Hi all, I have recently installed Splunk for Nagios and setup the livestatus things associated with it into my nag server. I have MK Livestatus running out of xinetd and can run: echo -e "GET services\nColumns: host_name description state" | netcat 111.111.111.111 6557 And successfully get data on my Nagios nodes. (running it from splunk indexer) However, when I open the Livestatus Dashboard page in the SFN app I get N/A everywhere... (except for the "service alerts") Also the "Nagios Linux Performance Graphs" only display any info in the first two sections. (Warnings and Crit Alerts, Top 10 Service Notifications) It's indexing my data fine, but, doesn't seems to be using the livestatus connections correctly. Any ideas? Help? Cheers, Aaron. ... View more

Hi all, Everyone in my organization has a unique username, which I have extracted from my search as "anumber". I want to construct an external lookup script to convert this "anumber" extraction into human names. All of these anumbers are convertible via an AD lookup, which I have scripted. This is basically what I want to achieve, in my fields I want to be able to see both anumber and humanname, for example: anumber = "a00001" humanname = "Michael Someone" I have written a python script which works as follows... ./a0convert.py a00001 Returns: Someone, Michael Now, two questions... 1) Is this script output okay, or does it need to be formatted differently...? 2) How do I now add this scripted lookup into splunk? (preferably with the GUI, what needs to be done under "Lookups") Thanks in advance for any help you can provide. Aaron. ... View more

Hi there, I have taken the following regex from here... http://splunk-base.splunk.com/answers/9736/revisiting-regex-to-extract-domain-name-from-an-fqdn/10407 And modified it to suit domains such as .com.au, leaving it like: (?<domainname>(?<ip>^[A-Fa-f\d\.:]+$)|(?<nodots>^[^\.]+$)|(?<fqdomain>(?:(?:[^\.]+\.)?(?<tld>((?:[^\.\s]{3})|(?:[^\.\s]{2}))(?:(?:\.[^\.\s][^\.\s])|(?:[^\.\s]+)))))$) Now, I have data formatted in csv style containing a url string... To extract the domain/ip string from the data, I use this regex: (?i)^(?:[^ ]* ){12}.+://(?P<domain>[^:|,|/]+)[/,]? What I wish to do is create a single regex that will create the domainname,nodata,fqdomain and tld fields from the data extracted using the second extraction of domain. Can someone please help me combine the two extractions to create a single? I'm not the best when it comes to splunk regex... Here is some sample data: Aug 28 13:05:26 111.111.1.1 28-08-2012; 13:04:48, 26, 111.111.111.11, username@hostname, 125679, 1, text/html, http://global.ebsco-content.com/interfacefiles/12.4.33.0.2/javascript/bundled/_layout2/master.js, default, Educational ... View more