Here is the search string I used to test. Please note that field=orig_field will need to be adjusted to whatever the field name is in question, can even be _raw | makeresults | eval orig_field="error occurred from the server ABCXYZ12345ABCXYZ under lenderprice hop" | rex mode=sed field=orig_field "s/(?i)server\s+(\S+)\s+under/XZXYYZZ/g" ... View more

What UF version is this? Recently, Splunk switched over to making the UFs register as splunk . That way the systemd name is same between a Splunk "full" install or UF. Try this command to see what it is registered: systemctl -l | grep -i splunk ... View more

This is a good question! I've got some ideas but need to build a test case for this. I'm thinking that if I make the GUID and "serverName" on each UF the exact same, it MAY de-duplicate the data because from the indexer(s) perspective, it is coming from the same place (but of course this is just a theory at the moment) ... View more

You've verified that you are pushing to the nominated/dynamic "captain"? #Linux $SPLUNK_HOME/bin/splunk show shcluster-status #Windows %SPLUNK_HOME%/bin/splunk show shcluster-status The nominated "captain" will be at the top. ... View more

allenedmondson, Glad it worked out for you! ... View more

mlevsh, By chance, does the 'dev' or the 'production' server have a proxy in-line? If so, are you doing SSL interception? ... View more

lguinn, This makes sense but I find it interesting that making a TCP input through the Splunk Web GUI lead me to believe you could put multiple hosts within the monitor line. Adam ... View more

Here is a system built input example, yours is no different than mine: [tcp://test1.foobar.net,tada.foo.net:9000] connection_host = dns sourcetype = cisco_syslog [tcp://172.16.100.99,172.16.200.25,172.16.230.*:9001] connection_host = ip sourcetype = cisco_syslog You're restarting Splunk after making changes, correct? ... View more

kennybirdwell, Your first stanza is the correct format, that is exactly how you do multiple hosts. I would check to be sure (if you are using DNS names as inputs) that they can be resolved by Splunk. If they are statically IP'd machines and you don't want to rely on DNS being available, you could use (although frowned upon), UNIX: /etc/hosts OR WINDOWS: C:\Windows\System32\Drivers\etc\hosts Adam ... View more

ddrillic, The use of regular expressions within a blacklist is allowed. The use of regular expressions within [monitor://....] is not allowed. ... View more

The default appears to be 7 Days of acceleration for Firewall Logs, Endpoint Logs, and Wildfire Malware Reports. I'd run the search below to determine the usage per day against your Palo Alto Indexes and Summary indexes to be able to project an average monthly usage by Palo Alto. The search will return a day by day basis of usage per Index. index=_internal source="*license_usage.log*" type=Usage | eval yearmonthday=strftime(_time, "%Y%m%d") | eval yearmonth=strftime(_time, "%Y%m%d") | stats sum(eval(b/1024/1024/1024)) AS volume_b by idx yearmonthday yearmonth | chart sum(volume_b) over yearmonth by idx ... View more

tragiccode, I do not know of a way to do what your example is asking but you can quickly help the user understand which index they come from by how you present the results. Example, appending a table command to the end of your existing search: index="log4net" OR index="wineventlog" AND wineventlog:Type="Error" OR log4net:level="Error" earliest=-1h latest=now | table host source sourcetype index _raw ... View more

MonkeyK, ddrilic brings up a good point, what level of data acceleration is your PA App set to? Limiting the amount of historical data to accelerate will significantly reduce the summary index consumption. ... View more

coolarnie, The author of the app has a github page, but unfortunately that shows the latest commit as May 2015. The app should install on 6.5 just fine but it is not currently supported so your mileage may vary on capabilities. ... View more

MonkeyK, When you say "...approach the size of the total indexed data", what do you mean? Total indexed data over the last two months or today? Summary indexes are great for large time window searches such as annual reporting, so they will be a subset of your overall indexed data. ... View more

Morning tragiccode, The default fields for each event that are returned in a search are as follows: host, index, linecount, punct, source, sourcetype, splunk_server, timestamp and the default selected fields are: host, source, sourcetype index is included as a default but not selected. Therefore, do you have a specific output you were looking for? ... View more

bshuler, According to the details for the App, it is on the "Future Roadmap", snippet from details below: URL => Splunk DUO App Details .... Future roadmap: -Add CIM compatibility. -pre-built reports. .... ... View more

You are correct, direct CPU utilization is related to what you said: CPU utilization = %user + %nice + %system My answer above was simply to elaborate on what you had stated in your question as the description for %IOWAIT. ... View more

They should be mapped automatically because the built-in searches are looking for a specific set of sourcetypes. You are using the Windows TA to pull the DNS server logs into Splunk, correct? How do you view the current DNS logs, via search or the Windows Infrastructure App? ... View more

I do not have an ES instance in front of me at the moment but DNS activity dashboard should be using specific sourcetype searches to find the corresponding data. ... View more

Try this out: search ... | eval severity=case(match(category,"INFO"), "Informational", severity) ... View more

You're welcome! Glad it worked for you! ... View more

kiyoshi miyake, %IOWAIT is the amount of time the CPU waited (in an idle state) for an INPUT/OUTPUT device (Hard drive usually) to respond to its request. Running the 'iostat' command (if on a NIX platform) will yield a lot more information and help you to diagnose an issue with I/O. ... View more