user.csv | stats mean(spent) as spent by type | map search="| inputlookup scale.csv | eval type=$type$ | eval dist=tonumber($spent$)-Scale "| chart avg(dist) by Scale,type ... View more