All - I would like to experiment with Splunk Cloud but I am having an issue getting any data into my sandbox. I installed the windows UF on my laptop and told it to forward windows events to my cloud instance (prd-p-mycloud.cloud.splunk.com:9997). I then downloaded and installed the credentials from the UF App in Splunk Cloud. All the documentation I have been able to find indicates that is all I need to do. But for some reason in my splunkd log file I am getting the WARN TcpOutputProc - Cooked connection to ip=x.x.x.x:9997 timed out error. When I run a netstat, I get an ESTABLISHED connection to port 9997 with Splunk Cloud. I even went so far as to turn off my Windows firewall and still nothing. Any thoughts or docs that I may have missed to set this up? Thanks! Mike ... View more

Hi All - I am trying to do some simple reporting on two lookup files we have. Lookup File A time number 2015-01-16 100 2015-01-17 200 2015-01-18 300 2015-01-18 600 2015-01-18 700 Lookup File B time count 2015-01-16 700 2015-01-17 800 2015-01-18 900 2015-01-18 200 2015-01-18 300 I would like to sum(count) by time and sum(number) by time then produce a line chart. But I can't figure out how to use both of the lookup tables. My last iteration looked like this. | inputlookup email_into_edge.csv | appendcols [| inputlookup email_into_forefront.csv | stats sum(count) AS into_forefront by time] | stats sum(number) AS into_edge by time Thanks for any tips, Mike ... View more

Hello fellow Splunkers! I am curious about how all of you make your dashboards available to a wide range of users? This is not really a question about permissions (we currently have authentication via AD) or limiting what data users see in a dashboard... but the process that you go through to publish a dashboard. Right now, our users login Splunk and we direct them to the Search App -> Dashboards. They then see ALL of my dashboards - most of which are in various stages of development. What I would like to do is have a user log into Splunk and have them only see the dashboards they need. Any discussion would greatly benefit me and hopefully others. Thanks! Mike ... View more

I have been playing with the rex command for awhile now and I am stuck. I have a csv source that I need to extract a 1-3 digit number from. The trouble is that depending upon the line in the csv, it is either in the 8th or 9th column in the csv. Sample csv line: 2014/04/28 07:23:41 AM EDT,100.200.250.27,email link click,username@email.com,ABC,"CENTRAL, MAINE",x123456,204,PC,Windows,more,text OR 8/28/2013 15:04,100.200.250.27,,username@email.com,ABC,DEF,x987654,23,,,IE 8,Mozilla,more I would like to extract the 204 from the first line and 23 from the second. The trouble is the extra comma in the location in some of the lines (,"CENTRAL, MAINE",). My base rex is | rex field=_raw ",{8,9}.{1,3} (?<AAA>.*)" What I am thinking I am doing is searching for 8 or 9 commas ,{8,9} then when it finds it, select the next 1 to 3 characters .{1,3} then put all that in an extraction called AAA (?<AAA>.*) I think I am just off, but any tips would be great! Thanks, Mike ... View more

I am trying to create a report that includes failed log on attempts from our windows security logs with the originating host name from the network_dhcp log files. I can pull the failed log ons using this search: index=os_windows source="WinEventLog:Security" EventCode=4771 NOT user="*$" Failure_Code="0x18" | rex mode=sed field=src_ip "s/::ffff://" | stats count(user) as Attempts dc(src_ip) as IPs values(src_ip) as "IP Addresses" by user | where Attempts > 2 | table user Attempts IPs "IP Addresses" | sort -Attempts This returns: user Attempts IPs IP Address xxx 5 2 192.168.1.10 192.168.1.11 yyy 4 3 192.168.1.20 192.168.1.21 192.168.1.31 I would like to then lookup by IP Address in the dhcp logs to get the hostname of the offending workstation. This search works for this purpose: index=network_dhcp dest_ip="192.168.1.102" | table nt_host dest_ip Ideally the finished search would look like this... user Attempts IPs IP Address nt_host xxx 5 2 192.168.1.10 wkstation01 192.168.1.11 wkstation02 yyy 4 3 192.168.1.20 wkstation03 192.168.1.21 wkstation04 192.168.1.31 wkstation05 I have this subsearch but it does not return any results. index=network_dhcp [search index=os_windows source="WinEventLog:Security" EventCode=4771 NOT user="*$" Failure_Code="0x18" | rex mode=sed field=src_ip "s/::ffff://" | fields + src_ip] | table nt_host dest_ip Thanks for any help! Mike ... View more

I have been engaged in an arm wresting content with Splunk for the past couple of hours with regex and it has been beating me pretty soundly. I have read the Splunk docs and looked at the various regex help sites but I can't get it working. In fact, my regex works on http://rubular.com/ just fine. But when I put it in a search is barfs.., then laughs at me. I have weblog data and I would like to search for COMPANY\userID and place userID in a label for use down the pipeline. This is what the data looks like 2014-03-19 12:58:00 W3SVXYZ 10.0.0.1 POST COMPANY\userID 10.1.1.1 ..... 2014-03-19 12:59:00 W3SVXYZ 10.0.0.1 GET COMPANY\userID 10.2.2.2 ..... I would like to extract the userID and then perform stats on them (number of concurrent users, etc). My code so far that works in Perl is "COMPANY\\w+" but when I use it in splunk it tanks. <base search> | rex field=_raw "COMPANY\\\w+(?<testID>)" It does not populate the testID field correctly and it also includes results that do not have COMPANY in it. Thanks in advance for any tips or tricks! Mike ... View more

I am trying to calculate an overall total value for use later in my pipeline in a percentage calculation. My data looks like this Bucket userID ... 1 mike 1 joe 1 sally 2 mike 2 tim 2 sally 3 mike Report would look like this userID #_of_buckets_in percentage mike 3 100 joe 1 33.3 sally 2 66.6 My base search looks like this | stats count by userID This gives be userID and the #_of_buckets_in. When I try to add | dc(bucket) as totalBuckets to the search it only tallies up the buckets that the user is in and not the Total number of buckets. All the data is in the same sourcetype. Thanks for any suggestions! Mike ... View more

I have been working with extracting userIDs using RegExs and have run into some trouble. The following returns the correct results | rex field=_raw "\,[abc]\w\w\w\w\w\w(?<userID>)" | stats count(userID) This extracts user IDs from a csv file (that is our sourcetype) When I go to the Fields Extraction page and edit the extraction manually, I don't get any results (actually, it returns none found) I have tried editing the inline regex to read \,[abc]\w\w\w\w\w\w(? ) but it is not returning anything. I can't seem to find any documentation about the nuances of this inline regex. Any tips would be great! Thanks, Mike ... View more

Hi All - I'm working on creating a summary report and I am having difficulty discerning the various addtotals or addcoltotals commands to get Splunk to yield to my bidding. Here is what I have so far ... location campID Clickers cityA 1 20 cityA 2 10 cityA 3 5 cityB 1 15 cityB 2 25 cityC 4 7 ... .. sourcetype=phishing_clickers | lookup lookup.csv identity as userID OUTPUT bunit as location | stats count(userID) as Clickers by location, campID | addColtotals I would like to be able to sum each location's total Clicker amount. So something like this ... location campID Clickers Total_Clicks cityA 1 20 cityA 2 10 cityA 3 5 35 cityB 1 15 cityB 2 25 40 cityC 4 7 7 ... .. Thank you!! Mike ... View more

All - I have what I originally thought was a simple problem. I needed to calculate a percentage from two values in a row. For example, my current output looks like Repeat Phish Campaign Total_Emails E-Mails_clicked percentage 2 1000 100 4 2000 400 6 3000 1500 I can't seem to get the search to calculate the percentage between the total and clicked emails. Here is the current search that generates the above output. sourcetype=phishing_recipients repeat | stats count as phishingRcvd by campID | join type=outer max=0 campID [search sourcetype=phishing_clickers] | stats first(phishingRcvd) as Total_E-mails_Sent, count(userID) as E-Mails_Clicked by campID | eval percentage = E-Mails_Clicked * 100 / Total_E-mails_Sent | rename campID as "Repeat Phish Campaign" | table "Repeat Phish Campaign", Total_E-mails_Sent, E-Mails_Clicked, percentage I am raising the white flag on this one... Thanks! Mike ... View more

Hello Splunkers - I have phishing data that we would like to report on. I have two sourcetype - clickers (people who clicked on a particular campaign) and recipients (list of people who were sent the phishing emails, some of which are 'repeat' campaigns) sourcetype=clickers fields: userID campID ... sourcetype=recipients fields: userID campID ... The recipients event may contain the keyword 'repeat'. This is important. I would like to search the recipients sourcetype for the keyword 'repeat'. I would like to count the number of users for each campID that are associated with 'repeat'. Then we would like to use the identified campIDs from the recipients sourcetype and use those to get the count of users who actually clicked on those campaigns. So, we have campID 14,16,and 20 with the 'repeat' keyword from the recipients sourcetype. I want to know how many users these campaigns were sent to. So we have campID count 14 1000 16 2000 20 3000 Next, I take the campID and use that to count the number of people that actually clicked on those specific campaigns from the clickers sourcetype. The final result would look like this. campID count click_count 14 1000 100 16 2000 200 20 3000 300 Here is the start of my search... but I can only get one set or the other, not both. sourcetype=clickers | join campID [search sourcetype=recipients repeat] | eval campID{sourcetype}=campID | stats count(eval (campIDclickers)) as CLICKERS, count(eval(campIDrecipients)) as TOTAL_EMAILS by campID Thanks everyone! Mike ... View more

Hi All - I have a search that returns a userID and their associated groupIDs. I am just wanting the userID and their FIRST (read: smallest) groupID So if you have userID groupID userA 22 userA 33 userA 44 userB 11 userB 22 ... I would like to return userA 22 userB 11 ... My basic search looks like this: sourcetype=source | table userID, groupID When I dedup on userID, groupID I get everything (as this is looking for a the unique combo of userID and groupID) Hope that I explained this properly. Thanks, Mike ... View more