Could you do something like this? | eval isLocal=if(cidrmatch("10.0.0.0/24",ip), "local", "not local") You could try 0.0.0.0/24 and see if that matches any IP address? http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions ... View more

You can also download this app, that gathers all the data about apps into Splunk! https://splunkbase.splunk.com/app/2919/ ... View more

Only Admins see the notifications, Power User and User do not. ... View more

What use is Splunk running as? Local System? ... View more

the deploymentclient.conf will have the server:port in it and the outputs.conf will have the indexer server:port in it too. Additionally the indexer and DS are only listening on those same ports. http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Deploymentclientconf http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Outputsconf ... View more

Yes, When you install the forwarder just specify the DS server & Port like this: msiexec.exe /i Splunk.msi DEPLOYMENT_SERVER=host:port /quiet Then you should create an outputs App on your DS that will push just an outputs.conf to all your Forwarders. Make sense? http://docs.splunk.com/Documentation/Splunk/6.5.0/Installation/InstallonWindowsviathecommandline ... View more

sendCookedData=true in outputs.conf ... View more

According to http://docs.splunk.com/Documentation/Splunk/latest/admin/indexesconf you can define the following stanzas, so Yes you should be able to shutdown Splunk, move the files and make the change. tstatsHomePath = * Required. * Location where datamodel acceleration TSIDX data for this index should be stored * MUST be defined in terms of a volume definition (see volume section below) * Must restart splunkd after changing this parameter; index reload will not suffice. * CAUTION: Path must be writable. * Defaults to volume:_splunk_summaries/$_index_name/datamodel_summary, where $_index_name is runtime-expanded to the name of the index summaryHomePath = * An absolute path where transparent summarization results for data in this index should be stored. Must be different for each index and may be on any disk drive. * May contain a volume reference (see volume section below). * Volume reference must be used if data retention based on data size is desired. * If not specified, Splunk will use a directory 'summary' in the same location as homePath * For example, if homePath is "/opt/splunk/var/lib/splunk/index1/db", then summaryHomePath would be "/opt/splunk/var/lib/splunk/index1/summary". * CAUTION: Path must be writable. * Must restart splunkd after changing this parameter; index reload will not suffice. * Defaults to unset. ... View more

Check this as well.. https://answers.splunk.com/answers/105106/splunk-for-infoblox.html ... View more

PROPS: [source::....bluecoat] sourcetype = bluecoat:proxysg:access:file [bluecoat] rename=bluecoat:proxysg:access:syslog [bluecoat:proxysg:access:syslog] pulldown_type = true category = Network & Security description = Data from Blue Coat ProxySG in W3C ELFF format thru syslog KV_MODE = none SHOULD_LINEMERGE = false MAX_DAYS_AGO = 10951 TIME_FORMAT = %F %T TIME_PREFIX = [A-Z][a-z]{2}\s+\d+\s+\d+:\d+:\d+\s+[a-zA-Z0-9]+\s+ TRANSFORMS-TrashHeaders = TrashHeaders #REPORT-auto_kv_for_bluecoat_v5 = auto_kv_for_bluecoat_v5_3_3 #REPORT-auto_kv_for_bluecoat_v6 = auto_kv_for_bluecoat_v6_5_x REPORT-auto_kv_for_bluecoat_v6_6 = auto_kv_for_bluecoat_v6_6_x REPORT-categories = bluecoat_categories REPORT-bluecoat_header = bluecoat_header FIELDALIAS-cookie = cs_Cookie as cookie FIELDALIAS-duration = time_taken as duration FIELDALIAS-src = c_ip as src FIELDALIAS-src_port = c_port as src_port FIELDALIAS-user = cs_username as user FIELDALIAS-http_referrer = cs_Referer as http_referrer FIELDALIAS-status = sc_status as status FIELDALIAS-action = s_action as vendor_action FIELDALIAS-http_method = cs_method as http_method FIELDALIAS-content_type = rs_Content_Type as http_content_type FIELDALIAS-dest_host = cs_host as dest_host FIELDALIAS-dest_port = s_port as dest_port FIELDALIAS-user_agent = cs_User_Agent as http_user_agent FIELDALIAS-dest_ip = cs_ip as dest_ip FIELDALIAS-dvc = s_ip as dvc FIELDALIAS-bytes_in = sc_bytes as bytes_in FIELDALIAS-bytes_out = cs_bytes as bytes_out FIELDALIAS-uri_path = cs_uri_path as uri_path FIELDALIAS-uri_query = cs_uri_query as uri_query FIELDALIAS-protocol = cs_protocol as protocol FIELDALIAS-packets_in = c_pkts_received as packets_in FIELDALIAS-session_id = s_session_id as session_id EVAL-dest = coalesce(dest_ip, dest_host) EVAL-bytes = bytes_in + bytes_out EVAL-url = coalesce(cs_uri, if(isnull(cs_uri_scheme) OR (cs_uri_scheme=="-"), "", cs_uri_scheme+"://") + cs_host + cs_uri_path + if(isnull(cs_uri_query) OR (cs_uri_query == "-"), "", cs_uri_query)) EVAL-product = "ProxySG" EVAL-vendor = "Blue Coat" EVAL-vendor_product = "Blue Coat ProxySG" LOOKUP-vendor_traffic_action = bluecoat_proxy_action_lookup vendor_action OUTPUT action, transport [bluecoat:proxysg:access:file] pulldown_type = true category = Network & Security description = Data from Blue Coat ProxySG in W3C ELFF format thru syslog KV_MODE = none SHOULD_LINEMERGE = false MAX_DAYS_AGO = 10951 TRANSFORMS-TrashHeaders = TrashHeaders REPORT-auto_kv_for_bluecoat_v6_6_r2 = auto_kv_for_bluecoat_v6_6_x ###ORIGINAL VALUES COMMENTED OUT #pulldown_type = true #category = Network & Security #description = Data from Blue Coat ProxySG in W3C ELFF format thru file monitoring #INDEXED_EXTRACTIONS = w3c #SHOULD_LINEMERGE = false #MAX_DAYS_AGO = 10951 #TRANSFORMS-TrashHeaders = TrashHeaders REPORT-categories = bluecoat_categories REPORT-bluecoat_header = bluecoat_header FIELDALIAS-cookie = cs_Cookie as cookie FIELDALIAS-duration = time_taken as duration FIELDALIAS-src = c_ip as src FIELDALIAS-src_port = c_port as src_port FIELDALIAS-user = cs_username as user FIELDALIAS-http_referrer = cs_Referer as http_referrer FIELDALIAS-status = sc_status as status FIELDALIAS-action = s_action as vendor_action FIELDALIAS-http_method = cs_method as http_method FIELDALIAS-content_type = rs_Content_Type as http_content_type FIELDALIAS-dest_host = cs_host as dest_host FIELDALIAS-dest_port = s_port as dest_port FIELDALIAS-user_agent = cs_User_Agent as http_user_agent FIELDALIAS-dest_ip = cs_ip as dest_ip FIELDALIAS-dvc = s_ip as dvc FIELDALIAS-bytes_in = sc_bytes as bytes_in FIELDALIAS-bytes_out = cs_bytes as bytes_out FIELDALIAS-uri_path = cs_uri_path as uri_path FIELDALIAS-uri_query = cs_uri_query as uri_query FIELDALIAS-protocol = cs_protocol as protocol FIELDALIAS-packets_in = c_pkts_received as packets_in FIELDALIAS-session_id = s_session_id as session_id EVAL-dest = coalesce(dest_ip, dest_host) EVAL-bytes = bytes_in + bytes_out EVAL-url = coalesce(cs_uri, if(isnull(cs_uri_scheme) OR (cs_uri_scheme=="-"), "", cs_uri_scheme+"://") + cs_host + cs_uri_path + if(isnull(cs_uri_query) OR (cs_uri_query == "-"), "", cs_uri_query)) EVAL-product = "ProxySG" EVAL-vendor = "Blue Coat" EVAL-vendor_product = "Blue Coat ProxySG" LOOKUP-vendor_traffic_action = bluecoat_proxy_action_lookup vendor_action OUTPUT action, transport TRANSFORMS: [bluecoat_proxy_action_lookup] filename = bluecoat_proxy_actions.csv case_sensitive_match = false ## Automatic kv [auto_kv_for_bluecoat_v6_6_x] REGEX = (?:"([^"]+)"|(\S+))\s+(?:"(\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,2}:\d{1,2}:\d{1,2}))\s+(?:"(\d+)"|(\d+))\s+(?:"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s*$ FORMAT = date::$1 date::$2 time::$3 time::$4 time_taken::$5 time_taken::$6 c_ip::$7 c_ip::$8 cs_username::$9 cs_username::$10 cs_auth_group::$11 cs_auth_group::$12 s-supplier-name::$13 s-supplier-name::$14 s-supplier-ip::$15 s-supplier-ip::$16 s-supplier-country::$17 s-supplier-country::$18 s-supplier-failures::$19 s-supplier-failures::$20 x_exception_id::$21 x_exception_id::$22 sc_filter_result::$23 sc_filter_result::$24 cs_categories::$25 cs_categories::$26 cs_Referer::$27 cs_Referer::$28 sc_status::$29 sc_status::$30 s_action::$31 s_action::$32 cs_method::$33 cs_method::$34 rs_Content_Type::$35 rs_Content_Type::$36 cs_uri_scheme::$37 cs_uri_scheme::$38 cs_host::$39 cs_host::$40 cs_uri_port::$41 cs_uri_port::$42 cs_uri_path::$43 cs_uri_path::$44 cs_uri_query::$45 cs_uri_query::$46 cs_uri_extension::$47 cs_uri_extension::$48 cs_User_Agent::$49 cs_User_Agent::$50 s_ip::$51 s_ip::$52 sc_bytes::$53 sc_bytes::$54 cs_bytes::$55 cs_bytes::$56 x_virus_id::$57 x_virus_id::$58 x_bluecoat_application_name::$59 x_bluecoat_application_name::$60 x_bluecoat_application_operation::$61 x_bluecoat_application_operation::$62 cs-threat-risk::$63 cs-threat-risk::$64 [bluecoat_categories] SOURCE_KEY = cs_categories REGEX = (?[^;]+) MV_ADD = true [bluecoat_header] REGEX = ^(#) FORMAT = bluecoat_header::$1 [TrashHeaders] REGEX = ^# DEST_KEY = queue FORMAT = nullQueue INPUTS: sourcetype = bluecoat:proxysg:access:syslog ... View more

The web_input works really well for tailing a web page. It works in 6.0+ too. ... View more

So what size should I increase MaxTcpSessionCount too? And what are the ramifications of increasing it? Should I be increasing it 10K blocks until the messages go away? Thanks ... View more

Yes, there is a box:events sourcetype. The inputs.conf has [box_service://events] rest_endpoint = events duration = 20 the props.conf has [box:events] FIELDALIAS-action = event_type AS action FIELDALIAS-src = ip_address AS src FIELDALIAS-src_user = created_by_name AS src_user FIELDALIAS-src_user_category = created_by_type AS src_user_category EVAL-object = case(isnotnull(source_item_name),source_item_name) EVAL-object_category = case(isnotnull(source_item_type),source_item_type) EVAL-object_id = case(isnotnull(source_item_id),source_item_id) ... View more

host=myhost* source="WinEventLog:application" EventCode=* | lookup exchangecodes.csv EventCode |where isnotnull(Message) | table EventCode, Message, Type ... View more

Something like this....You dont want inputlookup (the whole file), you only want the fields that match your search host="" source="WinEventLog:application" CategoryString="" | lookup exchangecodes.csv | eval EventCode=EventCode | eval SourceName=SourceName | eval Message=Messages | table SourceName,EventCode,Message,host Sample: EventCode=* |lookup EventCodes.csv EventCode | table EventCode,LogName, desc ... View more

try this: eval n=strptime(_time," %Y-%m-%d") ... View more

Your outputs.conf on the forwarder seem to be sending to itself as "localhost"? My forwarder looks like this, my indexer is .103 OUTPUTS: [tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = 192.168.1.103:9997 [tcpout-server://192.168.1.103:9997] I also suspect that you enabled the windows-TA when you installed the forwarder, those .conf files are inside C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\etc\apps\ That is why you are getting Windows data but not your datagateway log. ... View more

At home, I'm collecting firewall data with Splunk installed on a ESX server. This data I'm collecting is from Sonic and it has packet captures in it. My hope is to use the free version of NetWitness and use that for packet inspection. But right now I have it just capturing firewall traffic . The search I use is looking at all the images that anyone (kids) download. A link to some screenshots is unavailable . It's gonna be so cool when I have Splunk alerting on the kids wasting time and not doing homework. ... View more