Hi @rlaan, good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the Contributors;-) ... View more

Thank you for the suggestion, I will have to do some reading into these components and how to configure them, I currently do not have clustered search heads or indexers replicating the data so i did not think they were required.  It provides me with a direction to investigate, thank you! ... View more

You can use time buckets and do stats on that, like this ...search... | bin _time span=5m | stats range(_time) as duration earliest(_time) as first latest(_time) as last by _time which is using an arbitrary 5 minute time bucket - you could do some post processing of that stats to then "group" the buckets together where there is a non empty bucket, so you can collect a larger group.   ... View more

We are setup with a following main servers 1- search head 1- deployment/license server 2- heavy forward 2- indexer (no replication)  ... View more

For the Windows part, i'd take in account how long they will be around. When only a few months then this can be your path, when longer then i'd upgrade the windows ufw as well, to have a clean environment. ... View more

Nice, thanks for posting your solution. Fixed the code. Yeah, I always have to check my wheres for capital letters on OR and AND, double == on equals, and % versus *. I know too darn many languages... ... View more

As with most objects in Splunk, you can control a tag's sharing between private (default), app (requires write permissions for the app), and global (requires admin) as well as per-role read and write permissions - just go to Settings -> Tags -> All unique tags -> Permissions for the tag you want to share. For adding a large list I'd drop down to tags.conf and insert them there in bulk - whether you do that on your search head, or through a deployment server managed app doesn't really matter. Just do it like you manage all your Splunk configuration. Alternatively, you could maintain a lookup file that resolves hosts to a stage field, and have users search using that field. Should be easier to maintain for large lists, but can be slower to search for. ... View more

I have finally heard back from the Engineering team, and understand that the behaviour is as per design. In order to explain this, may I request you to please take a look at the following links: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Segmentersconf http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Create_a_field_from_a_subtoken Now, let me take an example each of working and non-working case: Event in Set A: 10.2.0.1 - - [16/Aug/2015:14:52:25 -0600] "GET /%2e/WEB-INF/web.xml HTTP/1.1" 302 388 Event in Set B: 10.2.0.1 20.10.2.2 [21/Aug/2015:03:08:30 -0600] [pid 15599:tid 46921285732672] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 404 188 1187 Now, when you search for %2E, event in Set A would get listed, but event in Set B wouldn't. This is because, %2e in Set A is in between delimiters (minor breaker / ), hence becomes a token. In case of Set B, %2e is part of a larger token, hence wouldn't get listed in the results. Next, if you search for %20, again event in Set B wouldn't get listed, as it is part of larger token. However, if you search for %2C, it will get listed because, it is adjacent to minor breaker ( / ). In summary, when you search a string, and don't want to make it greedy, then the same needs to be a token, or a sub-token(if configured the way it has been explained in the above link). If your string is a subset of a larger token, then you either need to search for the whole token, or make your search greedy, or extract it as a sub-token. To make your search non-greedy in this case, you would have to extract the required sub-tokens (%2E, %C1, %1C, %C0, %AE etc) using props.conf into a field, and then search for the field. For example, this is what I did (for %2e and %20 case): In props.conf, I created the following: [segment] EXTRACT-hex1 = (?%2e) EXTRACT-hex2 = (?%20) In fields.conf: [hex_code1] INDEXED = False INDEXED_VALUE = False [hex_code2] INDEXED = False INDEXED_VALUE = False Next, when I search for, say hex_code1=%2e, the results returned is same as the greedy search %2e*. The same with hex_code2=%20. ... View more

If you are trying to figure out how which app contains the setting which are being set use btool. ./splunk cmd btool --debug inputs list or ./splunk cmd btool --debug deploymentclient list Also search your _internal index for downloads from your deployment server. The peer field should have ip address of the host in question with which serverclasses are being applied. index=_internal PackageDownloadRestHandler I am assuming you are sending your deployment server logs to your indexers and your are running 6.3 or higher. ... View more