Why not just use h instead of i in the search?
index=_internal source=*license_usage.log "type=Usage" | convert timeformat="%Y-%m-%d (%a)" ctime(_time) as ISODate | eval MB=b/1024/1024 | chart eval(round(sum(MB),0)) over h by ISODate limit=0 | addcoltotals labelfield=h | rename h as host
As I read it "Nom du compte " is being passed to the table command as a string and not a field.
If I wasn't getting the fields in the table I wanted I would try something like:
EventCode=4624 sourcetype="WinEventLog:Security" ComputerName!="*$" | dedup ComputerName | table *
which should create a table with all the fields. From that I would identify the columns I wanted to keep and use the field values after the table command to create the final version.
I had a similar issue after the upgrade to 6.x from 5.x. In my instance it was related to flashtimeline in version 5.x versus search in version 6.x. What I ended up doing was getting a copy of the flashtimeline xml file from a version 5.x search app and adding it to the data/ui/views/ folder of the apps where it wasn't working.
For me it was somewhat similar to the issue described here:
http://answers.splunk.com/answers/104477/splunk-6-flashtimeline-conversion-to-search-assigning-chart-title
or the opposite of what is described here:
http://answers.splunk.com/answers/112171/app-has-an-overriding-copy-of-the-flashtimelinexml
Does the value "system" appear in the field you create? If so then you should be able to pipe your original search to the search command and exclude the "system" value with "| search userid!=system".
sourcetype=syslog source=/var/log/secure "pam_unix(sshd:session)" | rex "(?i) user (?P<userid>[^ ]+)" | stats latest(userid) as userid by host, _time | dedup host | search userid!=system
Try using the tostring function with EVAL.
Not quite what you are looking to do, but perhaps informative:
http://answers.splunk.com/answers/11399/rounding-currency-to-two-digits-after-decimal
EVAL Functions:
http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/CommonEvalFunctions
The way you have posed the question implies that you are looking for two sets of contiguous IP space.
If true you can use an ORed CIDR notation for your search.
Example: field=10.0.0.0/8 OR field=172.16.0.0/12
Or did I misunderstand the question?
Your example, and the result you are looking for, is almost the exact example (#3) used in the Search Reference manual for the mvexpand command.
Please take a look:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvexpand
The _time field is the internal time stamp that Splunk assigns to an event.
This should provide more insight:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usedefaultfields
Good Luck!
This should give you something more along the lines of what you were looking for:
EventCode=4624 | dedup ComputerName | table ComputerName _time
Not exactly what you asked for but to get more useful results you might want to also examine the Account_Name, Security_ID and Logon_Type fields.
To follow on aweitzman's suggestion to throw out the events you don't want, the following is an example of sending select event log items to the null queue with props.conf and transforms.conf (you will need to adjust your regex to the events you want to keep/drop):
http://answers.splunk.com/answers/59370/filtering-events-using-nullqueue
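As an added illustration of the null queue routing described above (this is example configuration written for this page, not the linked answer's or the poster's own; the sourcetype stanza, transform names and the EventCodes 4624/4625 are assumed for the example), the usual pattern is two transforms: the first sends every event to nullQueue, the second re-routes only the events you want to keep to indexQueue. Because the last matching transform wins, everything that does not match the keep pattern is discarded before it is indexed.

```ini
# props.conf (example; sourcetype stanza assumed): apply both transforms,
# in this order, to every event of the sourcetype
[WinEventLog:Security]
TRANSFORMS-routing = drop_all, keep_logons

# transforms.conf (example)
# Step 1: route every event to the null queue
[drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Step 2: send only the events worth keeping back to the index queue.
# 4624/4625 (assumed choice) are successful and failed logons; change the
# pattern to the EventCodes you actually need.
[keep_logons]
REGEX = EventCode=(4624|4625)
DEST_KEY = queue
FORMAT = indexQueue
```

Index-time routing like this is evaluated wherever the parsing pipeline runs (an indexer or a heavy forwarder), not on a universal forwarder, and events sent to nullQueue never reach the index, so they also do not count against license usage. Test the keep regex against a few real events in search before deploying it, since a pattern that is too narrow silently drops data.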
I think you want this:
No. of concurrent searches / No. of avail. cores = No. of searches per core x No. of sec. per individual search = Total time (sec.) per search
From:
http://docs.splunk.com/Documentation/Splunk/6.1.1/Deploy/Accommodatemanysimultaneoussearches
But start here:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/HardwarecapacityplanningforadistributedSplunkdeployment
This doesn't seem to be the same issue you are having but I had a similar problem after upgrading to 6.1.1 where some alerts wouldn't fire. In my case it also seemed to be related to the account that owned the search.
My situation seemed to be known issue SPL-84357. The workaround was to add a session timeout line to server.conf (sessionTimeout = 30d). After making the change and restarting the alerts fired as expected.
I've included the links I found most helpful here:
http://answers.splunk.com/answers/137421/why-are-my-real-time-alerting-searches-no-longer-sending-emails-for-matching-events-after-upgrading-to-61
http://docs.splunk.com/Documentation/Splunk/6.1.1/ReleaseNotes/Knownissues
Hope that helps.
Based on the props.conf spec it doesn't look like the TIMESTAMP_FIELDS is the correct declaration for you to use based on the sample output.
Further, it looks like the time stamp (ctime) in the output is in the middle of the event. Again, by the spec, Splunk will only examine the first 150 characters by default.
I would try adding TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD values to props.conf.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
Hope that helps.
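An added props.conf example (not the poster's own configuration; the sourcetype name, the prefix text "ctime=" and the timestamp layout are assumed, since the original sample output is not shown here) of the TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD settings mentioned above. TIME_PREFIX tells Splunk to start looking for the timestamp right after the matched text instead of at the start of the event, so a timestamp that sits past the default lookahead window is still found.

```ini
# props.conf (example; stanza name assumed)
[my_app_log]
# Regex matching the text immediately before the timestamp in the raw event.
# Timestamp extraction begins right after this match, wherever it occurs.
TIME_PREFIX = ctime=
# Scan at most this many characters after the prefix for the timestamp;
# keep it just large enough to cover the timestamp itself.
MAX_TIMESTAMP_LOOKAHEAD = 25
# strptime-style layout of the timestamp (assumed for the example).
TIME_FORMAT = %Y-%m-%d %H:%M:%S
```

Timestamp settings are applied at index time, so after changing them restart or reload the instance that parses the data and check a few newly indexed events: if _time still shows the index time or the wrong value, the prefix regex or TIME_FORMAT does not match the raw text.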
Based on your sample data it looks like you might also benefit from using the mvexpand command.
One of the examples on the documentation page for mvexpand uses rex, like has already been suggested, but also allows you to have other data (e.g., timestamp) from the original event applied.
http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/Mvexpand