The trick is to use "case" eval function:   count(eval(action="allowed")) as allowed count(eval(action="blocked" OR action="dropped")) as blocked values(eval(case(action="allowed", count))) as allowed values(eval(case(action="blocked" OR action="dropped", count))) as blocked   ... View more

I only needed to rename the passwords.conf file and restart the service to update the password: $SPLUNK_HOME$/etc/apps/TA-QualysCloudPlatform/local/passwords.conf ... View more

The data model acceleration setting "Maximum Concurrent Summarization Searches" defaults to 3, which means they won't run well on a 16 core system. It should help to bump these down to 1 across the board, then increase it for searches that need more horsepower. The Data Model Audit dashboard (/app/search/datamodel_audit) is handy for tuning the acceleration jobs. ... View more

I've found the stat functions 'earliest' and 'latest' work best for time-dependent field reporting: ... | stats latest(_time) as _time, latest(X) ... View more

I use dedup instead of subsearches to identify New (over 'All time' range) or Infrequent (over 'Last X days' range) event types, for example: sourcetype=WinEventLog* | dedup host, LogName, SourceName, EventCode sortby +_time | eval epochevent=_time | eval epochwindow=relative_time(now(), "-1d" ) | where epochevent>=epochwindow | table host, LogName, SourceName, EventCode, Message, _time Change "-1d" in the search to narrow or broaden the differential range and schedule your alert to the same frequency. ... View more

Resolved by including the props.conf and transforms.conf file on the forwarder along with inputs.conf, which are required to perform INDEXED_EXTRACTIONS per the document Extract fields from files with structured data. ... View more

Also confirmed the same issue with Bro 2.5 installed using the CentOS 7 RPM from: https://www.bro.org/download/packages.html ... View more

I'm running into the same issue with EPEL bro-2.4.1-3.el7.x86_64 on CentOS 7 and Splunk 6.5.1. Sourcetype is set correctly, but the dynamic field extraction process isn't working: props.conf: [bro] SHOULD_LINEMERGE = false TRUNCATE = 0 MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = %s.%6N TRANSFORMS-BroAutoType = BroAutoType, TrashComments INDEXED_EXTRACTIONS = TSV FIELD_HEADER_REGEX = ^#fields\t(.*) FIELD_DELIMITER = \t FIELD_QUOTE = \t Sample conn.log header: #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path conn #open 2017-02-07-16-24-39 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] ... View more