While running splunk diag on an indexer, i received the following error messages. Any idea's as to what they mean or if there is a problem? [root@splunk bin]# ./splunk diag Ensuring clean temp dir... Selected diag name of: diag-splunk.domain.org-2013-08-22 Starting splunk diag... sh: lsb_release: command not found No directory separator found in index path: $SPLUNK_DB\fw\db No directory separator found in index path: $SPLUNK_DB\fw\colddb No directory separator found in index path: $SPLUNK_DB\fw\thaweddb No directory separator found in index path: $SPLUNK_DB\randomlogs\db No directory separator found in index path: $SPLUNK_DB\randomlogs\colddb No directory separator found in index path: $SPLUNK_DB\randomlogs\thaweddb Thanks in advance! ... View more

Splunkers, I have been trying to add commas to all the default charts on the Exchange app. A few particular searches are giving me issues. I usually just use "eval count=tostring(count, "commas")" and it works like a charm. I am still trying to understand how the following search works and how to add commas to it. Any ideas? This is the Environment Report - Mailboxes: eventtype="msexchange-mailbox-usage" User="*"|dedup User|eval mailbox=1|eval mailbox200m=if(TotalItemSize>200000000,1,0)|eval mailbox500m=if(TotalItemSize>500000000,1,0)|eval mailbox1G=if(TotalItemSize>1000000000,1,0)|table User,TotalItemSize,mailbox,mailbox200m,mailbox500m,mailbox1G|addcoltotals labelfield=User label=Totals|search User=Totals|eval avgmailbox=round(TotalItemSize/mailbox)|table mailbox,mailbox200m,mailbox500m,mailbox1G,avgmailbox|rename mailbox as "# Mailboxes", mailbox200m as "# Mailboxes over 200Mb", mailbox500m as "# Mailboxes over 500Mb", mailbox1G as "# Mailboxes over 1Gb", avgmailbox as "Average Mailbox Size"|transpose 5|append [ search eventtype="msexchange-mailbox-usage" User="*"|stats max(TotalItemSize) as maxmailbox|eval column="Maximum Mailbox Size"|eval "row 1"=maxmailbox|table column,"row 1"]|rename column as "Field","row 1" as "Value" Thanks in advance for any help with this. I-Man ... View more

Splunkers, I have events from our Helpdesk ticketing system that have two date fields, DateOpen and DateClosed, both with the following format: 2013-02-25 12:50 2013-02-26 12:58 I am trying to write a report that shows average time from when the ticket was opened and when it was closed. Based on research, i think i need to convert these to epoch time using mktime and then do the subtraction, then convert back to ctime. Unfortunately, i cant get mktime to return any values. convert timeformat="%y/%m/%d %H-%M" mktime(DateClosed) AS closedon_epoch | table DateClosed, closedon_epoch Am i missing something here or am i going about this the wrong way? Thanks in advance for any help. ... View more

So the following will add a $ symbol to the beginning of the value Revenue, like "$ 42" ... | eval Revenue="$ ".tostring(Revenue,"commas") How do you add data size notations like MB or GB to the end of a value like "42 MB" Thanks in advance for any help I-Man ... View more

We have a VIP setup to load balance and forward all our syslog events to a pair of Non-indexing Splunk Heavy Forwarders. The forwarders then send to a 3rd party IDS as well as a pair of load balanced indexers that are connected to a search head. We are about to send new syslog data to the VIP and want all data to go to a new index that we created. We would rather NOT create a new listening port on the Forwarders for this new traffic. How do we send the specific syslog events to the specific index? Would this have to be done on the indexing side? Thanks in advance for any help. ... View more

We are a 90% Windows environment. Since we upgraded to 4.3.1, the WMI log format has changed ever so slightly. While this is not an issue with splunk, it is an issue with the 3rd party MSSP we are forwarding logs to. As Splunk hasn't responded with a fix or workaround since we upgraded (3 weeks), i would like to downgrade my forwarders back 4.2.3. As the only way to downgrade it to re-install, this will collect everything in the windows event logs, not just where it left off. As this affect 500+ windows boxes, we do not want to do that. Is there an easy way to set current_only = 1 for all hosts in WMI.conf? Is it as easy as this? [default] current_only = 1 [WMI:host1] event_log_file - Application, Security, System interval = 5 server= host1 [WMI:host2] event_log_file - Application, Security, System interval = 5 server= host2 ... ... View more

Is there a way to send an alert if I exceed my license limit? Does Splunk generate a log when this happens? Thanks in advance! ... View more

I have code that displays a google map of successful vpn connections into our org. Currently, I can only access this dashboard/view by physcially typing in the URL as the name isn't showing up under the Views dropdown. XML noob here, what do i add so it's pulled under the View Dropdown in the search app? <view template="dashboard.html"> <label>Successful VPN Connection Source Locations</label> <module name="TitleBar" layoutPanel="viewHeader"> <param name="actionsMenuFilter">dashboard</param> </module> <module name="GenericHeader" layoutPanel="panel_row1_col1" autoRun="True"> <param name="label">Geographical Location</param> <module name="HiddenSearch" group="Map View" autoRun="True" layout_panel="panel_row1_col1"> <param name="search">"assigned to session" "REMACC-VPN" OR "VPNCLIENTS" earliest=-1d@d latest=@d | convert ctime(_time) as timestamp | table timestamp vpn_user vpn_assigned_ip vpn_external_ip | lookup geoip clientip as vpn_external_ip | geonormalize</param> <module name="GoogleMaps"> <param name="autoPostProcess">false</param> <param name="height">950px</param> <param name="mapType">terrain</param> <param name="mapTypeControl">on</param> <param name="navigationControl">on</param> <param name="scaleControl">on</param> <param name="scrollwheel">off</param> <param name="zoomLevel">3</param> </module> </module> </module> Thanks, I-man ... View more

I created a payload field that usually has about 8-20 lines of data. After the field was created, I clicked the field in the left hand section of the Search App and accidentally hit "Select/Show in results". Now I have a huge section of fields between each event due to the payload field containing so much data. How do i remove this from showing in the search results? I looked everywhere and there does not seem to be an option to do this. Thanks, I-Man. ... View more

All, Below are the logs prior to splunk interpreting them. I want to split each event with a regex based on the lines of =+=+=+=+=+=+...which is consistently 37 patterns long. [**] [1:2008581:3] ET P2P BitTorrent DHT ping request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] [Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Bittorrent_Traffic] [Xref => http://doc.emergingthreats.net/bin/view/Main/2008581] [Xref => http://wiki.theory.org/BitTorrentDraftDHTProtocol] Event ID: 2 Event Reference: 2 09/19/11-23:09:15.740430 10.x.x.x:4566 -> x.x.x.x:59965 UDP TTL:126 TOS:0x0 ID:31114 IpLen:20 DgmLen:95 Len: 75 64 31 3A 61 64 32 3A 69 64 32 30 3A 49 78 E1 96 d1:ad2:id20:Ix.. 61 63 FA 84 13 3A 96 C1 F6 76 DC 53 DE 87 CC 95 ac...:...v.S.... 65 31 3A 71 34 3A 70 69 6E 67 31 3A 74 34 3A 67 e1:q4:ping1:t4:g 3B 36 79 31 3A 76 34 3A 55 54 62 B9 31 3A 79 31 ;6y1:v4:UTb.1:y1 3A 71 65 :qe =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ [**] [1:2010140:5] ET P2P Vuze BT UDP Connection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] [Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze] [Xref => http://doc.emergingthreats.net/2010140] [Xref => http://vuze.com] Event ID: 3 Event Reference: 3 09/19/11-23:09:15.889491 10.x.x.x:60653 -> x.x.x.x:35421 UDP TTL:62 TOS:0x0 ID:51471 IpLen:20 DgmLen:93 Len: 73 9E 66 87 A7 D0 2A 93 5F 00 00 04 06 96 3E 45 1A .f...*._.....>E. 32 00 00 00 00 00 32 04 CC 45 B6 01 EC ED E5 CE 2.....2..E...... 09 70 00 00 01 32 83 F3 59 3E 14 41 7E D1 0C 90 .p...2..Y>.A~... 4D 4C 51 5D 69 43 F5 4C F1 46 00 BB EE C3 C2 02 MLQ]iC.L.F...... 1E . =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Thanks, Iman UPDATE With the following config, here are some results splunk is giving us: [host::sensor01] BREAK_ONLY_BEFORE_DATE = false LINE_BREAKER = ([\r\n]*[=+]{74}[\r\n]*) Results: 09/20/11-16:16:07.511888 10.255.4.201:52954 -> 64.208.138.115:80 TCP TTL:63 TOS:0x0 ID:2122 IpLen:20 DgmLen:48 ******S* Seq: 0x4B5C56AC Ack: 0x0 Win: 0xFFFF TcpLen: 28 TCP Options (3) => MSS: 1460 SackOK EOL =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ [**] [1:2408054:271] ET RBN Known Malvertiser IP TCP (28) [**] [Classification: Misc Attack] [Priority: 2] [Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork] Event ID: 55744 Event Reference: 55744 [**] [1:2010140:5] ET P2P Vuze BT UDP Connection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] [Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Vuze] [Xref => http://doc.emergingthreats.net/2010140] [Xref => http://vuze.com] Event ID: 6519 Event Reference: 6519 09/20/11-20:16:05.267902 10.250.85.60:6881 -> 2.30.187.43:4860 UDP TTL:62 TOS:0x0 ID:60117 IpLen:20 DgmLen:93 Len: 73 E7 03 B0 4C 87 80 D6 64 00 00 04 06 D8 6C BE 4D ...L...d.....l.M No consistency with the returned logs, not sure what I'm missing. ... View more