We search thru the logs of switches and there are some logs that are unconcerning if you just have a couple of them like 5 in an hour. But if you have more than 50 in an hour, there is something wrong and we want to raise an alarm for that. The problem is, i cannot simply search back in the last hour and show me devices that have more than 50 results, because i would not catch the issue that existed 5h ago. So i am looking into timecharts that do a statistic every hour and then i want to filter out the "charts" that have less than x per slot. What i came up with is this (searching the last 24h): index=network mnemonic=MACFLAP_NOTIF | timechart span=1h usenull=f count by hostname where max in top5 But this does not work as i still get all the timechart slots where i have 0 or less than 50 logs logs. So imagine following data: switch01 08:00-09:00 0 logs switch01 09:00-10:00 8 logs switch01 10:00-11:00 54 logs switch01 11:00-12:00 61 logs switch01 12::00-13:00 42 logs switch02 08:00-09:00 6 logs switch02 09:00-10:00 8 logs switch02 10:00-11:00 33 logs switch02 11:00-12:00 29 logs switch02 12::00-13:00 65 logs So my ideal search would return to me following lines: Time Hostname Results 10:00-11:00 switch01 54 11:00-12:00 switch01 61 12::00-13:00 switch02 65   The time is not that important, im looking more for the results based on the amount of the result.  Any help is appreciated. ... View more

I am trying to get logs from a firewall into splunk. Usually i work with regex to extract the fields, but these logs dont come in a predictable manner, so the fields are not always there, or in the same order. So what i try to do is let splunk automatically detect the fields for itself. Given following example raw log:   2021-02-15T09:50:22Z %FTD-6-430002: EventPriority: Low, DeviceUUID: ef9c5cce-2400-11eb-a8f2-ce5d579dab29, InstanceID: 5, FirstPacketSecond: 2021-02-15T09:50:22Z, ConnectionID: 26265, AccessControlRuleAction: Allow, SrcIP: 195.180.144.165, DstIP: 172.16.20.86, SrcPort: 49609, DstPort: 443, Protocol: tcp, IngressInterface: INT_DMZ_External, EgressInterface: INT_LAN, IngressZone: DMZ_External, EgressZone: LAN, IngressVRF: Global, EgressVRF: Global, ACPolicy: Merbag Default Access Control Policy, AccessControlRuleName: WAP2LAN, Prefilter Policy: Merbag Default Prefilter Policy, Client: SSL client, ApplicationProtocol: HTTPS, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 389, ResponderBytes: 70, NAPPolicy: Balanced Security and Connectivity, URLReputation: Unknown, URL: https://adfs.company.com   I have tried lots of things in props.conf but sadly, nothing seems to work.   [firewall] category = Network & Security TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ TZ = Europe/London KV_MODE = auto FIELD_DELIMITER = , HEADER_FIELD_DELIMITER = :   So the first 3 lines work great, but the last 3 lines dont seem to work at all. Sadly, there is not onboard GUI in splunk where i can run the config against a log and see the output live. Its just editing the config file and restarting the service over and over again. It would be helpful if there were actual examples (config & example log) in the documentation. ... View more