If I want to use Splunk to monitor event logs on laptops that will be on and offline with some frequency, how does Splunk deal with alerting and summary indexing on data that comes in much later than the original event? Will an event that contains a much older timestamp trigger a realtime alert when the indexer sees it for the first time? What about periodic summary indexing? If I run a summary indexing search every hour and Splunk receives events from a laptop with timestamps that are 24 hours old, will those events show up in the search for events from the last hour? Thx. Craig ... View more

If I have a web application that wants to access Splunk data via the REST API, what is the performance impact on Splunk? Since it doesn't have to render any dashboards, I would think it would be faster...? Thx. Craig ... View more

Is there a search that will show me what time all searches are scheduled for over a 24 hour period? Broken out by minute? I think our indexer is getting overloaded by a bunch of searches that all kick off at the same time. I'd like to see what minutes of the day have the most amount of searches scheduled for them. Thx. ... View more

I would like to build a dashboard that contains form fields for the start time/date and end time/date of a series of searches. I want to have about seven searches on the dashboards that take the time value from the form and then sends those searches to the background (where they will create a CSV file). Is it possible to send a search to the background using a search command? Thx. Craig ... View more

Whenever we upgrade a 4.1 server to 4.2.1, Splunk reverts to the enterprise trial license. When I look in the etc directory, I no longer see a splunk.license file. Even after I have added the license to Splunk via the GUI. We're going to need to upgrade Splunk to 4.2 on over three hundred servers. How can I automate applying the license to those servers after they are upgraded to 4.2.1? And really, guys... Shouldn't the license survive the upgrade procedure? Thx. ... View more

We're seeing a ton of the following messages on startup after upgrading to 4.2: Possible typo in stanza [XXXXXXX] in D:\Splunk\etc\apps\search\local\eventtype s.conf, line 77: viewstate.resultView = normalView What modifications do we need to make to our saved searches to make these errors go away? ... View more

If I have a bunch of events in a tabular format that I wish to search for various charts on a dashboard, is it faster to input the events with inputlookup or is it better to save them in a summary index and search the index? Thx. Craig ... View more

I have Nessus event data that looks like this: 4/7/11 5:26:42.000 PM 10.11.5.10 host_end Thu Apr 7 17:26:42 2011 4/7/11 5:23:58.000 PM 10.11.5.10 10.11.5 irdmi (8000/tcp) 33817 4/7/11 5:23:58.000 PM 10.11.5.10 10.11.5 irdmi (8000/tcp) 47830 4/7/11 5:19:22.000 PM 10.11.5.10 10.11.5 irdmi (8000/tcp) 10815 If I want all of the events for 10.11.5.10 to have the timestamp of the result that contains host_end, what's the best way to do that? I've tried using transaction to group the events and then use rex and mvexpand to pull them out again. The problem is that those field extractions are really expensive when you're dealing with 50,000 events in a vulnerability scan. Any help would be appreciated. Thx. Craig ... View more

Is there an equivalent of a reverse transaction search command that would look backwards in time for events when a certain event occurs? For example, adding a Cisco switch port to a particular vlan looks like: interface fa0/1 switchport access vlan 100 We can't tell what port that command was accessed on unless we can capture the last X events from that user on that host. Is that possible? Thanks. Craig ... View more

We have events that look like this: edit 4 set srcintf "port1" set dstintf "port2" set srcaddr "0.0.0.0" "127.0.0.0" "169.254.0.0" "172.16.0.0" "192.0.2.0" "192.168.0.0" "255.255.255.255" set dstaddr "ANY" set schedule "always" set service "ANY" set logtraffic enable set comments "Blocks inbound traffic from illegal networks" next edit 56 set srcintf "port1" set dstintf "port1" set srcaddr "0.0.0.0" "127.0.0.0" "169.254.0.0" "172.16.0.0" "192.0.2.0" "192.168.0.0" "255.255.255.255" set dstaddr "ANY" set schedule "always" set service "ANY" set logtraffic enable next edit 1 set srcintf "port1" set dstintf "port2" set srcaddr "ANY" set dstaddr "jnetwebcluster_VIP" set action accept set utm-status enable set comments "Permit inbound ICMP to JNET DMZ" set schedule "always" set service "Allowed-ICMP" set av-profile "strict" set ips-sensor "all_default_pass" set dlp-sensor "Credit-Card" set profile-protocol-options "strict" set logtraffic enable next I am trying to extract each individual rule as a separate event using rex. I've tried the following: rex field=_raw max_match=400 "(?msi)edit\s(?P<rule>.*next)" rex field=_raw max_match=400 "(?msi)edit\s(?P<rule>.*)next" rex field=_raw max_match=400 "(?msi)edit\s(?P<rule>.*)(?=next)" rex field=_raw max_match=400 "(?msi)edit\s(?P<rule>.*)\n\s+next" Each one of these extractions will put all of the individual rules into a single field. It won't terminate at the "next" line that ends each individual rule. What am I doing wrong here? Thx. ... View more

We need to upgrade several hundred Splunk forwarders to the latest release. After the upgrade, the first time I restart Splunk from a command-line, I'm prompted about the migration process. Is there any way to make Splunk automatically complete the upgrade without requiring user input? Thanks. Craig ... View more

I'm doing some field extractions for a sourcetype and Splunk is saying the field has already been extracted. I went to the Splunk manager and clicked on the Field Extractions link. The page loads, but it's blank. The following error message is displayed: In handler 'extractions': Admin handler 'extractions' not found. ... View more

I have a timechart that is based on count by score, where score is a whole number between 0 and 10. Every time I make a chart, the order shows up as: 0 1 10 2 3 ... I've tried sorting the results by score, but 10 never appears at the end of the results. I tried to use covert num(score) and sort the results but 10 is still showing up between 1 and 2 instead of at the end of the results. What am I doing wrong? Thx. ... View more