Hello everybody (皆おはようございます) I have a new request for all members 🙂 This search : sourcetype=sccm |streamstats count current=t reset_on_change=true by date_wday,date_month,date_hour,date_minute,date_second, Service_Status | table count, Service_Status,Service_Name Result : count Service_Status Service_Name 1 Found service XDSnscls 2 Found service XDSsnaptunnel 3 Found service XDSclm 4 Found service XDSsdsd 5 Found service XDSsccm 6 Found service XDSsccmms 7 Found service XDSdss 8 Found service XDSauth This is the same pattern every time and I wish to create an alert. For example : Verify the list of Service_Name and if one of them isn't in the list, I have an alert. Thanks for your help. Best regards Laurent ... View more

Hi Splunkers, The partner of my company send me a new log file with more details..... i do apologise for the inconvenience。 本当にごめんなさい！！！ On the new log file , I have an event to define the beginning : LOG IN -- > Mar 1 21:45:41 XDSauth: 1488433541 |ConnectorSession.setNextServiceName |next service name = X Mar 1 21:45:41 XDSauth: 1488433541 |ServiceHdlr.serviceTerminated |next service = X LOG OUT --> Mar 1 21:47:05 XDSauth: 1488433625 |ServiceHdlr.serviceTerminated |next service = X Where X is the user name. But the problem is : ServiceHdlr.serviceTerminated I have this event twice. One after ConnectorSession.setNextServiceName and the next is to define the end of connection. I tried a new approach : sourcetype=XDSauth | fieldformat Epoch_Time = strftime(Epoch_Time, "%F %T.%3N") | rex field=_raw ".*\d+\|.+\|\d+\|(?<fld_key>[^ ]+)\s.*" | where User="WIN7-007" |table User, Status , Epoch_Time , fld_key |streamstats count current=t reset_on_change=true by fld_key Result : User Status Epoch_Time fld_key count WIN7-007 ServiceHdlr.serviceTerminated 2017-03-02 14:47:05.000 145c414 1 WIN7-007 ServiceHdlr.serviceTerminated 2017-03-02 14:45:41.000 3a4822 1 WIN7-007 ConnectorSession.setNextServiceName 2017-03-02 14:45:39.000 3a4822 2 If it's possible I would like to obtain this result : User Status Epoch_Time fld_key count WIN7-007 ServiceHdlr.serviceTerminated 2017-03-02 14:45:41.000 3a4822 1 WIN7-007 ConnectorSession.setNextServiceName 2017-03-02 14:45:39.000 3a4822 2 Delete the ServiceHdlr.serviceTerminated line where fld_key of ServiceHdlr.serviceTerminated is different than fld_key of ConnectorSession.setNextServiceName Have a nice day Laurent ... View more

Hi everybody, I have a problem with a log file to search the log In and log Out event. pattern : Line 2 --> Mar 1 21:47:05 XDSauth: 1488433625 |ServiceHdlr.serviceTerminated |next service = X Line 1 --> Mar 1 21:45:41 XDSauth: 1488433541 |ServiceHdlr.serviceTerminated |next service = X ( XDSauth: --> Epoch Time , I converted the format : | fieldformat Epoch_Time = strftime(Epoch_Time, "%F %T.%3N") ) I search a solution to tag the Line 1 --> Log IN and Line 2 --> Log OUT If anybody has an idea or advice , I'm more than interested ^_^ Thanks, Laurent ... View more

Hello, I have a problem on xml code. I try to populate a radio menu button. I have all good entries but every time i receive this message : Duplicate values causing conflict code : <input type="radio" token="sourcetype1"> <label>Source</label> <search> <query>host=WIKI sourcetype="secure*.log"</query> </search> <fieldForLabel>sourcetype</fieldForLabel> <fieldForValue>sourcetype</fieldForValue> </input> I think the problem is with fieldForLabel and fieldForValue : same name How can there values renamed ? Best regards, Laurent ... View more