Yep, all of this is possible with Splunk. The community could provide a better, clearer answer if you asked a more definite question, but here are some ideas. First, I would put the AD info into a lookup table. You could update this lookup regularly - you could even update the lookup by running a search. Then the list of files would be easy to set up as follows: sourcetype=filelist | lookup AD_lookup userId OUTPUT deptName userName | sort deptName userName fileName | table deptName userName fileName fileSize lastUpdated Of course, you might want a completely different report, or a summary report. But once you have the report, you can put it on a dashboard. And from a dashboard, you can customize the drill-down. Also, remember that Splunk searches data based on a timestamp - all events must have a time (or else Splunk will assign a time). You should consider the time parameters of your search. The Splunk Tutorial covers everything through creating lookups and building a dashboard. Drill-downs from a dashboard (using simple XML) are discussed in the Dashboards and Visualizations manual. Given both a bit of experience in Splunk and a reasonable knowledge of the data, I would expect that this could be constructed in a few hours at most. Finally, you might want to pick up a copy of the book Exploring Splunk - which is available as a free ebook or as hardcopy from Amazon or Splunk. This book will give you a lot of ideas about what you can do with Splunk. ... View more

Thanks, this looks great for long term usage. ... View more

Good point. I use regex a lot. ... View more

in the "rex" you meant "regex", right? If "regex" what will be the proper Splunk statement to run your suggested answer? Thanks. ... View more

Thanks, that did it! I added it just before the formatting "NOT [|inputlookup groups.csv | fields User]" ... View more

Splunk Support answered this.. I agree that there's little reason to use a forwarder restart to manage the ingestion of Windows DHCP logs. In Splunk version 5, the inputs.conf parameter 'initcrclength' was added and certainly could be utilized once you're running on that version. As you're on 4.3.x the best way to manage the DHCP logs is documented here: http://splunk-base.splunk.com/answers/1568/windows-dhcp-log-files-too-small-to-match-seekptr-checksum Paying particular attention to the example monitor stanza with the whitelist entry and crcsalt: whitelist = DhcpSrvLog.(Sun|Mon|Tue|Wed|Thu|Fri|Sat)$ crcSalt = That should give you the bits you need to add to the existing inputs.conf monitor stanza. ... View more

A method I'm working on for this involves doing the following: Perform a search over a longer period of time and count your events, such as: source="mystuff" | timestats span=1m count | collect index=mysummary update the above search at regular, short intervals to keep the data in the summary index up to date perform a search against the summary index to do | timechart span=1h avg(count),stdev(count) ... as a subsearch ... inside a search that checks the the count across a short and current interval of time then eval whether the current count is 3 times stdev above or below avg Alert if above is true. I'm working out the exact technical details, but the above is the approach I'm currently experimenting with making work. ... View more