I would start by reviewing this troubleshooting section of the documentation related to the Splunk App for AD. ... View more

Ok, I will give it a test run and let you know how it turns out. Thanks again for the pointers @Ayn and @somesoni2 ... View more

I am not positive but I think we require index time to populate the dashboards for Splunk App for ES if I am not mistaken, which could definitely be the case. If this is not the case then field aliasing would work fine. ... View more

Isn't Field Aliasing at search time? We require index time field extraction/re-write. ... View more

This is a great tutorial: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial You can also download a copy of this free book: http://www.splunk.com/goto/book Here is more info about the Interactive Field Extractor (IFX): http://docs.splunk.com/Documentation/Splunk/6.0.1/Knowledge/ExtractfieldsinteractivelywithIFX ... View more

To answer your question... Yes, it is possible. This is the documentation you require: http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setupmultipleindexes#Route\_specific\_events\_to\_a\_different_index You would have to modify your REGEX statement in your transforms.conf to grab the events you require: [<transforms_A>] REGEX = EventCode:([0-9]{1,3}|1000) DEST_KEY = _MetaData:Index FORMAT = indexA [<transforms_B>] REGEX = EventCode:1(0[0-9]{3}|1000) DEST_KEY = _MetaData:Index FORMAT = indexB You might have to play around with the regex statements provided in example ... View more

One of the searches to populate that dashboard is Critical Network Traffic Analyzer: search = eventtype="ip_check" | stats count by src_ip dst_ip dst_port protocol | lookup threatscore clientip AS dst_ip | sort -threatscore Do your fields match the search? It would help if you could provide some sample log data as well. FYI: make sure to comment under my answer/post not your question otherwise I don't receive alert. ... View more

You can use instructions here to get Ubuntu on a 1st gen ATV you can obviously skip the XBMC portion: http://wiki.xbmc.org/index.php?title=HOW-TO:Install_Ubuntu_and_XBMC_on_Apple_TV_1 The above instructions worked flawlessly on an old 1st gen I had laying around that I re-purposed. Once you have Ubuntu running you can use the standard 32bit Splunk installer. Considering the 1st gen ATV only has 256mb of RAM and and a 1Ghz Intel processor I hope you don't expect much performance. I believe there was a 40Gb and 160Gb hard drive model. If you have a 40Gb model space may become an issue. ... View more

Good point... I was assuming retention was necessary when in fact it is not a requirement. ... View more

As long as you specify coldToFrozenDir in your indexes.conf you shouldn't have any problems using frozenTimePeriodInSecs and set it to 1555200 (seconds in 18 days) Here is the documentation: http://docs.splunk.com/Documentation/Splunk/6.0.1/Indexer/Configureindexstorage and here: http://docs.splunk.com/Documentation/Splunk/6.0.1/Indexer/Setaretirementandarchivingpolicy ... View more

I had to adjust the search parameter portion of the Threat_Map_Overview view in Settings » User interface » Views » Threat_Map_Overview to something like this: index=firewall | rename src as clientip | lookup threatscore clientip | where threatscore>0 | geoip clientip You might have to do the same for the dashboard in question. ... View more

I would suggest doing a packet capture on the Heavy Forwarder to understand what in fact is occurring. This appears to be anomalous behavior and could indicate you have a compromised system. ... View more

I have a similar setup and instructions here that could be of assistance: deepimpact.io/blog/splunkandfreeopen-sourcethreatintelligencefeeds ... View more

Yes, it was released on December 21st for use with Splunk 6. A maintenance release for Splunk was also released (6.01). Here are the "Known Issues" for ES 3.0.0: http://docs.splunk.com/Documentation/ES/latest/RN/KnownIssues ... View more

I also upgrade and was presented with the same error. I believe it is an artifact left behind from previous installation. You have to comment out your entries in /opt/splunk/etc/system/local/serverclass.conf The entry that was present in my serverclass.conf was the following: [global] # whitelist.0=* at the global level ensures that the machineTypesFilter attribute # invoked later will apply. whitelist.0=* [serverClass:AppsByMachineType] machineTypesFilter=linux-x86_64 [serverClass:AppsByMachineType:app:unix] # Deploy this app only to unix boxes - 32/64 bit. machineTypesFilter=linux-x86_64 After commenting it looked like this: #[global] # whitelist.0=* at the global level ensures that the machineTypesFilter attribute # invoked later will apply. #whitelist.0=* #[serverClass:AppsByMachineType] #machineTypesFilter=linux-x86_64 #[serverClass:AppsByMachineType:app:unix] # Deploy this app only to unix boxes - 32/64 bit. #machineTypesFilter=linux-x86_64 I then restarted /opt/splunk/bin/restart and the error message disappeared. ... View more

It is a very generalized question so hard to give you specific advice. What is it you are trying to monitor specifically? You can start here: http://www.splunk.com/view/infrastructure-monitoring/SP-CAAAHXJ Or here: http://apps.splunk.com/app/352/ ... View more

Thanks for the help... Timechart seems to be a more elegant solution. I was also able to find an answer using the search below your answer (it worked but it's ugly) ... View more

I think I just answered my own question with a little insight from Ayn: index=test sourcetype="traffic" earliest="-1q@q" latest="@q" | stats sum(packet_count) as packets | eval PPS = packets/7776000 ... View more

Ayn, thanks for the quick response, but I am receiving: Error in 'stats' command: The argument 'per_second(packet_count)' is invalid. packet_count is a fieldname with a respective value... The reason which I was trying to sum first. Sorry I left that out of my question. ... View more

Final search looked something like this: sourcetype="x" NOT src="0.0.0.0" (host="a" OR host="b" OR host="c" OR host="d")| stats dc(host) as dc by src | where dc>1 | sort - dc | lookup geoip clientip as src | fields - client_lat,client_lon,client_region,client_city | rename dc as "Clients Attacked" | rename client_country as Country ... View more

Thanks Martin. That pretty much gets me where I need to be. ... View more