Hi, Below are the three different source types from which I am trying to get the specific values as highlighted. sourcetype: cg_log 2017-02-15T05:47:45.107+1100: 123564.781: [GC 123564.781: [ParameterNew: 637043K, 0.004 secs] 120590K->600476K(20761856K), 0.004 secs] sourcetype: resp_log 2017-02-15 05:51:09.012890 id:155678,name:[AB05:RMS] Prod: apacheweb : Pool15 application pool,hostname:apacheweb.com,resptime:1378 sourcetype: jmx 2017-02-14 15:49:53 apacheweb.eu.com 318568616 Can someone please help me with the search . Below is the search i tried so far, > sourcetype=cg_log GC [search > sourcetype=resp_log resptime | table > resptime GC] ... View more

Hello, Can i please know how to get the all forwarders IP addresses that a reporting to splunk without use of internal index as some of the users don't have access to the internal data . Therefore, searches created with index=_internal will not work for those people. Is there anyway to create the search without of the use of that to get the all forwarders IP's ? ... View more

Hello, below is my search . Since i am using join , search is slow . Can i please know if there is a way to increase the speed of the search rather than absolutely specifying the index. | tstats max(time) as lastReport WHERE splunk_server_group=abc index=*_abc* OR index=main by host | eval LastReported=strftime(lastReport,"%m/%d/%y %H:%M:%S") | table LastReported host |join host [search index=_internal hostname=* | stats count by hostname sourceIp| rename hostname as host ] ... View more

Hello, Can someone please help me to build a query that will display hostname , IP address , last reported by the forwarder. If i use the index= star host= star , that will be too much load on the indexers . Is there any better way to grab those metrics. ... View more

Hi, Below is the query i am using to get the hostname , IP addresses and last reported to splunk . | metadata type=hosts index=apache_web splunk_server_group=abc | search [ | makeresults | eval host= apacheweb123 | table host | makemv host delim=" " | mvexpand host | eval host="".host."" | format ] | table host | append [ | makeresults | eval host=apacheweb123 | table host | makemv host delim=" " | mvexpand host ] | join [ search index=_internal hostname=* | stats count by hostname sourceIp | table hostname sourceIp | rename hostname as host ] But the above search is not working when the server group is mentioned but i need server groups to make search faster over a large data . Any help to get the hostname , IP address , Last reported by including splunk_server_group would be appreciated. ... View more

Hi, Can i please know how to calculate the log size per day for a specific source or a sourcetype reporting to splunk. ... View more

Hi, I have an app that is not getting deployed to forwarder but there is telnet connection to port 8089 from deployment server to forwarder and vice-versa. i have white-listed the IP address in the serverclass but app is not getting deployed on the forwarder. Any troubleshooting help would be appreciated . ... View more

Hello, Since i am new to Splunk, i'm having hard time understanding and writing the transforms for varying password lengths. It would be great if someone could help me with transforms to mask the username and password. As you may have noticed the password is not of fixed length–it varies for each event. SAMPLE DATA: 192.56.052.10 32.200.12.677, 123.23.234.31 - - [08/Feb/2016:16:41:44 -0500] "GET /login?company=monitorabc34adte1&bplte=&username=admin&password=welcome234 HTTP/1.1" 505 12345 "-" "alexa.com_bot_version_1.4_(http://www.alexa.com/)" "-" "asjenkwqjdqcqwjdncqkwddwc" "-" 0 192.56.052.10 32.200.12.677, 123.23.234.31 - - [08/Feb/2016:16:41:44 -0500] "GET /login?company=D0110&bplte=&username=grante&password=abc123 HTTP/1.1" 505 12345 "-" "alexa.com_bot_version_1.4_(http://www.alexa.com/)" "-" "asjenkwqjdqcqwjdncqkwddwc" "-" 0 192.56.052.10 32.200.12.677, 123.23.234.312 - - [08/Feb/2016:16:41:44 -0500] "GET /login?company=1234567u&username=asqwdcfVPOE$rV&password=ssqwerfV78#deQA&tklogin_key=abcdefg123 HTTP/1.1" 302 - "https://www.google.com/URLredirected/abc" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) mywebkit/537.36 (KHTML, like appesi) Chrome/62.0.3202.94 Safari/537.36" "-" "asdqwdqwdsfdewwichedf" "-" 0 ... View more

Hi, Below is the query which generates the table output. index=abc sourcetype=report | table company_id , company_name OUTPUT company_id company_name published1 microsoft published3 google Published4 apple Can someone please help me on how can I get the company_id , company_name is one field. something like below: Result published1,microsoft published23,google published4,apple ... View more

Hi, Below query is using the CSV, can I please know how the CSV file is being generated like whether is there any query that is generating it , etc. | inputlookup webaccess.csv | tail 14 | reverse ... View more

Hi, I can ping Telnet 8089 from forwarder to deployment server, but when I push the app from deployment server, it is not reflected in the forwarder (serverclass is correctly configured). Can I please know: 1. How do you troubleshoot this kind of issue? 2. What port number do deployment servers use to communicate with the forwarder? ... View more

Hi there, Below is the query for which i need the multi field value for job type and organization. index=abc sourcetype=xyz source="/var/log/companies" Status=finished| eval time=strptime(ScheduleTime, "%Y-%m-%d %H:%M:%S") |eval st=strptime(WorkerStartTime, "%Y-%m-%d %H:%M:%S.%3N") | eval et=strptime(WorkerEndTime, "%Y-%m-%d %H:%M:%S.%3N") | eval duration = et - st| table Schedule_time , Type, Name, organization, Host, length output Schedule_time JobType JobName Organization Host length 2017-11-30 00:00:00.000 abc compact Google apacheweb 73689.96 ... View more

Hi, Below is the search I am using to find the report_ID values that have top count. index=apache_web sourcetype=apache_hots host=abc | stats count by report_ID Below is the output of the above query. report_ID count 17615 25 12344 4 12435 2 11084 6 12181 9 13314 3 13945 2 13955 2 But i would like to see the visuali zation that shows when the report_ID occurred. For example, if the report_ID 17615 has 25 count but i would like to see time series visualization. ... View more

Hi, Below is the sample logs and I want to see the how many events generated from each server. Since there are different servers with different format , field extractions is not working . Can I please know how to write a query to display events generated by each server. (highlighted are the server names) 2016-11-15 13:35,123124e3,ADA,22361,jobtype event Jun 08 17:23:53 EDT 2017,admin,COMPLETED,2017-11-15 00:00:00.000,2017-11-15 00:00:00.000,2017-11-15 00:00:59.372,2017-11-15 00:00:59.564,apache34,,0,P3, 2016-11-15 13:35,123124e3,ADA,22361,jobtype event Jun 08 17:23:53 EDT 2017,admin,COMPLETED,2017-11-15 00:00:00.000,2017-11-15 00:00:00.000,2017-11-15 00:00:59.372,2017-11-15 00:00:59.564,ab-12312312.xy12.absv.api.comm,,0,P3, ... View more

Hi , Below are the two queries for which I am trying to join the output of the both queries but I am facing an issue as Search Factory: Unknown search command 'index'. First query index=apache* sourcetype=access_log host=xyz OR host=abc | timechart span=10m count as requests_per_minute Second query index=apache* sourcetype=web_logs host=cde OR host=wxy | table BClog When I tried the both append and join it is not working . index=apache* sourcetype=access_log host=xyz OR host=abc | timechart span=10m count as requests_per_minute | join [ index=apache* sourcetype=web_logs host=cde OR host=wxy | table BClog ] index=apache* sourcetype=access_log host=xyz OR host=abc | timechart span=10m count as requests_per_minute | append [ index=apache* sourcetype=web_logs host=cde OR host=wxy | table BClog ] ... View more

Hi , Below is the query that will run over last 2 weeks of data but I want an alert to trigger only if "good count" is greater than 4 in last 24hrs . index=abc sourcetype=abc| stats max(resptime) as responstime by _time, name | eval absDev=(abs('response'-median)) | streamstats window=1000 current=true median(absDev) as medianAbsDev by "name" | eval lowerBound=(median-medianAbsDev*exact(20)), upperBound=(median+medianAbsDev*exact(20)) | eval isgoodcount =if('response' < lowerBound OR 'response' > upperBound, 1, 0) | stats sum(isgoodcount) as "good count" by "name" | where 'good count'>4| sort -"good count" ... View more

Hi, I am using the timezone converting attribute " _tzhint" to convert EDT to UTC . This attribute was able to convert events timestamp to UTC but it is only converting only very few events, but not all. Below is the how configuration looks. when I use "TZ=UTC" splunk is not converting to UTC timezone , it is still using system time that is the reason I used _tzhint [monitor:///web/appache.log] disabled = false followTail = 0 _tzhint=UTC index = apache_web sourcetype=web_logs ... View more

Hi there, I started using splunk machine learning but trying to understand on how to use forecast time series. Can someone please explain what is the holdback , future timespan. When i read the documentation and try to set the values is throwing an error "External search command 'predict' returned error code 1."I am also trying to understand all the methods like LLP5,LL,LLP,LLT. It would be great, if someone could be help to understand the forecast time series in ML. ... View more