I don't understand why this should be so difficult....okay, here is my search: host=* index=_internal OR index=main | stats count(_time) by host index This does generate the data I want - for each host, there is a count of number of events in each of the two indexes. I want to split the bar graph by index, and display the count(_time) in each index for each host. So host x should display one bar, split as two colors - one for each index - and each color indicating the number of events in that index. And all of the hosts should comprise the x-axis. So that way I can compare the ratio of fill of each index, for each host. I can't find any examples of stacked charts online that help me much. Liked I said, seems like this should be easy.... ... View more

Windows Security Event Log eventid 4738 has multiple fields that Splunk extracts values for, which is great, but we're talking about 19+ fields, many of which usually have only a useless "-" for a value. That's too many fields to display all in one table on a dashboard. I want to build a table that displays only the values that are NOT "-"; I am only interested in the values that have actually been changed. Here's an example of good 'ol 4738: A user account was changed. Subject: Security ID: ACME-FR\administrator Account Name: administrator Account Domain: ACME-FR Logon ID: 0x20f9d Target Account: Security ID: ACME-FR\John.Locke Account Name: John.Locke Account Domain: ACME-FR Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x4010 User Account Control: 'Not Delegated' - Enabled User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: - ....So, the first problem is that I want some Splunk search commands that will go through all of the fields, discarding anything with "-" for a value, but adding anything else to a table, which will ultimately only show what's changed. Second problem is: in the example, notice that the User Account Control: field has a value listed not on the same line, but instead underneath it, apparently on another line. Splunk does NOT see that text as a value for the field. I have tried using regex to capture that value, including things like new line ^ , EOL $ , multiple spaces \s+ , but am unable to capture that text!! Any suggestions? ... View more

I want to extract a field that has multiple email addresses, each one followed by an IP address, all of which appear at the very end of a MS Windows event. My ultimate goal is to capture all of the email addresses in one field, up to the end of the event, but then remove the IP addresses, so I am left with just the email addresses. My regexes so far will not capture beyond the first "Authorized Recipient" email address, and there could a hundred or more recipient addresses listed, depending on the size of a distro list. Here's a sample of the event, with the exact formatting for how Splunk displays it in search results: Time LogName=etc EventCode=etc etc etc Message=Message Validation Success This action was requested by blah.blah@blah.com. (-no problem extracting these other values to fields) Message Subject: blah Other info: blah blah blah text blah. Authorized Recipients: blah1.blah@blah.com (000.000.000.000) (- this is an IPv4 address) blah2.blah@blah.com (000.000.000.000) blah3.blah@blah.com (000.000.000.000) etc, etc, etc..... Here's the pertinent portion of my latest regex: rex "(?m)Authorized\sRecipients:\s+(?P.*)" ...but it only captures the first email address and IP under recipients. I want to capture all of them, regardless how many are listed. I'm still a regex newbie, but I know the capture should be greedy, up to the end of the event. ... View more

I've got input from a syslog source, that looks like this: 2012-10-10 04:04:52[connection-5] AUTH: User xxx authenticated. 2012-10-10 04:04:52[Scan Thread: document1.doc -> /127.0.0.1] MODULES: File analysis I want to extract the user (xxx) and document1.doc fields at search time, if possible, for inclusion in a table, and charts, etc, but am having trouble devising a rex statement in the search that can extract both values as different fields, yet from the same source. A conditional regex is what I am looking for. This would also be part of a transaction (the next step to undertake). Any suggestions would be great!.... ... View more

I don't have a lot of disk space on my indexers. I know that i can reduce the amount of logging and number of metrics.log files created by manipulating the appenders section of log.cfg, but the following messages still get logged far too frequently: -0400 INFO StatusMgr - sourcePort=XXXX, ssl=nnnnnn, statusee=TcpInputProcessor Apparently these get logged constantly, and although they help when a connection is lost, I honestly don't need to see them as long as everything is working fine. How can I reduce just this specific message type (INFO StatusMgr), or eliminate it altogether, and thereby save on disk space? ... View more