Hi
I have written these additions for the props and transforms. I have added them to Splunk_TA_bluecoat-proxysg/local/props.conf and Splunk_TA_bluecoat-proxysg/local/transforms.conf.
props.conf
[bluecoat:proxysg:access:syslog]
REPORT-auto_kv_for_bluecoat_v6 = auto_kv_for_bluecoat_v6_5_x,auto_kv_for_bluecoat_v6_6_x
transforms.conf
[auto_kv_for_bluecoat_v6_6_x]
REGEX = (?:"([^"]+)"|(\S+))\s+(?:"(\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,2}:\d{1,2}:\d{1,2}))\s+(?:"(\d+)"|(\d+))\s+(?:"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))
FORMAT = date::$1 date::$2 time::$3 time::$4 time_taken::$5 time_taken::$6 c_ip::$7 c_ip::$8 cs_username::$9 cs_username::$10 cs_auth_group::$11 cs_auth_group::$12 s-supplier-name::$13 s-supplier-name::$14 s-supplier-ip::$15 s-supplier-ip::$16 s-supplier-country::$17 s-supplier-country::$18 s-supplier-failures::$19 s-supplier-failures::$20 x-exception-id::$21 x-exception-id::$22 sc-filter-result::$23 sc-filter-result::$24 cs-categories::$25 cs-categories::$26 cs_Referer::$27 cs_Referer::$28 sc_status::$29 sc_status::$30 s-action::$31 s-action::$32 cs-method::$33 cs-method::$34 rs_Content_Type::$35 rs_Content_Type::$36 cs_uri_scheme::$37 cs_uri_scheme::$38 cs_host::$39 cs_host::$40 cs_uri_port::$41 cs_uri_port::$42 cs_uri_path::$43 cs_uri_path::$44 cs_uri_query::$45 cs_uri_query::$46 cs_uri_extension::$47 cs_uri_extension::$48 cs_User_Agent::$49 cs_User_Agent::$50 s_ip::$51 s_ip::$52 sc_bytes::$53 sc_bytes::$54 cs_bytes::$55 cs_bytes::$56 x_virus_id::$57 x_virus_id::$58 x_bluecoat_application_name::$59 x_bluecoat_application_name::$60 x_bluecoat_application_operation::$61 x_bluecoat_application_operation::$62 cs_threat_risk::$63 cs_threat_risk::$64
These seem to work fine from my testing; however, in my testing I noticed that the odd event (less than 0.00001%) in my dataset had exceeded the default TRUNCATE limit of 10000 bytes, so I also increased my TRUNCATE value to 20000 for the [bluecoat:proxysg:access:syslog] stanza in props.conf.
I hope this helps anyone else that is having challenges with the additional fields being sent by bluecoat 6.6.x devices.
Thanks
Darren
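As an added example, not part of Darren's post or of the Bluecoat TA, the script below rebuilds the same quoted-or-unquoted field pattern from the field list in the FORMAT line, so you can check offline that the number of capture groups matches the FORMAT mapping ($1 to $64) and that a sample line extracts as expected before touching transforms.conf. The access log line it parses is constructed for this example, and the TRUNCATE check measures bytes, which is the unit Splunk's TRUNCATE setting uses.

```python
import re

# Field order for the Bluecoat ProxySG 6.6.x access log, as listed in the
# poster's FORMAT line. The device may emit any field quoted or unquoted.
FIELDS = [
    "date", "time", "time_taken", "c_ip", "cs_username", "cs_auth_group",
    "s-supplier-name", "s-supplier-ip", "s-supplier-country", "s-supplier-failures",
    "x-exception-id", "sc-filter-result", "cs-categories", "cs_Referer", "sc_status",
    "s-action", "cs-method", "rs_Content_Type", "cs_uri_scheme", "cs_host",
    "cs_uri_port", "cs_uri_path", "cs_uri_query", "cs_uri_extension", "cs_User_Agent",
    "s_ip", "sc_bytes", "cs_bytes", "x_virus_id", "x_bluecoat_application_name",
    "x_bluecoat_application_operation", "cs_threat_risk",
]

# Type-constrained sub-patterns used by the poster's regex for three fields;
# every other field is "anything non-blank" (quoted) or "\S+" (unquoted).
SPECIAL = {
    "time": r"\d{1,2}:\d{1,2}:\d{1,2}",
    "time_taken": r"\d+",
    "c_ip": r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}",
}

# Splunk's default TRUNCATE value (bytes), as quoted in the post.
DEFAULT_TRUNCATE = 10000


def build_regex(fields=FIELDS):
    """Build the transforms.conf REGEX: two capture groups per field,
    group 2i+1 for the quoted form and group 2i+2 for the bare form."""
    parts = []
    for name in fields:
        if name in SPECIAL:
            p = SPECIAL[name]
            parts.append(f'(?:"({p})"|({p}))')
        else:
            parts.append(r'(?:"([^"]+)"|(\S+))')
    return re.compile(r"\s+".join(parts))


def build_format(fields=FIELDS):
    """Build the matching transforms.conf FORMAT line (name::$odd name::$even)."""
    return " ".join(f"{n}::${2 * i + 1} {n}::${2 * i + 2}" for i, n in enumerate(fields))


def parse(line, fields=FIELDS):
    """Extract the fields from one access log line the way the REGEX/FORMAT
    pair would: whichever of the two alternatives matched supplies the value."""
    m = build_regex(fields).search(line)
    if not m:
        return None
    out = {}
    for i, name in enumerate(fields):
        quoted, bare = m.group(2 * i + 1), m.group(2 * i + 2)
        out[name] = quoted if quoted is not None else bare
    return out


def exceeds_truncate(line, limit=DEFAULT_TRUNCATE):
    """True if the raw event is longer than TRUNCATE (measured in bytes)."""
    return len(line.encode("utf-8")) > limit


# Constructed sample line with all 32 fields; quoted fields contain spaces.
SAMPLE_LINE = (
    '2016-03-01 10:15:32 120 10.0.0.25 jsmith "Domain Users" www.example.com '
    '93.184.216.34 "United States" - - OBSERVED "Search Engines/Portals" - 200 '
    'TCP_HIT GET text/html http www.example.com 80 / - - '
    '"Mozilla/5.0 (Windows NT 6.1)" 10.0.0.1 1024 512 - "Web Browsing" - 1'
)

if __name__ == "__main__":
    rx = build_regex()
    print("capture groups:", rx.groups, "(expect", 2 * len(FIELDS), ")")
    print("FORMAT =", build_format())
    for k, v in parse(SAMPLE_LINE).items():
        print(f"{k:36} {v}")
    print("over TRUNCATE:", exceeds_truncate(SAMPLE_LINE))
```

Run it against a handful of real lines exported from your own ProxySG before changing local/transforms.conf: if parse() returns None for a line, the device is emitting a different field count or order than the FORMAT assumes, and the Splunk extraction would silently produce no fields for that event.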