I read all the splunk documentation for setting up a summary index, and I followed it as best I could, but I cant get results when I try to search against it. My search: index="summary" search_name="404_logs" but my search is not even listed in any indexes with index="summary*" If I go to settings>knowledge>searches, reports, and alerts, It shows my 404_logs search that I am trying to set up as a summary index, and it has 0 alerts. (it has been over 24 hours since I set it up) In that search, it is configured as follows: SEARCH: index="is_logs" source="mysite.com" sc_status = 404 DESCRIPTION: Summary Index of 404 errors Not accelerated SCHEDULE: -1y to now, basic, every day at midnight. ALERT: Condition - Always, alert mode - once per search, no throttling, 24 hour expiration, medium severity ALERT ACTIONS: All disabled SUMMARY INDEXING: Enabled, index - summary, add fields - blank I'm not sure if I am trying to search against it improperly, or if it is not set up right. edit: My eventual goal is to be able to easily pull up a time chart of 404 errors within the last year, because without using summary indexing, the search takes over an hour to complete on the dashboard every time the page is loaded, and I need to use the 404 error data in other searches as well. ... View more

I need to be able to get useful data out of the following search: index="logs" source="mywebsite" | stats dc(cs_username) as Users by c_ip | where Users > 4 | geoip c_ip The search (in theory) should show me a location where a single IP address has more than 4 users. What I can't see is the actual IP address, and numbers in the circles don't make any sense, I would like the number to be how many users there are, and I would like to be able to click on, hover over, or have some way to easily see the IP address. As it stands, I have no way to see the IP address without doing a completely separate search without geoip edit: Right now, if I do click on one of the results, it puts the search in a new window and adds _geo="43.6135,-116.2035" to the parameters, but it always gives me "No results found." ... View more

Looking for the best way to format a timechart or stats visualization of failed login account names by time. Right now I have: index="activedirectory" EventCode=4740 | eval Account_Name=mvfilter(Account_Name!="-") | timechart span=1d count by Account_Name This helps a little, but due to how rare it is for a lockout to occur here, there are way too many empty blocks of time where nothing occurs. How can I get a useful chart that shows easy to read data over a long range of time while still showing the exact day that the lockout occurred? I also don't need to know the count of "how many failed logins per individual accounts", but I don't know how else to get a visual representation. ... View more

I am trying to get a search result that shows a single IP associated with all of its user agents, but I would like the IP's sorted by the overall amount of hits rather than sorted by numerical order. I would also like to be able to see the count of hits in the end result as well. Thanks in advance! My current search: index="logs" source="mywebsite.com" | stats values(cs_User_Agent_) as cs_User_Agent_ by c_ip Right now it results: IP: 11.00.00.00 User Agent: 1. Mozilla/5.0... 2. Mozilaa/4.0... IP: 22.00.00.00 User Agent: 1. Mozilla/5.0... IP: 33.00.00.00 User Agent: 1. Mozilla/5.0... 2. Mozilaa/4.0... 3. Mozilla/5.0... I am looking to get results like: IP: 64.00.00.00 - Count: 13451 User Agent: 1. Mozilla/5.0... 2. Mozilaa/4.0... IP: 109.00.00.00 - Count: 636 User Agent: 1. Mozilla/5.0... IP: 72.00.00.00 - Count: 122 User Agent: 1. Mozilla/5.0... 2. Mozilaa/4.0... 3. Mozilla/5.0... ... View more

My main goal right now is to see if there are users accessing our site through phishing sites or emails. We do not send any e-mails with links whatsoever, so I shouldn't see anyone referred through an email. My (possibly uneducated) question is to clarify what exactly the Referer URL is giving me. If I was to pull a list of: "... | top cs_Referer_" I get results like "http://www.google.com/" with no search criteria, and also "google.com/MyWebsiteName/". Is it actually just the URL the user was on before they changed to ours, or is it actually based on clicking a link? Given this info, what type of referer would I look for to see if they did click on a link in an email? ... View more

I am looking to compare a list of non unique usernames with unique IP's, and specifically analyze the occurences where any users have logged in with multiple ips. So far I have: index="iis_logs" source="url.com" NOT cs_username="-" | table cs_username, c_ip | dedup c_ip A given username can be all letters, all numbers, or a combination of both, so the "where cs_username > 1 doesn't seem to work. I also do want to see the actual username, so a stats command that only shows how many ips a given user logged into doesnt work either. ... View more

I am trying to find a search command that will get me a list of my top 20 client ip addresses (c_ip) along with each given ip's top 1 user agent (cs_User_Agent_). In laymans code: ... | top 20 c_ip each with top cs_User_Agent_ ... View more