Can you try below one tstats summariesonly=t min(_time) as min, max(_time) as max count from datamodel=Web |eval datamodel=Web | append [| tstats summariesonly=t min(_time) as min, max(_time) as max count from datamodel=Malwareeval|eval datamodel=Malwareeval] | append [| tstats summariesonly=t min(_time) as min, max(_time) as max count from datamodel=Intrusion_Detection| eval datamodel= Intrusion_Detection] | eval "Start time"=strftime(min, "%c") | eval "End time"=strftime(max, "%c") | eval "Event count" = count | fields "Start time" "End time" "Event count" datamodel ... View more

trendline command along with timechart might work here. Ex: sourcetype= customermetric customer!= Unknown earliest=-3w |bin span=1h _time | stats sum(trVol) AS volume_hour by user,_time| trendline sma504(volume_hour) AS sma_avg|your logic to caluculate 50 % diff btw hour count vs avg |... search filters ... View more

I tried with a sample data and it does work. Can double check stanzas and file permissions..? Here are the configs i have. (Avoid the spaces in the config file line beginnings) props.conf [your sourcetype] TIME_PREFIX = time=" MAX_TIMESTAMP_LOOKAHEAD = 16 BREAK_ONLY_BEFORE = <telegram MUST_BREAK_AFTER = </telegram> DATETIME_CONFIG = /etc/my_hex_epoch_datetime.xml $SPLUNK_HOME/etc/my_hex_epoch_datetime.xml <datetime> <define name="_hexepoch" extract="hexepoch"> <text><![CDATA[0x([A-Fa-f0-9]{8})]]></text> </define> <timePatterns> <use name="_hexepoch"/> </timePatterns> <datePatterns> </datePatterns> </datetime> ... View more

Can be done in multiple ways. Host lookup (have a lookup uploaded with list of hosts) |inputlookup lookup_hosts.csv|table host | join type=outer host [search index=myindex sourcetype=mysourcetype earliest=-5m | stats count by host ] | search NOT count =* Increase the time frame. index=myindex sourcetype=mysourcetype earliest=-15m|dedup host |table _time host |where _time < now() - 300 Similar to above logic but consider using either _inernal licence metrics or tstats command. ... View more

tstats is super fast and ideal choice to generate the list. But if you are looking for indexing volume along with that , metric data is the best pace to search. Ex: index="_internal" idx=* sourcetype=splunkd source="*license_usage.log"|stats min(_time) AS firstTime max(_time) AS lastTime,sum(b) as bytes_indexed by h idx st |convert ctime(*Time) ... View more

You may need to increase time frame slightly , and use any of splunk aggregation commends. Ex: index=my_index action=POST user=* | transaction user maxspan=30s|where eventcount > 100 This will aggregate the events happened in 30 sec window and filter the users which has more then 100 POST requests. ... View more

Its not a direct approach , but splunk map command comes very handy in these cases. For example in the below scenario i want to change the mail subject / email details by each host name. So i will write the logic on the main search and pass unique host and subject fields to map search. This will send the mail results with pre-defined email id / subject by each host you have. You can alter the mail search logic as it suits your requirement. index=myindex | dedup host|eval new_subject=(if(host=abc),"abc",none) .....etc logic|eval mail_id=If(host=abc,"abc@splunk.com",none).....etc logic | table host new_subject mail_id |map search=" search index=myindex host=$host$ | table _time user action other-fields ..... |eval email_to=$mail_id$ |sendresults showemail=f subject=$new_subject$ body="Body of the email" ... View more

Not sure if understand the question properly , but the the usual search NOT will work right ..? | metadata type=hosts index=xx_prod| search NOT (host=host1 OR host=host2) |eval age = now() - recentTime | eval status= case(age < 1800,"Running",age > 1800,"DOWN") | convert ctime(recentTime) AS LastActiveOn | eval age=tostring(age,"duration") | eval host = upper(host) | table host age LastActiveOn status | rename host as "Forwarder Name", age as "Last Heartbeat(min)",LastActiveOn as "Last Active On",status as Status ... View more

Hi Rajgowd, Can you check the permission of the script " $SPLUNK_HOME/etc/your_app/bin/txt2csv.sh" ..? you need to set something like "chmod 755 txt2csv.sh" and reload splunk one more time. And set the same permissions for commands.conf too. You may have to remove the below part of your script , because you need not redirect the output again , we are going to use it directly at search time right ..? ${configPath}/devices.txt And you can add any script like this in splunk. Once everything is set properly you should see these custom search command from UI too "Settings >>Advanced search » Search commands" You can edit this script directly from bin directory which get updates automatically. ... View more

Hey Rajgowd, I see some cool suggestions here. I believe you are familiar now how sub-search works. index=test_idx source=/var/log/messages ERROR OR Error OR error [inputlookup hostnames.csv | fields ip | format] This actually means index=test_idx source=/var/log/messages ERROR OR Error OR error (IP1 OR IP2 OR IP3.....) And since you mentioned about the script to generate these ip's from sample.conf. You can actually create a custom search command with this script and use it to directly on your search. Steps : Place your script file (.bat, .cmd, .exe, .js, .pl, .py, .sh) under $SPLUNK_HOME/etc/your_app/bin directory. Update/Create commands.conf on $SPLUNK_HOME/etc/your_app/local/ directory. Ex: $SPLUNK_HOME/etc/search/local/commands.conf [rajgowd] file = ip_script.sh - Refresh the app via url "http://SPLUNKHOST:8000/debug/refresh" After these steps you can use this custom command "rajgowd" directly on your search. Ex: index=test_idx source=/var/log/messages ERROR OR Error OR error [ |rajgowd] OR use the script to update lookup and use lookup in the search | rajgowd | outputlookup lookup_ips.csv ... View more

This(30min) has been decided by customer to avoid some performance issues. Can we increase that 1min to 30 if we have time stamp in the logs ..? ... View more

You are welcome. Also you can try the below app which gives slimier trends for monitoring Splunk users and searches ..etc https://splunkbase.splunk.com/app/3241/ ... View more

You can also hard-code the unique server name in server.conf on each box. This will appear on host value on all the logs that server is indexing. [general] serverName = your-custom-name ... View more

This should give you unique no of users count and total failed attempts by each month. You may need to change the user filed name as per your log data. index=networksecurity Protocol=Radius signature=Failed_Attempts earliest=-6mon@mon latest=@mon|timechart span=1mon dc(user) AS Users_Count,count(signature) AS Total_Failed_Attempts ... View more

Yes , only the new data.Its an application log file the data only gets appended. ... View more

Can you try with below case statement ? | eval result=case(type<=3 AND id="NULL","Class0Singles",type<=3 AND id!="NULL","Class0Multis",type>3 AND id="NULL","Class1Singles",type>3 AND id!="NULL","Class1Multis")|stats count by result ... View more

Cool , its working great. Thanks ... View more