Hi Glenn, There are two approaches for getting the information joined together, using stats or transaction, assuming you can extract your "thing A" into a field called step : sourcetype=process | stats values(step) as step values(_time) as times by id sourcetype=process | eval time2=_time | transaction Xid id mvlist="step,time2" If you can't extract a field, an alternative is to define eventtypes which you can use as a step description or numbering. Subsequently we can start looking analysis, and one common use case is to look at flow paths or steps taken to determine if there are stuck IDs, and a neat way of doing so is to use mvcombine: | mvcombine step | stats count by step Additionally you want to compute step duration, which is hard to do in pure SPL, but can be achieved using a custom search script helper, like stepstats: From the transaction example above | stepstats step,time2 which will compute the durations. If you need the stepstats command, drop me an email on dart@splunk.com Additionally, if you're looking to make different expected duration steps comparable, Apdex may be of interest. ... View more

If you don't want to use DB connect you will have to build your own scripted or modular input - essentially you would have to reimplement DB Connect. ... View more

Hi, When you're asking about login to IIS, do you mean logging onto Windows, or logging into a web page/app? If it's the former, then the Splunk App for Windows includes setup for looking at windows logins, if it's the latter, and you're recording authentication in the IIS logs, then the Splunk Add-on for Weblogs can help you set up field extractions for pulling out the user field, which should get you most of the way to a report on logged in users. ... View more

Hi, You're correct about the file origin. If you grab the Splunk App for Netapp it includes SA-Utils, which contains handling for tsidx retention. configurable with tsidx_retention.conf. ... View more

Are you able to install the Splunk On Splunk app? It's possible that you are getting queue congestion which will shut down the receiving port. Splunk on Splunk's Queues views and Errors and Warnings should give us some more information for working out what's happening. ... View more

You can see what is being returned if you use the search job inspector - it will have an entry like subsearch returned that should fill you in on what came through ... View more

I think your issue is your match: [local_ip] filename = local_ip.csv max_matches = 1 min_matches = 1 match_type = CIDR(clientip) As the field in the lookup is called clientip. ... View more

I'd be tempted to extract both the original exception, and the optional 2nd one if it exists as seperate field extractions, then handle it in your search, with something like coalesce. ... View more

Hi Cesar, Looks like you might be character encoding issues - can you try manually specifying a character set? dart ... View more

I like to use tags for this use case. Tags can be applied to any field, or can be applied to an eventtype for a more complex exclusion. ... View more

Are you hitting the regular /services version of the endpoint or the namespaced /servicesNS one? For this I'd suggest you might need to use the namespaced one. This search worked for me: | rest /servicesNS/-/-/scheduled/views According to the documentation the scheduled/views endpoint should give you all the schedules. ... View more

I tried hitting that URL, and all I got back in my browser was a search page with this: "> alert(document.domain) Set as the search. I don't think there is an exploitable vulnerability here, but I will file this with the Splunk Product Security Vulnerabilities ... View more

In general you can also do this by setting the ttl globally for all saved searches: # in $SPLUNK_HOME/etc/system/local/savedsearches.conf # set default artifact time to live to 1h dispatch.ttl = 1h ... View more

Most D3 chart objects can be styled with CSS. Use your favourite web browsers development tools to try changing the CSS properties. For example this is some of the css from nv.d3.css: .nvd3 .nv-axis path { fill: none; stroke: #000; stroke-opacity: .75; shape-rendering: crispEdges; } You could change the stroke property. ... View more

The bucket names Splunk assigns have two timestamps, giving the time range of events in the bucket. You'll need all the buckets that cover the time range you are interested in. For restoring multiple buckets you might want to have a look at shuttl. ... View more

I'd strongly suggest you use the timewrap command for this use case. The documentation should give you some guidance on how to contruct the searches you are after. ... View more

Another possibility is the Splunkit app. ... View more

Does this one work: index=storage | timechart max(storage_cap_consumed) by storage_pool ... View more

Your commands.conf should look like this: [samplePython] filename = SavedSearch.py Then you can call it like so: | savedsearch UsersCount_byDomain_Pie | samplePython ... View more

You should be able to with a search like this: sourcetype=my_sourcetype | timechart min(AvailableCapacity) by Pool Assuming you called the fields the same names as your header. ... View more

I'd strongly suggest that you get the application to log complete timestamps (ideally in ISO format with timezone). If you are unable to do so, are you able to remove the date from the filename? If you are unable to do so, you can try modifying your props.conf like so: [my_application_source_type] TIME_FORMAT = %H:%M:%S,%3N MAX_DAYS_AGO=1 If none of those options are viable, you can just use the current time: [my_application_source_type] DATETIME_CONFIG = CURRENT ... View more

A few problems I have seen in deployments of the VMWare app: Data Collection Node not set to forward to your indexers Hydra Workers not having all roles enabled What do the health views contain in the app? ... View more