Currently I have many logs in most of which there are random IPs. I want to perform e search which will filter all these logs 2. Then to put all these IPs in a variable so I can create dashboards or reports by these. 1) I manage to achieve this like this: index=ourindex | regex "(\b(?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])\.){3}(?:(?:2([0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9]))\b)" So now I have all events in which there are IPs, but how I should get these now and put them in a variable. I guess I should use "eval" function or something else? Does macros will help here? Any assistance will be much appreciated. ... View more

Hello, Below you can find our configuration: Universal Forwarder installed – EXCH – Windows Server 2008 R2 Splunk Enterprise 6.2 installed – Windows Server 2008 R2 What we are trying to do is to filter(or not index) older events from the MSExchange APP - TA-Windows-2008R2-Exchange-IIS. We have logs(C:\inetpub\logs\LogFiles\W3SVC1) from 2010 which we don't need, what we only want is to indexed events from the last 5 days. We already tried by using MAX_DAYS_AGO = 5 in props.conf file - this was set in both Universal Forwarder and on the Web Splunk server(indexer), how ever it didn't worked: Web Splunk server(indexer) CProgram FilesSplunketcappssplunk_app_microsoft_exchangelocalprops.conf [MSWindows:2008R2:IIS] MAX_DAYS_AGO = 5 For some reason it indexed the events from the last 5 days(2014), but it also indexed events from 2012, don't know why it decide to take events from this particular year. Could you please help us on this? What we need is to index data from the last 5 days - [MSWindows:2008R2:IIS], all data older than the current 5 days needs to be deleted(frozen/nullQueued). The events from the other sourcetypes from the MSExchange APP are fine to be indexed, only the IIS is the problem one, because it is reaching our license limit. Do we need to create separate index for IIS or do you suggest something else? Thanks in advanced for your support. ... View more