I looked at the code again to make sure I wasn't speaking out of turn and it basically works like this: >>> import re >>> pattern='(\\\\|/|\s+|;|-)' >>> testdata='this-is-a-test.txt' >>> matches=re.split(pattern, testdata) >>> matches ['this', '-', 'is', '-', 'a', '-', 'test.txt'] >>> pattern='(\\\\)' >>> testdata='this-is-a-test.txt' >>> matches=re.split(pattern, testdata) >>> matches ['this-is-a-test.txt'] The delims value is just a splitter, not a filtering mechanism despite the bad variable naming I used in the script. I'll have to rename that later on... At any rate, modifying the delims to not include the hyphen should solve your issue. ... View more

That delims option tells the command how to split up stuff that gets put into the command. For example, if you have an input 'this-is-my-process.exe', the default value splits this into multiple words and compares your wordlist to each word: "this", "is", "my", and "process.exe". By changing the delims value, you can change this behavior so that "this-is-my-process.exe" is evaluated as a whole word. The command shouldnt be excluding anything based on the provided delims. I'll check the code later to validate 100%. ... View more

Most likely the issue you are running into is with the "delims" option. From the add on readme: Delims accepts a regex string, escaped splunk style, and defaults to (\\\\|/|\s+|;|-) So if you were to pass in a different delimiter to the command like: | fuzzy wordlist="list.exe" delims="(\\\\)" compare_field=process_name You may get better results. ... View more

That is not the purpose of this app - the goal of this app is to look at the cron schedules applied to scheduled searches and list out the upcoming iterations of those to look for future overlap. ... View more

Latest version 1.0.2 has been submitted to Splunkbase with this feature added. It was not added specifically as you requested it but it should meet your needs. Let me know if it does not! ... View more

Assuming the domain field is not multivalue, the output from the app will contain two main fields: fuzzyout_max_match_ratio fuzzyout_max_match_word The compare field is split up based on the provided value to option "delims" and each result is measured against the provided wordlist. Key things to keep in mind, particularly for multivalues: The command does not filter results from the input. If you have a multivalue field, it will measure all values in the field and only show you the highest match. The command does not produce a list of all matches in a multivalue field or modify your original compare field. This would probably be a nice feature to have so I'll fit it into the next release. Here are some examples to help highlight command usage. Example 1: Example 2: Hope this helps. ... View more

This app was primarily designed for passing in a wordlist like: "iexplore.exe,svchost.exe" and comparing that against events (say, process audit security logs) to find results that are <100 and greater than some number... highlighting processes like "svch0st.exe" or "scvhost.exe" - common malware hiding techniques. That said, it's probably not the most efficient for your use case but you could accomplish a comparison like this: your search | fields name,blacklist_name | makemv delim="," blacklist_name | mvexpand blacklist_name | fuzzy wordlist=name compare_field=blacklist_name With the update I tossed in the git repo, that should read the values out of your name column and compare it to the blacklist_name column. With the makemv/mvexpand combo, you can compare every entry and get a corresponding score to find similar entries. If you're looking for exact matches, then something like this might be better: your search | fields name,blacklist_name | makemv delim="," blacklist_name | mvexpand blacklist_name | where match(name,blacklist_name) I used the fields operator in those sample searches but that's not strictly required here. Hope that helps. ... View more

As of now, the requested functionality has been added/checked in to the git repo here: https://gitlab.com/johnfromthefuture/TA-fuzzy/. I have a few more things I'd like to test/look at and then I'll get it on Splunkbase. If you are running on-prem, you can clone out the git repo and see if that meets your requirements. ... View more

Couple possible alternatives that might work for you: index=iis (action="login" OR a_action="event_status") cs_username=* | eval start_time=if(action=="login",_time,null()), end_time=if(a_action=="event_status",_time,null()) | stats min(start_time) as start_time,max(end_time) as end_time by cs_username | eval diff=abs(end_time-start_time) Or: | multisearch [| search index=iis action=login cs_username=] [| search index=iis a_action=event_status cs_username=] | stats earliest(_time) as start_time,latest(_time) as end_time by cs_username | eval diff=abs(end_time-start_time) ... View more

Sure, you can convert it. I mostly just wanted to bring up the bug with the author. ... View more

Btw, if you were to dig into these metrics, you could infer other things... like which logs went through which heavy forwarder by looking at group=per_source_thruput series="your source" . The key is "infer" because your universal forwarders should load balance through your heavy forwarders and most logs will go through all of them. With the combination of the per source thruput and a rough timeframe though, you could take a good guess. ... View more

Had a need for this today. This search does the trick for me: index=_internal (host=myheavyforwarder1 OR host=myheavyforwarder2 OR host=myheavyforwarder3) sourcetype=splunkd "group=tcpin_connections" component=Metrics | timechart span=30m dc(hostname) by host From this, I can see the distinct count of hostnames flowing through each heavy forwarder... ... View more

Yep, this is true. But it will still require distributed search functionality to set up a different splunk server to be the search head. That part won't be possible on the Free license. ... View more

I don't think it's possible. The reality is that splunkweb is a minor process compared to splunkd. It's splunkd that actually handles everything. You'd likely have better luck looking into how you could proxy the web connection to give the appearance of separation. ... View more

Also, this: https://answers.splunk.com/answers/4279/timezone-and-timestamp-modification-at-search-report-time.html ... View more

Making sure I understand: Let's say you have a log indexed at 10:00 UTC. You want users in say, timezones UTC-1 and UTC+3, to use the same time specifier in their search of 10:00 and get the same results? Off hand, I'd say your best bet here is to have the users set their timezone context in Splunk to the same time zone. ... View more