try something like: protocol="TCP" | transaction maxpause=1m dest | search info="SYN" info="FIN" info="ACK" the transaction will create a multivalue field on info, so the seach above makes more sense. ... View more

okay. I understand ... View more

OK, no worries.. there was no rush, as I say it helps others (those looking for questions to answer, and those looking for answers to questions) 🙂 ... View more

i asked again because i thought my question wasn't clear enough. ... View more

I'm running into the same things - did you ever find a result? In my casae my alerts from perfmon work - but files don't. David ... View more

And I quote; "If you want to look at DoS attacks you might be better getting a dedicated solution for DoS and feed logs from that into Splunk. Packet capture on Splunk consumes ALOT of a license. Sadly at the moment Splunks licensing model isn't geared up for things quite like this. You can also quite easily block the indexQueue" Drainy, 17th April. To which you asked what feature of TCPDUMP makes it suitable as an IDS? My answer above was a reply to a question asking about getting packet data into Splunk. You need to go away and do some reading and research, you really cannot keep coming back and repeatedly asking questions about things that people have answered or tried to help you with. Also please stop asking a question and if you get no answer then posting the same question again but with more detail. Simply edit your previous question, this will also bump it back to the top of the forum. Finally, as a step up here are some resources to go and read, if you have read and learnt about these topics then please come and ask for more specific help. Asking if a DPI tool can detect DoS or if a DoS is an intrusion or infact if a DPI is an IDS shows a lack of understanding of the subject. This is not an area you should take lightly or jump into, if you are looking at these tools and services then you clearly have a need for them and so you should treat them as seriously as you require them with some solid research and understanding. After some reading hopefully you will be able to answer your own questions and then maybe come back with some other ones relating to how you can then use Splunk to enhance or improve visibility on these issues 🙂 http://en.wikipedia.org/wiki/Denial-of-service_attack http://www.windowsecurity.com/whitepapers/faq_network_intrusion_detection_systems_.html#1.10 http://en.wikipedia.org/wiki/Intrusion_detection_system ... View more

The common information model has it's own manual in particular you may wish to refer to using the CIM and the examples of using the CIM ... View more

Okay. Understood. ... View more

Well the txt version will still hold the same data. The actions that determine the content are your capture settings in the first place and what you choose to save. To perform useful extraction from the above data you could write your own regular expressions and then use a combination of a props.conf and a transforms.conf to performthe extraction at search or index time ... View more

okay i see. I go check them out. ... View more

i uninstalled Splunk and reinstalled Splunk before you replied me. i didn't mind uninstalling splunk and i am alright at resuming Splunk at its default state. The info you gave me would come in handy for me. Thanks. ... View more

now we have the PCAP Analyzer for Splunk APP 🙂 https://splunkbase.splunk.com/app/2748/ ... View more

You need to URL-encode any form data that you post. You can use the java method java.net.URLEncoder.encode() for this. Incidentally, you're not really using the Splunk Java SDK here. You are actually just working directly with the REST API from Java here. That's fine, as the REST API is fully supported. But the SDK in general should not require you to be getting into the details of making HTTP/REST calls work. ... View more

please see my answer to your other similar question: http://splunk-base.splunk.com/answers/44955/create-new-field-extraction-regex-expression-via-rest-api-java-sdk ... View more

Current release is scheduled for June 2012. ... View more

SplunkJavaLogging is bundled with a build of the SDK in splunk.jar ... View more

If your original question was answered it would be good if you could start "accepting" answers. It helps out splunkbase. ... View more

Like I said, without search-time field extractions there would be no fields for you to retrieve. Splunk extracts some fields automatically - if it finds text like "fieldX=valueX" in the raw event, the field "fieldX" will be created with the value "valueX". This is also a search-time field extraction that is done automatically for you. If you're already getting all the fields you need through this technique, it is true that you don't need to define any more field extractions yourself. ... View more

This is an internal field that specifys which Splunk Indexer the event was retrieved from. In a distributed architecture you might have several Splunk Indexers (aka Search Peers) that your event data is stored across. ... View more

you can also edit the role to include other indexes that will be included by default, hence no need to use index=xyz ... View more

Okay. I understand now. I won't ask the question anymore. ... View more

How to disable - extracting the fields based on key=value format in splunk, this is messing up my fields information, as i have defined columns in transform.conf file. ... View more

Yes. You need to make sure to specify which fields you want to be returned in your search request, but the extractions will be persistent, yes. ... View more

You can access individual sections. Read docs: http://docs.splunk.com/Documentation/Splunk/4.3.1/RESTAPI/RESTknowledge#data.2Fprops.2Fextractions ... View more

okay.kkkkkkk ... View more