I have one index with a field "MessageId" that is common with another index. I need to got through all the values of MessageId in index1, and then search index2 to make sure they are also there. I was trying to use an outer join to do this with the following syntax: search index=index1 sourcetype=sourcetype1 Function=SubscriberFunction ClockTypeId=1 OR ClockTypeId=2 earliest=-5d@d latest=-4d@d | eval ClockPunchID=MessageId | eval Status1="Received" | join ClockPunchID type=outer [search index=index2 * | eval ClockPunchID=MessageId | eval Status2 = "Received" ] | eval Status = if(match(Status1,Status2), "Complete", "Incomplete") | table ClockPunchID ClockTypeId Status1 Status2 Status The problem I am getting is I get no results at all from my index2 search. All values of Status2 are blank. If I manually copy and paste the subsearch syntax into a separate search window I get exactly what I would expect, but as part of a join I get nothing, only the index1 results. ... View more

I am trying to come up with the search syntax that would get me the the values of a field that exist in one search that don't exist in another search. IE: SourceIP="*" earliest=-48h@h latest=-24h@h | stats count by SourceIP | fields SourceIP and SourceIP="*" earliest=-24h@h | stats count by SourceIP | fields SourceIP I'm looking for the values of SourceIP that were present in search 1 that are not present in search 2. Is there a way to do this that can process quickly? There should be about 11,000 unique values coming from each search. I just want to know which ones didn't occur today. ... View more

I have a group of Universal forwarders deployed in our DMZ to relay logs from UF's in the field to our indexing cluster inside our network. The splunkd.log from the DMZ servers shows errors on those inbound connections when they occur, but it does not appear to log successful inbound connections, which would be helpful in performance tracking and iplocation of clients. It does seem to capture successful outbound connections to the indexers, so I would have to imaging this information is available. Is there a logging level switch somewhere that would trap that information in the splunkd.log in the DMZ? ... View more

We have tried using the Universal Forwarder for sending logs from one of our servers to our Splunk indexer cluster using auto load balancing, but it appears to be putting too much of a load on the server causing application availability issues. This same server was running perfectly when logs were being collected via a directory monitor by a standalone Splunk indexer. Is using a directory monitor a supported configuration for inputs in a cluster, or do I need to do something like set up a standalone UF that monitors the folders on that particular server remotely and sends them to our indexers? ... View more

I have a primary search that finds all the events that indicate a failure of a process and presents a list of unique values. I then want to take those unique values and submit a subsearch for each value to obtain a field value from the subsearch (only need 1 result, many exist), and then display a table of Search1Field and SubSearchField. For example: index=subex-ldds StatusCode=PUBLISH_FAIL | rex field=_raw "Endpoint: (? \d+)-\d" | dedup StoreNumber This might yield results such as: 123 445 480 1012 I would like to then search for 1 event for each StoreNumber to extract the value of a different field (applicationversion) that occurs in a different set of events and display them side by side in a table. So the second search would need to recurse the list, something like: search index=subex-ldds applicationversion StoreNumber=123 | rex field=_raw "ApplicationVersion=\"(? \S+)\"" ... and get back a value for store 123 such as: 123 5.1 445 5.0 480 5.1 1012 5.1 I have tried a foreach command but it is not yielding the desired results, so I'm not sure if the syntax is just wrong or if I am using foreach improperly. ... View more

Is there a way when creating a table of syslog results that I can convert a value such as "17" to "udp" based on a set of predefined mappings, i.e. 1=icmp,6=tcp,17=udp,47=gre,50=esp? Thanks! ... View more