Hey Splunksters, My work environment is switching from Windows (large distributed enviro) to Linux pretty soon. I'd like to get familiar with architecting in Linux so I had a couple of questions: I'm wondering if I can simply spin up 3-5 aws linux vm's and use the free version of splunk to get familiar with the process of creating a distributed enviro (assigning a search head, 1 idx, maybe couple of forwarders and a deployment server using the free splunk???  Or, is the free splunk Enterprise only good for 1 download on 1 machine ?? Thanks! ... View more

Hey Splunksters, I have an Azure VM that I put a forwarder on that is supposed to reach out to my on-prem deployment server (which I have successfully done in my separate development environment).   (just a little backstory in case this helps anyone) Originally it was installed using a script that pointed to the wrong Deployment server, so I uninstalled the forwarder - then reinstalled it pointing to the correct deployment server  I checked the deploymentclient.conf and it is pointed correctly - restarted the service etc etc. - But none of the deployment apps are showing up on the client - and the DS GUI does not show the the client server in forwarding management Ran a test-netconnection from the Azuer machine to the DS using the DS management port - and got TCP success However, when I run test connection on the DS back to the Azure machine it fails -- Which would lead me to believe there is a firewall or isn't set to bi-directional port etc etc etc. HOWEVER, my DEV setup gives me the exact same test connection failure going    FROM:   the DS  TO:  the Azure client machine ----BUT IT STILL WORKS (data comes in, apps deploy , etc in DEV ) ---so I'm confused That's why I feel like I am taking crazy pills.  Considering doing a full reboot of the client machine, but that is not optimal at the moment.  Thanks! ... View more

hello all, I have a lookup with two fields sourcetype and interval ( like below) ..some of the intervals are in seconds (which is great) - However some are in cron like (14 01 * * *) --I need to change the ones in cron to 86400 ...Any ideas sourcetype interval blah 300 blah2 15 01 * * * * blah3 3600 blah4 18 02 * * * Here is my comically bad regex I've been working with, but cant seem to make it work | rest splunk_server=local /services/data/inputs/script | search (disabled = 0 AND interval=*) | dedup sourcetype | eval output=if(match(interval="(\d+)(\d+).(\d).(*).(*).(*)")),"86400","interval") | table sourcetype interval output Thanks! ... View more

Hey Splunkerinos, Noob Here. The code below tells us what sourcetypes haven't reported in, which is great and all.. However, I need to get a little deeper analysis to determine if we actually care about that sourcetype that hasnt reported in....To do that I need to get the INTERVALS for when these sourcetypes report ...for instance, if i havent heard from a sourcetype in 9 hours, (currently filtering to over a week, but you get my drift) but it only reports every ten hours, then i dont care and then I can blacklist it to keep it from showing up.......perhaps another lookup (multi-column) with sourcetype , interval, blacklist ...Not really sure how i would implement that though ...Thanks for your help ! | tstats latest(_indextime) as lt by host sourcetype | search NOT [inputlookup sourcetype_blacklist.csv | table sourcetype] | eval NOW=now() | eval difftime=NOW-lt | rangemap field=difftime "0 - 60 Min"=0-3600 "1 - 24 Hours"=3601-86400 "1-7 Days"=86401-604800 "1-2 Weeks"=604801-1209600 "2-3 Weeks"=1209601-1814400 default="Greater than 3 Weeks" | eventstats count(host) as tots_hosts by sourcetype | eventstats dc(sourcetype) as tots_st by host | search difftime >= 604801 | eventstats count(host) as ghost_hosts by sourcetype | eval percent_ghost_host = (ghost_hosts / tots_hosts) * 100 | eval percent_ghost_host=round(percent_ghost_host,2) | eventstats dc(sourcetype) as ghost_st by host | eval percent_ghost_st = (ghost_st / tots_st) * 100 | eval percent_ghost_st=round(percent_ghost_st,2) | dedup sourcetype | rename host as Host sourcetype as Sourcetype range as "Time Missing" percent_ghost_host as "This Hosts Percentage Missing to Whole" percent_ghost_st as "This Sourcetypes Percentage Missing to Whole" tots_hosts as "Total Count of Hosts by Sourcetype" tots_st as "Total Count of Sourcetypes by Host" ghost_hosts as "Count of Missing Hosts" ghost_st as "Count of Missing Sourcetypes" | table Host Sourcetype "Time Missing" "Total Count of Hosts by Sourcetype" "Count of Missing Hosts" "This Hosts Percentage Missing to Whole" "Total Count of Sourcetypes by Host" "Count of Missing Sourcetypes" "This Sourcetypes Percentage Missing to Whole" ... View more