Short question. i have a directory that contains log files that look somethign liek this: aaa.2012-05-22.log but the system will compress them up after they go cold i.e. aaa.2012-05-22.log.gz in this case, will Splunk detect this new file in the directory that its monitoring and index the file? or would it still ignore it as the exact same log has already been indexed before. ... View more

sourcetype="typea" "Change in Working IP" | join Equipment_ID overwrite=false [search sourcetype="typeb" ErrorType = "POWERDOWN" | top Equipment_ID | fields + Equipment_ID _time | rename _time as toggletime] | table _time toggletime Equipment_ID here is my searchstring whereby my subsearch retrieves 'powerdown' error types from typeb sourcetype. returns it to typea which has events that changed IP addr. this is to check if the IP change is due to a powerdown(aka reboot). however, im unsure if there is a constraint on the time window from my searchstring. i need some advice if this constraint is possible timewindow: typeb's event must occur first before typea's events. EDIT: ive attempted to use join and it works. however, is there a way to constraint this Before events to within a specified timewindow instead now (e.g. A happens 5 min before B, reject late instances)? and im having trouble converting toggletime's timestring("1339519632.644") back to actual time. using ctime() gives me a totally different value from its original 😞 ... View more

Is there a way to trigger different displays depending on certain conditions? for example: if the count for this particular event exceeds 50. i wont want to have a list view. instead, a line chart would be better to show and track the behaviour trends or (event storm) within that hour.. while if its less that 50, perhaps a list is enough to observe if the anomalies. It doesnt seem possible but i would still like to throw this question out to more splunk savvy folks. Thanks! ... View more

the default _time are actually at the time of indexing. however my logs have another time string which i have to separately extract now. e.g _time Date Time 05/06/2012 13:19:00.000 7/24/2011 1:47:05 basically im trying to create a timechart but span=1h seems to only affect _time. Any one has encountered such a situation before? I wan to apply it to "Time" field at the very least? or is there any way to change _time to reflect the new time. ... View more

EDIT1: ive tweaked my regex abit. now i can extract the 'optional' fields i want. but im stumped at this particular log. ill post it here while i continuing to work on it as well 🙂 Summary: {a}{b}{c}{d}{msg} are fields. {a}{b}{msg} can be extracted {a}{b}{c}{msg} can be extracted {a}{b}{c}{d}{msg} can be extracted having trouble with {msg} field that makes some 'message' unextractable. (i suspect this is the cause) Details: here are some sample logs:(extracted the specific portion) my regex is as follows: (?i),"?\[(?P<Instance>\w+)\] (?P<System>[^\.]+)\.(?P<Subsystem>[^\.\s]+)\.*(?P<Application>[^\.\s]*)?\.*(?P<Object>[^\s]*)?\s(?P<Message>.+)"?,(CLOSED|OPEN) event 1: ,"[cng2] CIT.COS.MW (QUEUE.MANAGER)citos.cos.m msg pending, oldest 346s (exceed threshold) 04:15",CLOSED Instance: cng2 System: CIT Subsystem: COS Application: MW Object: Message: (QUEUE.MANAGER)citos.cos.m msg pending, oldest 346s (exceed threshold) 04:15 event 2: ,"[OPS-TPTCC02] CIT.SS.COMMONS TException: [TS07] Disable sending function to TS, please contact administrators to resolve the issue.",OPEN, Nothing extracted. However, there is actually another field after "Open" called severity that was extracted from this. So i found out about this missing event. event 3: ,[cng1] CIT.Monitor Server is not being monitored,CLOSED, Instance: cng1 System: CIT Subsystem: Monitor Application: Object: Message: Server is not being monitored ... View more

ok. so i uploaded this log once. let's call it logA.csv with sourcetype: temp the monitor looks something like this: [ ...desktop\folder\logA.csv] so ive done my field extractions and everything and am pretty confident to get on with monitoring the entire directory. so i changed my monitor in inputs.conf to: [...desktop\folder\] blacklist = *.xls disabled = false followTail = 0 sourcetype = temp and restarted splunk. now i have several sourcetypes inside: temp, temp-2, temp-3, temp-4 is there anyway to fix this? temp-2, temp-3, temp-4 doesnt show up in props.conf at all as well. was there any step that went wrong? ... View more

A sample sequence of my log goes something like this 07/03/2011 15:26,07/03/2011 15:26,...,... Refresh Process is starting up,CLOSED,UNKNOWN,Smarts-Appmon,0,,,,etcetc OR 07/03/2011 15:06,07/03/2011 15:06,...,... Monitor ...,CLOSED,WARNING,Appmon,0,etcetc OR 07/03/2011 14:55,07/03/2011 14:55,...,..,...,CLOSED,NORMAL,SNMP,0,etcetc so.. im trying to extract the [warning] which varies from "Warning","Normal","Major","Minor","Critical","Unknown" however Web extraction gives me: "(?i),CLOSED,(?P [^,]+)" but the field before it could be "OPEN" as well. I tried to add a CLOSED|OPEN but it became an error. can someone enlighten me? another field im having trouble is [source] the regex was based on the number of commas, however, from the 2 examples i given, this is not necessarily true as well. they vary from 5(1st and 2nd) to 6 (3rd log). this problem is similar to my first question. Thanks for taking your time to read! ... View more