11-14-2016
06:21 AM
You need to specify both the beginning and ending characters if you're going to extract the values from _raw.
If you are looking at a specific field like 'AccountName' and you only want account names that end with $, then you can use wildcards in your search, like:
YourSearch AccountName=*$
11-11-2016
05:27 AM
You can extract the fields so that they show up in Interesting Fields, and use those fields directly in searches, but you cannot change how they display in the UI with config changes without using SEDCMD.
11-04-2016
08:19 AM
I should also mention that SEDCMD cannot be used post parsing, so you can't use automated Splunk sourcetypes that include extractions, and it is almost always required that the config is on the forwarder (not the indexer).
11-04-2016
08:10 AM
1 Karma
The current query you're using will work on events before this SEDCMD implementation but not after.
Good luck.
SEDCMD-modifySource = s/\"source\":/LogSource=/g s/\"tag\":/ContainerImage=/g s/\/(?=[^\/]+$)/,ContainerID=/1 s/\/(?=[^\/]+[^\/]+$)/,ContainerService=/1
SEDCMD is space delimited, so you'll actually find 4 replacement commands in the string.
11-04-2016
06:02 AM
The only way this would work is if the event timestamp can be shortened with SEDCMD thereby reducing the number of characters indexed, but it may be impossible to write such a SEDCMD. I have tested the SEDCMD to show that it can reduce license usage by replacing long strings with short ones.
Another option that might work, but I have not tested, is to use SEDCMD to remove the event timestamp entirely and use CURRENT as the timestamp. In this case, Splunk would use the current time as _time, but like I said I don't know how that would affect license usage.
11-04-2016
05:46 AM
I have created a SEDCMD string that when added to props.conf (and a restart) for the sourcetype will change all new indexed events:
"source to LogSource=
"tag to ContainerImage=
the second / from the end to ,ContainerService=
the first / from the end to ,ContainerID=
It works fine on all of the example data you've posted so far. Splunk automatically recognizes new field= names and sets the values accordingly.
However, the SEDCMD literally changes the event data before it is indexed and the change is permanent (no going back without re-indexing the events). Also, this will not affect any data that has already been indexed, so a separate search like those posted by @somesoni2 would be required for searching old data (or you could re-index the entire data set with the new config).
I can post the string, but I highly recommend that you create a test index, test sourcetype, and test input to test it before you implement it in production.
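To see what that SEDCMD does before it touches a production sourcetype, here is an added Python model (not code from the post or from Splunk) of a space-separated sed script, run against one constructed Docker-style event. It applies the four commands in order, which also shows that the ContainerService rule only works because the ContainerID rule has already consumed the last slash. The SEDCMD value is copied verbatim from the post above; EVENT and the helper function names are assumptions.

```python
import re

# The SEDCMD value from the answer above, copied verbatim (assumed to be the
# props.conf setting under discussion); the sample event below is constructed.
SEDCMD = (r's/\"source\":/LogSource=/g s/\"tag\":/ContainerImage=/g '
          r's/\/(?=[^\/]+$)/,ContainerID=/1 s/\/(?=[^\/]+[^\/]+$)/,ContainerService=/1')
EVENT = '{"source":"stdout","tag":"nginx/web/3f2a"}'   # constructed Docker-style event

def split_unescaped(text, sep="/"):
    """Split text on sep while honouring backslash escapes such as \\/."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):   # keep the escape pair intact
            cur += text[i:i + 2]
            i += 2
            continue
        if text[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += text[i]
        i += 1
    parts.append(cur)
    return parts

def parse_sedcmd(script):
    """Return [(pattern, replacement, flag)] for a space-separated sed script."""
    cmds = []
    for expr in script.split():
        parts = split_unescaped(expr)
        if parts[0] != "s" or len(parts) < 3:
            raise ValueError("only s/pattern/replacement/flag commands are modelled")
        flag = parts[3] if len(parts) > 3 and parts[3] else "1"   # bare s/// means first match
        cmds.append((parts[1], parts[2].replace(r"\/", "/"), flag))
    return cmds

def apply_sedcmd(script, event):
    """Apply each substitution in order; each later command sees the earlier result."""
    for pattern, repl, flag in parse_sedcmd(script):
        if flag == "g":
            event = re.sub(pattern, repl, event)
        else:
            nth, seen = int(flag), [0]
            def nth_only(m):                     # replace only the Nth match, like sed's N flag
                seen[0] += 1
                return repl if seen[0] == nth else m.group(0)
            event = re.sub(pattern, nth_only, event)
    return event
```

Running apply_sedcmd with the four commands in reverse order swaps which path segment becomes ContainerService and which becomes ContainerID, which is why the order in the string matters.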
11-03-2016
10:35 AM
I'm trying some things to restructure/pull this data out at index time.
11-01-2016
12:44 PM
I don't understand. Both of these events have %ASA in them. Also, is your intention to drop the events you don't want completely (not indexed) or keep the events but not extract the src_ip field?
11-01-2016
12:28 PM
It should be possible. Can you post some example events?
11-01-2016
06:24 AM
You can create an input to monitor the passwd file. It will allow you to track all changes to passwords and differentiate by host. It will not tell you exactly what the password is because it is encrypted, but if the input is included as part of the install then it will show you if the admin password was changed.
inputs.conf
[monitor://$SPLUNK_HOME\etc\passwd]
disabled = false
sourcetype = passwd
11-01-2016
06:02 AM
You need to verify your user has the correct role associated with it. Here is a list of roles:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Rolesandcapabilities
10-31-2016
09:25 AM
What method (delims or regex) are you using in the extractor, what are the settings (what does it look like in props/transforms), and what does the _raw data look like?
10-29-2016
01:27 PM
@somesoni2 how can this be adapted to happen behind the scenes? We've already figured out how to extract the fields in configs without a special search. How do you change the UI without a special search?
10-29-2016
06:31 AM
Can you post your current inputs, props, and transforms configs for this input?
10-27-2016
05:41 AM
Not a file, a folder. When you make changes in Splunk they are put in the app\local folder. If you don't have a search\app\local folder, then the index was not created specifically for the search app.
From the UI, select Settings>Indexes, you should see a list with your index included. Which App is listed for that index?
10-27-2016
05:10 AM
Did you look in Splunk\etc\apps\search\local ?
10-25-2016
01:14 PM
It can probably be done with powershell, but if it was me I would pull the "Domain Support Lever". Give them the forwarder installer, the command-line command to install it, and a list of systems, and ask them to install it (cc the enterprise admin).
You should construct the command-line install on a test system to ensure that it connects to the indexer(s) and the deployment server. Once you have all of them connected to the index and the deployment server then the real fun begins.
If you do not have active directory (group policy) support, then there is really no other option than to install each one manually because of the system variables.
10-25-2016
08:24 AM
Use Active Directory to preconfigure the targets and install the forwarders with the appropriate flags, and configure a deployment server to handle the post installation configuration for the different system types.
You will need to read this doc to configure it for your environment:
http://docs.splunk.com/Documentation/Forwarder/6.5.0/Forwarder/InstallaWindowsuniversalforwarderfromthecommandline
10-25-2016
08:14 AM
Windows or Linux?
10-24-2016
01:46 PM
Did this work? If not I can remove the answer so other folks will look at it.
10-24-2016
12:12 PM
I have input directories with 5 different index destinations based on the file name of the log file in the directory. To do this I use the Splunk file directory monitor UI and introduce wildcards in the source to differentiate different log names types.
Can you post the names of the log files in the directory and how you want to separate them to different indexes?
10-24-2016
06:07 AM
2 Karma
Are you aware of this Known Issue regarding the key in 6.4.4?
2014-07-29 SPL-87816 When implementing an indexer cluster or search head cluster, you cannot set pass4SymmKey in the general stanza. The system default values in the clustering and shclustering stanzas override any user-provided values in the general stanza.
Workaround: Set the value in the [clustering] or [shclustering] stanza, depending on the type of cluster you're implementing.
10-23-2016
02:46 PM
I would emphasize scalable and usable. One (1) person (not a software developer) with basic network, infrastructure, and hardware support from the facility can install Splunk indexers, search heads, and hundreds of forwarders in a relatively short amount of time. Splunk (paid) software is supported very well by Splunk Inc. Splunk (paid and free) software is supported very well by the Splunk community (Splunk Answers). Splunk is also very well documented with Admin manuals, config references, release notes, etc. If you can read, then you can learn Splunk. With Splunk and basic internal support, one person can be in a position to answer questions like “what happened, when, and who did it?” in an environment with multiple networks, dozens of servers, and hundreds of users. For scalability from small networks to very large enterprises it might take more than one person – depends on the person and the enterprise.
10-23-2016
02:00 PM
You can always say that Splunk is the 6th state of matter.
solid > liquid > gas > plasma > data > Splunk (reconstitutes data to solid intelligence)
10-22-2016
07:54 AM
2 Karma
Once the data is added to Splunk it is referred to as Indexed data. The Splunk indexes are stored in Splunk_Home\var\lib\splunk.
The log file you added remains unchanged on the local system.
If you have more than one Splunk server then you can replicate the indexes between them.
Hope that answers your question.