All - I need someone to bring me sanity with a regex I am trying to write. Essentially I want to capture everything after "username=" up to either "&" or "\s" Two sample events: Ex. 1 username=test%40bmcm%2ecom&version=5%2e4%2e0 Ex. 2 username=test%40bmcm%2ecom next_field Right now my regex looks like this: username=(?P[^&|^s]+) Though I can get it to break on spaces, the regex will not break on "&". Can someone tell me where I'm going wrong, I'm sure it's embarrassingly simple! Thanks! ... View more

Hi all - I have a dataset that tracks server access. Every time a server makes a request an event is generated. A very simple example: 01/01/01 00:00:00 server_id=server_1 01/01/01 00:00:00 server_id=server_2 01/04/01 00:00:01 server_id=server_1 01/04/01 00:00:00 server_id=server_2 In this case server_id=1 AND server_id=2 first and last logons were exactly on 3 months apart, therefore the average age of server_id = 3 months. This is calculated by taking the first time an instance is seen and last time an instance is seen. My problem is, some servers are seen daily, others days apart, etc. Essentially these servers represent customers and I want to track the average age of all servers over time (to measure wether customer (server) lifespan is increasing or decreasing). I initially thought this would be simple using first and last times: | eventstats last(_time) as first_time, first(_time) as last_time by server_id | eval lifespan_days=(last_time-first_time)/86400 | timechart avg(lifespan_days) Now I am doubting, given the results, the logic behind the query. My thinking is, when the search is set to "all time", the eventstats function will always look for the most recent "last" time of an event, versus the relative last time of the event (the day the event was generated). Can anyone confirm this thinking or better still; offer any advice on crafting a query? -dave ... View more

Hi all, I have some data like so Day | Count 1 | 200 2 | 200 3 | 300 4 | 100 5 | 200 ... | ... I can graph a timechart in normal way: SEARCH | timechart span=1d count However, I now want a bar graph with a rolling count for 3 days e.g 1 + 2 + 3 | 700 2 + 3 + 4 | 600 3 + 4 + 5 | 600 Is there any built in Splunk commands that can do this? How can I go about building a search for this use-case? Thanks! ... View more

I have 3 indexers (A, B, C) A and B are in one zone, C in another zone. From my forwarders I want to load balance data to indexers A + B (50% data to A / 50% to B). I also want to send 100% of my data to indexer C. Essentially creating 2 copies of my data (1 split between A+B, 1 on C) My outputs.conf currently accounts for A+B use case (below), how would I add in C to the stanza? [tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server=A:9997,B:9997 ... View more

Hi - I am re-architecting our Splunk environment. I have mounted various volumes to each of my indexers (3 total) for hot, warm and cold buckets. To do this I have set volumes in an indexes.conf file I will deploy via Deployment Server to the 3 indexers. /deployment-apps/myapp/default/indexes.conf [volume:hot_warm] path = /splunk_data/hot_warm #DISK SIZE = 2.9TB maxVolumeDataSizeMB = 2800000 [volume:cold] #DISK SIZE = 8.8TB path = /splunk_data/cold maxVolumeDataSizeMB = 8700000 My question is, will this config set volumes globally for all indexes on the indexer? That is, if another app has an index=x, will that index write hot data to the path; "/splunk_data/hot_warm", for example? ... View more

I have an existing Splunk Forwarder currently forwarding data to an indexer. I have a new deployment server I want to connect Splunk Forwarder to as deployment client. Should I need to know anything before pointing Splunk Forwarder at deployment server? I cannot find any warnings in the docs. Will this interrupt current forwarding rules (and apps) currently installed on Forwarder? ... View more