You need to specify both the beginning and ending characters if you're going to extract the values from _raw. If you are looking at a specific field like 'AccountName' and you only want account names that end with $, then you can use wildcards in your search, like: YourSearch AccountName=*$ ... View more

You can extract the fields so that they show up in Interesting Fields, and use those fields directly in searches, but you cannot change how they display in the UI with config changes without using SEDCMD. ... View more

I should also mention that SEDCMD cannot be used post parsing, so you can't use automated Splunk sourcetypes that include extractions, and it is almost always required that the config is on the forwarder (not the indexer). ... View more

The current query you're using will work on events before this SEDCMD implementation but not after. Good luck. SEDCMD-modifySource = s/\"source\":/LogSource=/g s/\"tag\":/ContainerImage=/g s/\/(?=[^\/]+$)/,ContainerID=/1 s/\/(?=[^\/]+[^\/]+$)/,ContainerService=/1 SEDCMD is space delimited, so you'll actually find 4 replacement commands in the string. ... View more

The only way this would work is if the event timestamp can be shortened with SEDCMD thereby reducing the number of characters indexed, but it may be impossible to write such a SEDCMD. I have tested the SEDCMD to show that it can reduce license usage by replacing long strings with short ones. Another option that might work, but I have not tested, is to use SEDCMD to remove the event timestamp entirely and use CURRENT as the timestamp. In this case, Splunk would use the current time as _time, but like I said I don't know how that would affect license usage. ... View more

I have created a SEDCMD string that when added to props.conf (and a restart) for the sourcetype will change all new indexed events: "source to LogSource= "tag to ContainerImage= the second / from the end to ,ContainerService= the first / from the end to ,ContainerID= It works fine on all of the example data you've posted so far. Splunk automatically recognizes new field= names and sets the values accordingly. However, the SEDCMD literally changes the event data before it is indexed and the change is permanent (no going back without re-indexing the events). Also, this will not affect any data that has already been indexed, so a separate search like those posted by @somesoni2 would be required for searching old data (or you could re-index the entire data set with the new config). I can post the string, but I highly recommend that you create a test index, test sourcetype, and test input to test it before you implement it in production. ... View more

I'm trying some things to restructure/pull this data out at index time. ... View more

I don't understand. both of these events have %ASA in them. Also, is your intention to drop the events you don't want completely (not indexed) or keep the events but not extract the src_ip field? ... View more

It should be possible. Can you post some example events? ... View more

You can create an input to monitor the passwd file. It will allow you to track all changes to passwords and differentiate by host. It will not tell you exactly what the password is because it is encrypted, but if the input is included as part of the install then it will show you if the admin password was changed. inputs.conf [monitor://$SPUNK_HOME\etc\passwd] disabled = false sourcetype = passwd ... View more

You need to verify your user has the correct role associated with it. Here is a list of roles: http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Rolesandcapabilities ... View more

What method (delims or regex) are you using in the extractor, what are the settings (what does it look like in props/transforms), and what does the _raw data look like? ... View more

@somesoni2 how can this be adapted to happen behind the scenes? We've already figured out how to extract the fields in configs without a special search. How do you change the UI without a special search? ... View more

Can you post your current inputs, props, and transforms configs for this input? ... View more

Not a file, a folder. When you make changes in Splunk they are put in the app\local folder. If you don't have a search\app\local folder, then the index was not created specifically for the search app. From the UI, select Settings>Indexes, you should see a list with your index included. Which App is listed for that index? ... View more

Did you look in Splunk\etc\apps\search\local ? ... View more

It can probably be done with powershell, but if it was me I would pull the "Domain Support Lever". Give them the forwarder installer, and the commandline command to install it, list of systems, and ask them to install it (cc the enterprise admin). You should construct the commandline install on a test system to ensure that it connects to the indexer(s) and the deployment server. Once you have all of them connected to the index and the deployment server then the real fun begins. If you do not have active directory (group policy) support, then there is really no other option than to install each one manually because of the system variables. ... View more

Use Active Directory to preconfigure the targets and install the forwarders with the appropriate flags, and configure a deployment server to handle the post installation configuration for the different system types. You will need to read this doc to configure it for your environment: http://docs.splunk.com/Documentation/Forwarder/6.5.0/Forwarder/InstallaWindowsuniversalforwarderfromthecommandline ... View more

Windows or Linux? ... View more

Did this work? If not I can remove the answer so other folks will look at it. ... View more