Both certifications can be achieved by attending virtual classes offered by Splunk Education and an online test for the Administrator Certification. The Architect certification requires a practical exam that you can also participate in remotely / virtually. Here is a link to the Administrator Certification classes and requirements: http://www.splunk.com/view/SP-CAAAJDH Architect Certification classes and requirements: http://www.splunk.com/view/SP-CAAAJER Note that the Knowledge Manager certification is a prerequisite to Administrator Certification: http://www.splunk.com/view/SP-CAAAJEN You do not need to "repeat" any of the classes in the certification paths once you've taken and passed them. For pricing and scheduling questions, you can contact education@splunk.com Hope this helps! ... View more

curses! lguinn beat me to the answer! 😛 ... View more

have you defined outputs.conf on the forwarder? ... View more

It might help to give the dc(msisdn) value a new fieldname in your search string. Try this: sourcetype=smart_gtp Completed | stats dc(msisdn) as msisdndc | rangemap field=msisdndc low=0-0 elevated=1-1 default=severe ... View more

If there's a field in your data that represents auth status (success, etc.), you can set up your search using the != operator. (not equal to) ... myAuthStatusField!=success Or, if you know what the value WOULD be for a failed login, it's better to be specific and use ... myAuthStatusField=failed (or denied, or whatever the value would potentially be) Then set your search schedule to run every 5 minutes for a time range of the last 5 minutes. Set your alert conditions to "if number of events is greater than 9". If you don't have that field defined and haven't extracted a new field before, you can read the full documentation here: http://docs.splunk.com/Documentation/Splunk/4.2.3/User/ExtractNewFields ... View more

There are a number of license-related CLI commands for use with 4.2.2 http://www.splunk.com/base/Documentation/latest/Admin/LicenserCLIcommands It seems you should be able to use splunk list license-messages for your case. Hope this helps! ... View more

I'm assuming you're doing this, but just to make sure... When you search against a summary index, the syntax should be: index="summary" search_name="savedSearchName" | stats count .... The search following the first pipe must match your populating search (minus 'si'). So, if your populating search is: ...| sistats count by fieldName your search against the index must be: ...| stats count by fieldName | more stuff... ... View more

or... for a simple table display, ... | table percentANR, percentENR, percentHNR The table command will output the columns in the order you specify. ... View more