How do i combine these stats commands? 1) | stats count by user host creates table: user host count 2) | stats first(_time) AS latest by user host creates table: user host latest How do i combine to create a table user host latest count ... View more

How can i tell if any data has been deleted using the | delete command? how can i prove no data has been deleted? Can i see if there are any flags against the data on the idnexers? Does this command hide the data at Search Head leel or at the Indexer? Edit: To clarify - i understand this command does not actually delete the data. i want to know if any admin user has given themself the can_delete privelege and deleted(hidden) data using |delete. ... View more

I have had some data reporting in from event logs from approx 30-40 windows servers. There were some issues on some of the hosts over the past 3 months, which has led to some gaps in the data. (inputs.conf had "current_only = 1") I intend to try and back fill those gaps via evt/evtx files but initially i would at least just like to know where and what data ranges there are prolonged gaps, say of more than 15 minutes from each host. so to produce resuls like host from to server1 19/10/2012 13:45:27 29/10/2012 09:45:27 server1 11/11/2012 17:25:32 12/11/2012 08:35:29 server2 31/10/2012 11:25:32 02/11/2012 18:22:22 etc.... ... View more

is there anyyway to define at what point in time windows event logs will start being collected by Splunk UF? We have [WinEventLog:Application] current_only = 1 index= winapp The server had an issue and splunk UF was stopped for several hours. How can i get collect those events that were missed when splunk is re started? 'current_only' says "index from the point splunk is started"if i remove the "current_only" splunk will start indexing the entire multi year history of the event log. It has only been enabled for a few months and we do not want the old data. any ideas? If i export a .evt file containing only these events and index that, will the splunk see the data in the same format? will all my field extractions etc work? or will it be completely different format? i will still have to modify all saves searches and dashboards to ensure it will include the data which is a pain ... View more

i have search which produces results as follows UserID Action domain\aas1234 blah blah domain\aas1235 blah blah I have csv file like so ID FirstName SecondName aas1234 Joe Bloggs aas1235 Dave Smith I want to add the fristName and SecondName to the results by looking up based on the the Searcgh results. i can see documebntation how to do this in props&trandsforms.conf but how do i do this at search time in the search bar? im aiming for the follwing result: UserID Action FirstName SecondName domain\aas1234 blah blah Joe Bloggs domain\aas1235 blah blah ... View more

I have created a simple UI dashboard app, which has a simple form based search and is locked down so the user cannot drill down to results and therefore get open access to the search bar. However i would like them to be able to export the table of results to a CSV. Unfortunately the Actions menu only has Print and a greyed out PDF option as the PDF server is not configured. some answers post seem to suggest this is not pssible? can someone confirm? I am using Advanced XML, cann i not add in a exportCSV module somehow? Thanks ... View more

Sorry i am a noob to regex and splunk regex especially. Regex to extarct all that is between the two single quotes. there will never be a single quote in the name. EG extract the name Bloggs, Joe:IT two Message field examples: The user 'Bloggs, Joe:IT' logged in Mailbox of 'Smith, John:HR' was opened How can i: A) do this using REX B) do this in props.conf REX something like index =data | rex field=Message "\'(?P<name>)\'" and from a REx how do you change it to extarct in props.conf? Thanks in advance ... View more

This doesnt return anything when i know there are many events with the usernames in the message! this returns a list of the usernames correctly |inputlookup list.csv | fields UserLogonName i have an extracted field called Messsage that will have the username SOMEWHERE in the message index = blah Message=”|inputlookup list.csv | fields UserLogonName” Thsi doesnt work, no results retrned! PLease help! thanks! ... View more

Does not make it clear here: http://splunk-base.splunk.com/answers/141/can-splunk-index-windows-event-logevtevtx-files Does this absolutely have to be a windows forwarder? ... View more

(NOTE - I have read other similar posts and solutions have not helped) I have a created a dashboard with 2 text boxes for a search. The default value if nothing enetered is "*". This worked well until i needed to add a radio button to the search options and i was forced to convert to advanced XML. Now i have converted all works well if i leacve text boxes empty and the search uses the *, but if anything entered into text boxes i get the error below: PARSER: Applying intentions failed 'unicode' object has no attribute 'get' http://splunk-base.splunk.com/answers/3606/unicode-object-has-no-attribute-get#3665).: This one states to add the line <param name="value"></param> This does not fix issue. It also says to change the order round- this does nto seem to work either! my code: <module name="ExtendedFieldSearch"> <param name="replacementMap"> <param name="arg"> <param name="Group"/> </param> </param> <param name="field">Enter ’Group' name</param> <param name="intention"> <param name="name">stringreplace</param> <param name="arg"> <param name="Group"> <param name="default">*</param> <param name="fillOnEmpty">True</param> </param> </param> </param> <module name="ExtendedFieldSearch"> <param name="replacementMap"> <param name="arg"> <param name="UserAddedRemoved"/> </param> </param> <param name="field">Enter 'Username'</param> <param name="intention"> <param name="name">stringreplace</param> <param name="arg"> <param name="UserAddedRemoved"> <param name="default">*</param> <param name="fillOnEmpty">True</param> </param> </param> </param> let me know if you need more? Please do not just point me to another post as none of them clearly identify what needs changing ... View more

if you have a stack with say 200gb and you allocate PoolA - 80GB PoolB - 80GB If PoolB went over the limit by 20GB would it automatically juts use the extra GB available and not cause a Real license violation? OR if you allocated all of the stack: PoolA - 100GB PoolB - 100GB and Pool A only used 50GB and PoolB wused 120GB Would this also cause a violation or would it understanmd that in total you hadnt caused a violation.. I.e. are violations at a Stack level or Pool level? Obviously the goal here is to allocate pools some license but leave some shared head room to avoid lic violations.... Thanks ... View more