Thanks! this work for me totally! ... View more

@LukeMurphey Works perfectly. Thank you for getting this deployed, it is much appreciated. ... View more

Yeah the previews showed up for me eventually too - it seems like a strange sporadic bug. I'm still not seeing any results even with the OUTPUTNEW command. Support hasn't found a fix for this yet for me, it seems like this may have shipped prematurely? ... View more

Ok, so utilizing the field extractions for the End Session time is all that would be needed then, since the start time is associated to Start Session time, then just use the eval to translate the string to an epoch time and then subtracting the two to get the second difference. I guess I will go with that, I was just trying to see if there was a different/better way of going about it. Thanks. ... View more

I've finally got round to re-test this. Thanks for the comment. I have updated the transforms and .csv file but the lookup is still not happening. The query completes but no loookups in the Manufacturers column. Transforms [splunk@lab local]$ more transforms.conf [ieee-mac-oui] filename = ieee-mac-oui.csv match_type = WILDCARD(Vendor_MAC) ieee-mac-oui.csv [splunk@lab lookups]$ head ieee-mac-oui.csv Vendor_MAC,Manufacturer 000000,XEROX CORPORATION 000001*,XEROX CORPORATION 000002*,XEROX CORPORATION 000003*,XEROX CORPORATION 000004*,XEROX CORPORATION 000005*,XEROX CORPORATION 000006*,XEROX CORPORATION 000007*,XEROX CORPORATION 000008*,XEROX CORPORATION Query The MAC address field is mac index=windhcp | lookup ieee-mac-oui Vendor_MAC as mac OUTPUT Manufacturer | table hostname, mac, src_ip, Manufacturer This query now works but some entries does not show the Manufacturer. Will need to double-check the ieee-mac-oui.csv. Thanks for all the help. I will mark this as answered. ... View more

So I tried to insert new set of data and added the index at that time only (via preview option) as "target". It works now, and its corresponding inputs.conf file was created in "\app\search\local\" folder. Could you tell me now what was I doing wrong also for my index it says App as launcher. So shouldn't it be created inside "\app\launcher\local" folder instead. ... View more

Thank you.. overlooked tostring() function 🙂 ... View more

source="dbmon-tail://idwarehouse/idw_account" application=TFAYD [|inputlookup execSSO.csv |rename sso as owner] |eval exp_date=strftime(relative_time(now(),"+90d@d"), "%Y/%m/%d %H:%M") |rename lastPasswordChange as lastpasswordchangedate This is search is calculating the exp date is 90 days from today date . I am trying to get lastPasswordChange date to 90days exp date. my output, application =TFAYD exp_date =2014/12/25 00:00 lastpasswordchangedate =2014-08-06 11:11:43 owner =501936069 refreshedDate =2014-09-26 12:16:36 sourcetype =mysql The now() command is returning the current date , so this query is returning the exp_date =2014/12/25 00:00 , i want to return lastpasswordchangedate, so that i will get exp date 90days calculating from lastpasswordchangedate . lastpasswordchangedate is a one of the field in splunk , i want to return this field value in splunk (lastpasswordchangedate =2014-08-06 11:11:43) , so that i can get the exp_date value 90days from the lastpasswordchange date , in the same place , instead of now() , if i place lastpasswordchangedate it is not returning the lastpasswordchangedate value ... any one can help on this ..... Thanks and Regards, Siraj ... View more

Just as a note, when using append and you have more than 100,000 events returned, anything after the 100,000 will be a blank result. However, you can still pipe the search to say table and/or stats and be able to utilize the data, just can't view the events past that, I am sure there is a setting to increase that before someone replies to this 🙂 . ... View more

Hey guys, I've put together a small article addressing some of those issues with transactions, happy to receive feedback! http://foren6.wordpress.com/2014/11/18/why-is-my-splunk-transaction-not-working/ ... View more

gkanapathy, I would agree with your response, but it would not work in my circumstance (at least with my current knowledge). below is the query that I was trying to do as a Subsearch but was unable to get it to work properly because of what myself and MuS explained above and below. sourcetype=checks check_number=XXX | eval earliest=strftime(_time-2, "%m/%d/%Y:%H:%M:%S") | eval latest=strftime(_time+2, "%m/%d/%Y:%H:%M:%S") | fields + earliest, latest, sourcetype | format "" "(" "" ")" "OR" "" ... View more

I have stopped working on this piece due to the random number of errors that can be thrown, as there is no consistency. I appreciate the help, but will need to address at a later time after modifications to the logs can be done. ... View more

This is also very slow! I had to use sampling to get some results. 1. Can someone explain why its slow? 2. Any other suggestions to speed it up? ... View more