Hi all, I have recently installed Splunk for Nagios and setup the livestatus things associated with it into my nag server. I have MK Livestatus running out of xinetd and can run: echo -e "GET services\nColumns: host_name description state" | netcat 111.111.111.111 6557 And successfully get data on my Nagios nodes. (running it from splunk indexer) However, when I open the Livestatus Dashboard page in the SFN app I get N/A everywhere... (except for the "service alerts") Also the "Nagios Linux Performance Graphs" only display any info in the first two sections. (Warnings and Crit Alerts, Top 10 Service Notifications) It's indexing my data fine, but, doesn't seems to be using the livestatus connections correctly. Any ideas? Help? Cheers, Aaron. ... View more

Hi all, Everyone in my organization has a unique username, which I have extracted from my search as "anumber". I want to construct an external lookup script to convert this "anumber" extraction into human names. All of these anumbers are convertible via an AD lookup, which I have scripted. This is basically what I want to achieve, in my fields I want to be able to see both anumber and humanname, for example: anumber = "a00001" humanname = "Michael Someone" I have written a python script which works as follows... ./a0convert.py a00001 Returns: Someone, Michael Now, two questions... 1) Is this script output okay, or does it need to be formatted differently...? 2) How do I now add this scripted lookup into splunk? (preferably with the GUI, what needs to be done under "Lookups") Thanks in advance for any help you can provide. Aaron. ... View more

Hi there, I have taken the following regex from here... http://splunk-base.splunk.com/answers/9736/revisiting-regex-to-extract-domain-name-from-an-fqdn/10407 And modified it to suit domains such as .com.au, leaving it like: (?<domainname>(?<ip>^[A-Fa-f\d\.:]+$)|(?<nodots>^[^\.]+$)|(?<fqdomain>(?:(?:[^\.]+\.)?(?<tld>((?:[^\.\s]{3})|(?:[^\.\s]{2}))(?:(?:\.[^\.\s][^\.\s])|(?:[^\.\s]+)))))$) Now, I have data formatted in csv style containing a url string... To extract the domain/ip string from the data, I use this regex: (?i)^(?:[^ ]* ){12}.+://(?P<domain>[^:|,|/]+)[/,]? What I wish to do is create a single regex that will create the domainname,nodata,fqdomain and tld fields from the data extracted using the second extraction of domain. Can someone please help me combine the two extractions to create a single? I'm not the best when it comes to splunk regex... Here is some sample data: Aug 28 13:05:26 111.111.1.1 28-08-2012; 13:04:48, 26, 111.111.111.11, username@hostname, 125679, 1, text/html, http://global.ebsco-content.com/interfacefiles/12.4.33.0.2/javascript/bundled/_layout2/master.js, default, Educational ... View more

Hi all, I am mainly asking this here as it's a little past my knowledge with Splunk. Basically, I'm after a way of combining the results from two field extractions into one. This is my scenario. I have an index="my_index" It contains log data entirely in the same format that dates back over 2 years, quite a lot of data around 1GB per day for the past 2 years. Now the data is basically just from our "firewalls" can contains a few "important" fields. The important stuff, per event. Datestamp, Username, url_host. I will explain these for you: Datestamp is obvious. Username is the user going through the firewall, this is captured via a custom field extraction. url_host is again a custom extraction, it nabs just the domain that was hit from the URL string. Now the difficult part, as you should (unless I am wrong) be aware, a field extraction needs to be linked to one of these: a source, a host or a source-type. I have an issue with this, my index has multiple hosts, multiple source types (every day) and the source-type was modified several times throughout the life of the data due to problems we were experiencing with other fields (not related to this). My problem is I want to run the following search: index="my_index" username="someuser" | stats count by url_host In other words, print me a list of all the sites (domains) this user connected to and the number of times they connected to each. However, since the data has no common host, source or source-type I can only get results for a single host, or single source, or single source-type... which is pretty useless to me. Is there anyway of overcoming this? First thoughts would be... Link a field extraction to an index? Or create a search that combines the counts per url_host from two different url_host based extractions...? Eg. final_url_host = count of url_host_01 + count of url_host_02??? Help me please my brain is hurting! lol Aaron. ... View more