I want all results from a search to be the default for a multiselect input box. I don't think it can be done with SimpleXML but I suspect it can happen with JavaScript using the val method. How would I run the search from the search manager, retrieve the results and fill in the Multiselect box? ... View more

I have a chart which has a time picker to look at the the volume of data indexed on all our master license servers. When you click on one of the hosts, a new panel appears with a chart and table based on the previous panel. I want to provide a timepicker for that panel and set the defaults to the time selected in the previous panel. <input type="time" token="all_master_time" searchWhenChanged="true"> <label></label> <default> <earliest>-7d@h</earliest> <latest>now</latest> </default> </input> ... <panel ... > <input type="time" token="slavetime" searchWhenChanged="true"> <label></label> <default> <earliest>$all_master_time.earliest$</earliest> <latest>$all_master_time.latest$</latest> </default> </input> Is this possible? ... View more

In the blog posting "Making a dashboard with tabs (and searches that run when clicked)" http://blogs.splunk.com/2015/03/30/making-a-dashboard-with-tabs-and-searches-that-run-when-clicked/ On tab 5, the author uses a fact that appears undocumented, if a token is undefined, the search will not happen. I have looked all over the web for info about this feature and wonder if someone knows where this is documented as a feature. I know it is mentioned in the article but it would be nice if this was put in documentation. ... View more

I did the two following searches using the same license_usage.log file and got different results for yesterday's total bytes used by that indexer. Why are they different and which is more accurate? index=_internal host=splunk source=*license_usage.log type="RolloverSummary" slave=09F538B3-E658-4C42-A213-EE89679465E0 | eval _time=_time - 43200 | bin _time span=1d | eval TotalBytes=b/1024/1024/1024 Result: 63.288 GB index = _internal host = splunk source = *license_usage.log type = "Usage" i=09F538B3-E658-4C42-A213-EE89679465E0 | stats sum(b) as TotalBytes | eval TotalBytes=TotalBytes/1024/1024/1024 Result: 63.2525 GB Same time span - different result. ... View more

I want one total for the bytes sent to both the main and default index since they are both the same index. The license_usage.log file records them as different indexes because I believe we have forwarders not configured to send to a specific index. 02-17-2016 05:07:19.006 -0500 INFO LicenseUsage - type=Usage s="WinEventLog:System" st="WinEventLog:System" h="WS-Piano" o="" idx="default" i="09F538B3-E658-4C42-A213-EE89679465E0" pool="auto_generated_pool_enterprise" b=5922 poolsz=204010946560 02-17-2016 05:07:20.488 -0500 INFO LicenseUsage - type=Usage s="udp:514" st=syslog h="129.6.79.11" o="" idx="main" i="E3E369A5-DE83-47BC-804E-153BC246D021" pool="auto_generated_pool_enterprise" b=94889 poolsz=204010946560 Here is the search used by the Usage over 30 days for index use via the licensing selection under settings. I have removed the eval's that are not pertinent to the question. | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st,idx Is there a way to rename those idx called "default" to "main" before doing the sum and then be able to sum both default and main into one total for my report? ... View more

We had to put the log files in the /san/splunk/var/log/splunk directory vs the /opt/splunk/var/log/splunk directory. Of course, I can modify apps that have hard coded the path to files in that directory. Is there a way to use props or transform on the indexer with the awkward path so the source will show up as /opt/splunk/var/log/splunk on the search head? That way, I don't have to modify the search in apps needing to find files in the /san/splunk/var/log/splunk directory. ... View more

I want to keep more than 5 copies of eventgen.log. The log file is located in /opt/splunk/var/log/splunk, but is not one of the standard log files. How do I configure Splunk to keep more copies of this file? It looks like $SPLUNK_HOME/etc/log.cfg has specific lines for each log file and I don't know what to add to this file to manage eventgen.log. ... View more

Apache log data has out of the box sourcetypes, but no tag file to associate a tag of web to Apache log entries and I can't find an add-on which defines all the extractions for Apache logs. This is important because the Enterprise Security App uses that tag to store web data into the proper data model. How have other ES users dealt with Apache log data? Is there an add-on for Apache or a default file to define the web tag for Apache web servers? ... View more

We are getting requests for apps which haven't been updated since Splunk went from 5.x to 6.x. Besides the fact the app may not run (not an issue with this particular app), is there any reason to believe that such an app would impact our splunk infrastructure because it is a 5.x app? I know some apps will cause performance issues because they have poorly designed searches or didn't use such things like summary indexes. I would argue that even Splunk 6 apps could cause similar issues. ... View more

The sourcetype for udp514 is set to syslog. Where is this defined? Is it hard coded in Splunkd or is it defined in a file in /opt/splunk ? If the latter, where is it defined? Thanks, Sean Coleman ... View more

When I load data as described below, the indexed timestamp does not match the timestamp in the event. I finally figured out it had to do with the the MAX_TIMESTAMP_LOOKAHEAD=1 being set in the props.conf file. Basically, the indexed timestamp is the time when the data was indexed. (This file was written by Splunk). When I commented out the MAX_... line, Splunk starts to correctly record the proper index time. Please explain why that line messes up the data indexing. From the Splunk_TA_Mcafee add-on, the props.conf file has the following entry: [source::....mcafee_epo] sourcetype = mcafee:epo SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+ MAX_TIMESTAMP_LOOKAHEAD=1 TIME_FORMAT=%Y-%m-%d %H:%M:%S TZ=UTC # McAfee EPO DB Connect # [mcafee:epo] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+ MAX_TIMESTAMP_LOOKAHEAD=1 TIME_FORMAT=%Y-%m-%d %H:%M:%S TZ=UTC Here is part of the data in the sample: 2010-09-01 22:34:38 AutoID="87760225" signature="none" threat_type="none" signat ure_id="1038" category="ops.task.end" severity_id="2" event_description="Scan fo und infected files." received_timestamp="2010-09-01 22:32:24" file_name="None" d etection_method="(g\xE9r\xE9e) acme OnDemand Scan (VSE 8.7i) (N)" action="none" threat_handled="1" logon_user="Syst\xE8me" user="t_charlyc" dest_nt_domain="acme tech" dest_dns="PARLCHARLYC01" dest_nt_host="PARLCHARLYC01" fqdn="PARLCHARLYC01. acmetech.net" dest_ip="10.72.5.39" dest_netmask="" dest_mac="0018de7ccd03" os="W indows 7" sp="" os_version="6.1" os_build="7600" timezone="Paris, Madrid" src_dn s="None" src_ip="10.72.3.164" src_mac="None" process="None" url="None" logon_use r="None" is_laptop="1" product="VirusScan Enterprise" product_version="8.7" engi ne_version="5400.1158" dat_version="5400.1158" vse_dat_version="6091.0000" vse_e ngine64_version="" vse_engine_version="5400.1158" vse_hotfix="3" vse_product_ver sion="8.7.0.570.Wrk" vse_sp="" antispyware_version="8.7.0.129 2010-09-01 22:34:28 AutoID="87760224" signature="none" threat_type="none" signat ure_id="1038" category="ops.task.end" severity_id="2" event_description="Scan fo und infected files." received_timestamp="2010-09-01 22:30:43" file_name="None" d etection_method="(managed) acme OnDemand Scan (VSE 8.7i) (N)" action="none" thre at_handled="1" logon_user="SYSTEM" user="peteh" dest_nt_domain="acmetech" dest_d ns="LONWPETEH02" dest_nt_host="LONWPETEH02" fqdn="LONWPETEH02.acmetech.net" dest _ip="10.30.160.39" dest_netmask="" dest_mac="b8ac6fa02447" os="Windows 7" sp="" os_version="6.1" os_build="7600" timezone="GMT Standard Time" src_dns="None" src _ip="10.30.160.39" src_mac="None" process="None" url="None" logon_user="None" is _laptop="0" product="VirusScan Enterprise" product_version="8.7" engine_version= "5400.1158" dat_version="5400.1158" vse_dat_version="6091.0000" vse_engine64_ver sion="5400.1158" vse_engine_version="5400.1158" vse_hotfix="3" vse_product_versi on="8.7.0.570.Wrk" vse_sp="" antispyware_version="8.7.0.129 ... View more

The sample data which comes with the TA-sav add-on has its timestamp in a weird hexadecimal format. It looks like this: 2701140D2636. This number contains 6 hexadecimal octets. The first (27) is hex for the number of years since 1970, 2nd (01) month, 3rd (day), 4th ( hour), 5th (minute) and 6th (seconds). Can Splunk, via its transforms and props, convert this date to something which can be indexed or searched? If so, how? ... View more