Here's a handy macro I just created base on this answer. I used the multiplier for miles instead of km. Define as haversine(4), takes args lat1,lon1,lat2,lon2 and creates a "miles" field. eval rlat1 = pi()*$lat1$/180, rlat2=pi()*$lat2$/180, rlat = pi()*($lat2$-$lat1$)/180, rlon = pi()*($lon2$-$lon1$)/180 | eval a = sin(rlat/2) * sin(rlat/2) + cos(rlat1) * cos(rlat2) * sin(rlon/2) * sin(rlon/2) | eval c = 2 * atan2(sqrt(a), sqrt(1-a)) | eval miles = 3963 * c Here it is included in the use case that brought me here. sourcetype=oktaim2:log | streamstats global=f window=2 current=t earliest(client.geographicalContext.geolocation.lon) AS lon1 latest(client.geographicalContext.geolocation.lon) AS lon2 earliest(client.geographicalContext.geolocation.lat) AS lat1 latest(client.geographicalContext.geolocation.lat) AS lat2 earliest(client.geographicalContext.city) AS src_city latest(client.geographicalContext.city) AS dest_city earliest(client.geographicalContext.state) AS src_state latest(client.geographicalContext.state) AS dest_state earliest(_time) AS departed_time latest(_time) AS arrived_time BY user | where lat1!=lat2 AND lon1!=lon2 | `haversine(lat1,lon1,lat2,lon2)` | eval hours=(arrived_time-departed_time)/60/60 | eval avg_mph=miles/hours | where avg_mph>500 AND miles>100 | eval src_locale=src_city . ", " . src_state, dest_locale=dest_city . ", " . dest_state | table _time lat1 lon1 lat2 lon2 src_locale dest_locale miles hours avg_mph user | sort _time desc ... View more

We ran into this as well. It looks like Splunk 7 has stricter interpretation of the character class construct, so [\S-\S] means "non-whitespace to non-whitespace" instead of "non-whitespace dash non-whitespace." Ultimately this makes the behavior more predictable. ... View more

This worked for me after changing the beginning of the rex to "\w+\s+" , using this against dnmasq-dhcp syslog from Tomato firmware. ... View more

The Slack user owning the webhook may need elevated privileges in Slack (not Splunk.) Setting the account to 'admin' in Slack seems to work, but I would look into whether some kind of lesser permissions will also work. ... View more

Thanks for answering! This is my fallback approach, but I would prefer to deploy a pristine Splunk_TA_windows and a seperate app as needed for each distinct configuration of it. ... View more

Thanks. FWIW, this was ultimately rendered moot by running the TA on each UF, connecting to localhost go get the data. ... View more

If you have your sourcetype as access_combined_wcookie or access_common, Splunk automatically extracts that URI segment as a field called "root". ... View more

Ran across this issue with a saved search that was shared in the app and a macro that was private. Making the macro shared in the app fixed the issue of not being able to save the modified search with the macro in it. Check the permissions of the knowledge objects used in your search. ... View more

Having the same issue with the same app, but it appears that the modular input fails to run if there is any file (even a dotfile) in the boot directory. So... 1) Why do deployment server / deployment client fail to deliver an empty directory? 2) Why does SPLUNK4JMX fail to work with a seemingly innocuous file in bin/lib/boot/ ? ... View more

> Splunk recommends that you don't run as root. I'm looking for a citation in the online docs, but not finding any specific recommendation. A recommendation from Splunk would be helpful in forming or justifying our own policy. All I have found so far is Run Splunk Enterprise as a different or non-root user ... View more

A little searching led me to look at literals.conf, but I don't see that config item. ... View more

Again, you have 8 vCPUs allocated. How many sockets and cores are available to satisfy that? Have you tried lowering the number of vCPUs and measuring response times? ... View more

If this is close to the man page for your syslogd, it may not have support for logging to an alternate port: http://linux.die.net/man/8/syslogd I can recommend rsyslog as a very flexible alternative. ... View more

Are you running the S.o.S. app? http://apps.splunk.com/app/748 Is RHEL setup according to VMware timekeeping guidelines? See their caveat about use of the divider=10 kernel param: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006427 Does the jobs inspector show any long-running searches? I see in your 'top' output you have a splunkd with 1358M of memory and a lot of cpu time under its belt. ... View more

Are you relatively low on disk space? See the first item here: We have increased the default amount of required available disk space for indexing and searching Prior to version 6.0, the default amount of free space Splunk needed to index and search was 2 gigabytes. When you upgrade, Splunk raises this default requirement to 5 gigabytes. Before you upgrade, make sure you have enough free space on the volume(s) that contain Splunk indexes and search dispatch directories to ensure uninterrupted index and search operation ... View more

Is your VMware infrastructure up to par? How many real sockets and cores do you have available? Are your VMware tools installed, up to date, and running? Are there any interesting events or alerts on the VMware side? ... View more

My guess would be that anything that creates a sane .csv is fine, including vi. I'm not in a position to test that, so not posting this as an actual answer. 🙂 ... View more

Looking at the monitor stanza versus regex, I would also do this: [monitor://e:\syslog\ASA\ASA_Syslog_*] ... whitelist = (|2009|20[1-9][0-9])-(0[1-9]|1[012])-([123]0|[012][1-9]|31). ... View more