I am curious, does including an index help the search any when writing a search?
This comes about as a friend and I are arguing over whether or not one is more necessary than the other. For example, let's say I do a search with just a sourcetype and then on another search I include an index.
While I know this "limits" the data, Splunk still has to search data either way. Would including the index in this case cause any substantial gain in the effectiveness of the search, or could leaving it out be just as effective as specifying a certain index? What are your thoughts?
Is there any sort of syntax for me to be able to manipulate or get data on the data that exists in the values() field?
So let's say that I do a
| stats values(dest_port) by src_ip
I then want to order the values in the values(dest_port), or I only want the top 10 of the list in values(), or I want to only get the top and bottom. Is there any sort of notation or syntax that I can use to do this?
I am pulling information from a search that I need to keep but update on top of.
For example, my search is finding machines that contain a certain file path (via execution logs at this point)
sourcetype=security_source FilePath="whatever_goes_here" | table HostName | dedup HostName | sort HostName
It's a very simple search, but it gets me a list of machines that have had executions along that path, which is what I need. I want to set up an alert that will let me know when new machines enter the bunch.
So if I had machines:
Those would show up on, let's say, Search 18. When Search 19 comes around, a new machine (L8564) had an execution along that path, meaning that it would be added to the list. I only want to alert on the new machine being added to the table (L8564).
Here are a few caveats:
I cannot have this as a real-time search as this will bog down our system. That means that, if I run this as a cron job search, it will alert on all of the machines that are listed every time it is run. Instead, I want it to know: "Oh, this machine hasn't been seen on this before" -> trigger the alert.
I am using the dedup command to find, essentially, a "values()" of the HostNames, and that way it creates a new cell which I can alert on.
Another reason I am using dedup is because we have a lot of different sorts of executions happening along that path, meaning that we can have about 10 results on the table but about 4,000 results in the events. (I also cannot use a specific file as there is not exactly a common one that gets executed across the board, and also, the file's name can change.)
TLDR: Is there any way that I can have this search run as a cron job, keep the historical data (all of the original table entries), and alert on any new entries (meaning we had 6 computers before this search was run and now we have 7 this time -> alert on the new entry)?
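One way to do what the third post asks, as an added example (not code from any of the posts above): a scheduled SPL search that keeps the running list of hosts in a CSV lookup and returns only the hosts that were not already in it, so the alert condition can simply be "number of results > 0". It reuses the sourcetype, FilePath and HostName fields from the question; the lookup file name seen_hosts.csv is my own choice and must be writable in the app where the search is saved.

```spl
sourcetype=security_source FilePath="whatever_goes_here"
| stats earliest(_time) AS first_seen, latest(_time) AS last_seen BY HostName
| eval origin="current_run"
| inputlookup append=true seen_hosts.csv
| fillnull value="lookup" origin
| stats min(first_seen) AS first_seen, max(last_seen) AS last_seen, values(origin) AS origin BY HostName
| eval is_new=if(isnull(mvfind(origin, "lookup")), 1, 0)
| fields HostName first_seen last_seen is_new
| outputlookup seen_hosts.csv
| where is_new=1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| table HostName first_seen
```

The first stats replaces the dedup and gives one row per host from the current window; appending the lookup and aggregating again merges the history, and a host is new only when none of its rows came from the lookup (the rows the lookup contributes have no origin field, which fillnull marks). Because inputlookup fails when the file does not exist, seed seen_hosts.csv once over a historical window with the same base search followed by the first stats and outputlookup, then schedule this search with a time range at least as wide as the cron interval.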