I think, that the easiest way to "integrate" a ticketing tool with Splunk ist to set up alerts and trigger a script that will create a ticket in your existing ticketing tool ( via whatever interface the tool offers).There is documentation here The Enterprise Security app does have a workflow implemented to deal with the notable events(which are more or less incidents) that are created. Both of those are part of ES though and not available out of the box in a standard Splunk installation. ... View more

What does your company do? There are lots of different use cases. Have a look at the apps section of splunk base to get some ideas. Connecting to databases, becoming PCI Compliant, monitoring VMware or Exchange there is a lot .... a lot of apps are free and you can learn from the saved searches in the apps. This might also be interesting http://demos.splunk.com/ ... View more

Hi jalfrey, you can apply props stanzas to sources or sourcetypes. The source is the path to a file the sourcetype is used to classify different sources with the same format. It is a good thing to work with sourcetypes. Splunk comes with predefined sourcetypes but you can also create your own if you have home grown applications with special log formats. I posted the example with the [source::xy] stanza because I thought it's the easiest way to start. Here is more Info: http://docs.splunk.com/Documentation/Splunk/latest/Data/Whysourcetypesmatter ... View more

You're welcome. By the way if you just accept the answer I will get points for that and you don't have to award extra points to me that are deduced from your account ... View more

I'm assuming that splunk recognizes the time stamp for the events. Splunk has internal time Fields that you can use. You can add the following to your search: date_hour>8 date_hour<17 ( date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday) To sum out you can try to append the following: | stats count by status_field,date_month ... View more

Hi agody, I just ran the following search on a test instance and it worked fine index=* | head 10 | rename _time as time | map search="search index=* earliest=$time$" what version of Splunk are you running on ... View more

Hi, you could use a search similar to this (the status field contains the http status code an host would contain the ip for your example): sourcetype="access_combined" | eval status_category=substr(status,0,1)+"xx" | stats count as total count(eval(status_category="4xx")) as bad_status by host | eval Percentage=100*round(bad_status/total,2) | where Percentage>10 Schedule the search to run in realtime over a window of 10 minutes and create one alert per result. If you need help creating the alert let me know. If you need help with the search -> post some example events and let me know if the source ip & status are extracted as fields (if you do not know what a field is yet I'll explain). ... View more

This is probably not what you want but you may be able to use the map command to get some results: index=_internal | stats count by host | addinfo |eval info_min_time=info_min_time-3600 | eval info_max_time=info_max_time+3600 | map search="search index=_internal host=$host$ starttimeu=$info_min_time$ endtimeu=$info_max_time$ | fields _raw" stats is used to return a list of the hosts in the base search addinfo adds the search timess of the search the evals change the span to whatever you want (+1h and -1h of the original searchspan) the map command will loop through every result (the list of hosts with the modified inf_min/max_time fields and do a search you want Someone else is going to have a better idea ... ... View more

To refresh props & transforms search time configs you can use the following command in splunk "| extract reload=True" (or restart Splunk). If you do a search are the fields that you defined in EXTRACT recognized? This has to work for the automated lookup to work. To check if the lookup configuration is ok you can use the following splunk comman "| inputlookup registrants". ... View more

There are 2 things that i can see here the stanza in props.conf should match the sourcetype of your events you are searching it is not related to the name in props or the lookup table if this is on purpose then you are ok. The 2nd thind is the automatic lookup definition it should be LOOKUP- =registrants applicationid. The error you get is probably because there is a lookup called registrant that is referenced in one of the props files somewhere. You can use $SPLUNK_HOME\bin\splunk btool props list --debug to see if registrant is referenced somewhere. ... View more

If you put your registrant.csv file in $SPLUNK_HOME/etc/system/lookups your command should work and you should see "John Doe" in the fields sidebar in a field called fullname. You will probably get an info message that looks similar to this: Assuming implicit lookup table with filename 'registrant.csv'. The 'proper/complete' way to do this is described in Configure field lookups in the Knowledge Manager Manual. You will have to create a transforms.conf file and optionally a props.conf file for automated lookups. Those files can also be used to do the field extraction that you're doing in the command for you. Both files can be created in $SPLUNK_HOME/etc/system/local/ To make things easier it makes sense to use sourcetypes in your searches and config files (all your inputs with the same log format should have the same sourcetype) your log looks almost like the predefined access_combined sourcetype but I do not think that the registrant field which is important for you is standard. So I suggest you set it to a custom value e.g. access_custom transforms.conf [registrant] filename = registrant.csv props.conf [access_custom] EXTRACT-fields=^(?<client_ip>[0-9\.]+) (?<user>[0-9\-]*) (?<profile>[0-9\-]*) (?<timestamp>\[[^\]]+\]) (?<url>\"[^\"]+\") (?<http_status>[0-9\-]+) (?<bytes>[0-9\-]+) (\"[^\"]+\") (?<user_agent>\"[^\"]+\") (?<processing_time>[0-9\-]+) (?<registrant>\"[^\"]+\") (?<forward_for>[0-9\.\-]+) LOOKUP-registrant=registrant registrant ... View more

This should work, I have just tried this on a Splunk 5.02 instance. What kind of error do you get with your environment? ... View more

If, you have further questions let me know. ... View more

Based on the table you have you can just add the following to your search: | timechart span=1d last(Occurences) by Attribute I'm assuming that the table is created by a splunk search and that the Date column is the _time field. ... View more

Hi fizwit, this is possible have a look at the documentation of the timechart command (Example 5) you were pretty close there is just an eval missing: index=logs | timechart count(eval(Error_Type="WARN")) AS WARN, count(eval(Error_Type="ERROR")) AS ERROR Good luck Chris ... View more

Hi, you could try something like this: source="/location/to/file" | rex "(?<special_error>This is one error)" | rex "(?<special_error>this is another error)" | eval error_type=if(isnotnull(special_error),special_error,"other") | stats count by error_type Just a few thoughts on the search it usually makes sense to search for a sourcetype instead of a source rex will extract a field by chaining 2 (or more rexes) for events with a differen format a field with the same name will be created if the error message ist always in the same position of your events a regular expression can be used to catch all the special error messages you want to automate things you can configure the props.conf & transforms.conf to extract fields automatically (step 2) If you can post some sample events it will be easier to help. Good luck ... View more

I don't think so ... but maybe someone will come up with a creative solution ... View more

Revised Answer: The short answer is: Yes splunk is designed for such tasks The following steps are required to reach your goal: Prepare the raw data (set the sourcetype, download & install the cisco app, create a firewall Index or modify the cisco app) Create Alert To reach your goal a few steps have to be accomplished but don't worry they're not that hard. You have Cisco ASA events in Splunk, there is a technology add on that you can download (it's free): >> Get it The app contains the necessary regexes and will extract a lot of fields by default for you. In order for the app to work the sourcetype of your logs have to either be "syslog" or "cisco:asa". From the sample that you posted in the question it appears as though you are forwarding the events over port 514:udp at some point. So on the Splunk Instance where the you configured the udp input you can set the sourcetype to cisco:asa if the cisco logs are the only logs that are sent to that port or maybe syslog if lots of sources with syslog sourcetype are sent to that port. If the udp transmission is only an intermediary step and you have an inputs.conf with a monitor stanza somewhere set the sourcetype there. The technology add on will try to send all the log files to the "firewall" index if your original sourcetype is syslog. You can either create that index or delete the following lin in $SPLUNK_HOME/etc/apps/TA-cisco_asa/default/props.conf: [syslog] TRANSFORMS-force_sourcetype = force_sourcetype_for_cisco_asa TRANSFORMS-force_index = force_index_for_cisco_asa -> delete/comment this line [cisco:asa] LOOKUP-vendor_action = cisco_asa_actions vendor_action OUTPUT action LOOKUP-app_type = cisco_asa_apptype sourcetype OUTPUT app ... .. . Then you can create the alert. This search will give you a list of source ips that occurred more than once: index=firewall sourcetype=cisco:asa 106100 | stats count by src_ip | where count>10 Then when you create the alert: By chosing to get an alert when the number of results is greater than 0, you will be notified whenever the list that search creates contains at least one row. There are different ways of doing this, but I think this is enough to get started. ... View more

You could try this over all time, but it can take a long time: | metasearch | stats dc(host) by index ... View more

Hi Nick, it's not just the comment (at least not on my Computer). It took me a while to find out that the problem is browser specific because I randomly switch between Browsers when creating views so I run into (visual) problems quickly. ... View more