Hi Splunkers, Considering delayed syslog data, I have tried the following scripts which output messages to the monitored file by Splunk. echo -n "Mon Sep 22 17:18:22 2014 +80:00 SESSIONID: "155" ENTRYID: "7" STATEMENT: "7" " >> sample.log sleep 3 echo "USERID: "GHOST" USERHOST: "Oracle10gR2_linux" TERMINAL: "pts/1" ACTION: "3" RETURNCODE: "0" OBJ$CREATOR: "SYS" OBJ$NAME: "DUAL" OS$USERID: "oracle"" >> sample.log props.conf is following. [sample] LINE_BREAKER = ([\r\n]+)\w{3}\s+\w{3}\s+\d+\s+\d+\:\d+\:\d+\s+\d{4} TIME_FORMAT = "%a %b %d %H:%M:%S %Y" Among 0 to 3 seconds as a sleep command argument, Splunk indexed this sample.log properly and it came to be a single event. However, from 4 seconds, Splunk indexed it as two events. So I was wondering how to expand this interval? If you know anything about it, please let me know. ... View more

Hi Splukers, I cannot get a search to produce what I want. Please help me. I tried the following search and got results. index=* app="*" | chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app | addtotals fieldname=total_byte sum_* | sort - total_byte Results app sum_send sum_rcv total_byte HTTP.BROWSER 7775148 50982187 58757335 Yum 300136 13395774 13695910 SSH 5558054 6727574 12285628 Wget 1029059 10632394 11661453 DNS 9008 3125787 3134795 Next I want to get top 3 apps and others list by total_byte like the following. app total_byte HTTP.BROWSER 58757335 Yum 13695910 SSH 12285628 Other 14796248 I tried this search, but I lost the app name.. And I also tried top total_bytes by app commands etc..but no good. index=* app="*" | chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app | addtotals fieldname=total_byte sum_* | sort - total_byte | top limit=3 total_byte showcount=f showperc=f useother=t So, how do I get what I want? Thank you very much. ... View more

Hello Splunkers, We plan to get NetFlow data from Cisco routers and switches by using the Splunk Add-on for NetFlow. https://splunkbase.splunk.com/app/1658/ We are now sizing Splunk architecture and cannot find any information about it. If you have already used the Splunk Add-on for NetFlow, please help me by answering following questions. How many flows can this Add-on process? How have you scaled your system, and how many routers and switches have you used with this Add-on? What can be the bottlenecks if incoming NetFlow data increases, like CPU cores or memory ? Of course, we appreciate other information about this add-on. Thank you for your help. ... View more

Hi Splunkers, I tried the new feature, Geospatial Visualization in Splunk V6.3 as "Option 1" posted on splunk blog. http://blogs.splunk.com/2015/10/01/use-custom-polygons-in-your-choropleth-maps/ But I cannot find any featureID after I put tutorial data to splunk and configured Xpath as posted on blog. KML file "cb_2014_us_cd114_500k.zip" is the same as posted in blog and splund.log said nothing about this. Can anyone try tutorial data and get a featureID ? Thank you for your help. ... View more

This post is not a question, but an enhancement request for Splunk Add-on for NetFlow Ver 3.0.1. I installed Splunk Enterprise 6.2.5 and Splunk Add-on for NetFlow Ver 3.0.1 on a Linux server and configured it by "configure.sh" in this add-on. Though I've done this almost default settings and transferred netflow packets to this UDP receiving port, I could not get any netflow packets in Splunk. ... View more

Hi Splunkers, I got the following multi-line event. # Time: 150601 17:30:31 # User@Host: sample[sample] @ SAMPLEAP [192.168.1.3] # Query_time: 3.295358 Lock_time: 0.000139 Rows_sent: 271 Rows_examined: 229938 SET timestamp=1433147431; SELECT YYYYYYYYYYYYYYYYYYYYYYYY # Time: 150601 17:30:32 # User@Host: sample[sample] @ SAMPLEAP [192.168.1.3] # Query_time: 3.278466 Lock_time: 0.000115 Rows_sent: 271 Rows_examined: 229942 SET timestamp=1433147432; SELECT ZZZZZZZZZZZZZZZZZZZZZZZZ # User@Host: sample[sample] @ SAMPLEAP [192.168.1.3] # Query_time: 3.487538 Lock_time: 0.000079 Rows_sent: 271 Rows_examined: 229942 SET timestamp=1433147432; INSERT BBBBBBBBBBBBBBBBBBBBBBBB I want to split this log into three events as followings. A "Time" record need to be always top of each event if it exists. But if it doesn't exist, event need to be split to a event beginning with a "User" record. # Time: 150601 17:30:31 # User@Host: sample[sample] @ SAMPLEAP [192.168.1.3] # Query_time: 3.295358 Lock_time: 0.000139 Rows_sent: 271 Rows_examined: 229938 SET timestamp=1433147431; SELECT YYYYYYYYYYYYYYYYYYYYYYYY # Time: 150601 17:30:32 # User@Host: sample[sample] @ SAMPLEAP [192.168.1.3] # Query_time: 3.278466 Lock_time: 0.000115 Rows_sent: 271 Rows_examined: 229942 SET timestamp=1433147432; SELECT ZZZZZZZZZZZZZZZZZZZZZZZZ # User@Host: sample[sample] @ SAMPLEAP [192.168.1.3] # Query_time: 3.487538 Lock_time: 0.000079 Rows_sent: 271 Rows_examined: 229942 SET timestamp=1433147432; INSERT BBBBBBBBBBBBBBBBBBBBBBBB How to make it ? Thank you for your help. ... View more

Hi Splunkers, I want to capture local mysql packet from redmine by Splunk App for stream. But we cannot capture it. This server includes apache server of redmine, and I can capture it. Why I cannot capture mysql packet ? Is it because Splunk stream app cannot capture on loop back interface ? ... View more