I'm installing the VMware app to monitor a rather large environment (1000+ esxi hosts, 10+ vCenters) and I'm not having a lot of luck finding rules for scaling. I can only presume that a single search head/scheduler is not going to handle the load gracefully, but I'm not sure what the best practices are for using multiple SH's and how that affects the end user, whether the scheduler can handle the load, or if it can be broken into pieces, etc. ... View more

I've extracted a field called QR from a sourcetype, and it's working perfectly, but is returning numerical data, and I need specific words for a Enterprise Security dashboard to work. When I type the following eval command into the search bar it works perfectly, but when I place it in props.conf it doesn't execute correctly (new field is not created): sourcetype = MSAD:NT6:DNS | eval message_type = if(QR==0, "RESPONSE", "QUERY") I'm wondering if I'm running into an order of precedence issue, where my EVAL is kicking off before a QR field is even created. I have the following in my transforms and props files. transforms.conf [MSAD:NT6:DNS] [dns_qr_extraction] REGEX = (QR)\s+(\d) FORMAT = $1::$2 props.conf [MSAD:NT6:DNS] REPORT-dns_qr_extraction = dns_qr_extraction EVAL message_type = if(QR==0, "RESPONSE", QR==1, "QUERY", "UNKNOWN") ... View more

Most, but not all of the field extractions, lookups, and aliases created in the TA-DNSServer-NT6 app are viewable when looking through the Search and Reporting application, but not when searching through the Enterprise Security application. The TA-DNSServer-NT6 sharing is set to Global (everyone-read,admin-write) Unsure why only a handful of Lookups generated fields are viewable through ES, but everything is viewable through Search&Reporting. ... View more

I create an alternate identities csv file in *Nix by copying ./SA-IdentityManagement/lookups/identities.csv to ./SA-IdentityManagement/<company>_identities.csv, and then populate it with a few records. I go to settings-lookups-lookup table and ensure the permissions are app=global, everyone=read, admin=write Then settings-lookups-lookup definitions and create a new entry and set the same permissions as above Then in Enterprise Security; configuration-Identity Management and create a new Identity. This lookup is never merged with the existing identities.csv file despite having completely different record data. More telling is that from Identity Management when I click on the lookup://<filename> instead of opening a screen showing the records I get a broken URL link, and an error stating "An error occurred while reading the page template. Has anyone else encountered this issue? I'm presuming it's a permissions issue somewhere but I can't track it down. ... View more

I'm trying to match the dates on specific event logs with an inputlookup file. I've done this in the past and it has worked perfectly but for some reason, in this case the data is not coming back as expected and I'm hoping someone can shine a light on the issue. My inputlookup csv file is just one column with a list of county names in it. My query is looking through event logs to find a specific event, then parse the date down to a specific format and return that result next to the county name. The interesting field is db_name which corresponds exactly to the county name field. So my expected results are County DB Backup Albany Thursday, July, 10th, 2014 Broome Thursday, July, 10th, 2014 .... What is happening instead is I'm getting the above results but instead of db_name Albany being matched up to County Albany, the query has grabbed one database record and populated the entire list with it. | inputlookup counties.csv | join type=outer [search host=main_server EventCode=17055 | sort -_time | dedup db_name | eval "DB Backups"=strftime(_time, "%A, %b %d, %Y")] | table County "DB Backups" ... View more

I'm new to writing regular expressions and am having a difficult time building a field using extract fields. Unfortunately Splunk is unable to automagically create one for this circumstance. There are a series of events I'm trying to monitor, a sample of them follows: F:\mssql\backups\ulster\ F:\mssql\backups\washington\ F:\mssql\backups\broome\ F:\mssql\backups\cattaraugus\ F:\mssql\backups\dutchess\ I'd like isolate the county names (washington, broome, cattaraugus, dutchess) in the string and create field for them. ... View more