I have an instance where another group of people want to receive an exact copy of data that is indexed on my main Splunk server. I've modified the outputs.conf on my server and the second server receives the data and indexes accordingly. I've come across a problem, though. My splunk environment is production, with a large number of sources being indexed on my server. The second server, though, has the tendency of being rebooted, services stopped, etc. This wreaks havoc in my production environment - when my server cannot forward it shuts down its listening ports, which causes all my forwarders to shut off their listening ports, and so on and so on. Is there a way that I can tell my production system that if system #2 is down and forwarding is stopped to continue listening and indexing data? Thanks! ... View more

In many of our web proxy logs we see the equal sign (=) included in many URLs. I'm searching for certain patterns that include the equal sign - for instance, abc=321%f=1. I've tried searches like: index=proxy uri=*abc\=321\%f\=1 index=proxy "uri=*abc\=321\%f\=1" index=proxy | regex _raw=.*abc\=321\%f\=1.* all come back without any results. I know the IP address of a client and server that has this pattern in it's URI. So when I run the search against those IPs I get the event that shows the URI I'm looking for. Is there a special way to format searches to look for the equal sign? Thanks ... View more

Hi, I have three indexes that I'm trying to build a transaction from. the first two indexes each have a field named User_Name, which makes the transaction statement pretty easy. This creates the base transaction I'm looking for. The first index also has a field called ip. What I want to do is use this field to retrieve the events from the third index into the first transaction (unfortunately the User_Name field does not exist in the third index). I've tried so many different searches, all never result in a transaction containing all the pertinent records. Any thoughts on how to create this type of transaction? Thanks!! ... View more

I'm trying to come up with a search that would help me find emails that share the same subject line but the IP address of the sender varies from message to message (as if a bot network sends a SPAM campaign). So far I'm able to get the base information via this search: index=smtp | transaction qid keepevicted=true | table subject,ip I'm not sure if there's a way in Splunk to evaluate the common "subject" against the different IP addresses, with the results just showing the common subjects that have different IP addresses. Or should I look to export this table to a CSV then write another script that would parse the CSV? Any thoughts or input would be great! Thanks!! ... View more

Trying to configure SplunkLightForwarder with SSL for both encryption and mutual authentication, but no connection is made. On the receiver the connection is failing with the error message: ERROR TcpInputProc - Error encountered for connection from host=10.2.3.4, ip=10.2.3.4. error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned On the sender side: sslCertPath=$SPLUNK_HOME/etc/auth/cert/sender.pem sslPassword=password sslRootCAPath=$SPLUNK_HOME/etc/auth/cert/root.crt sslVerifyServerCert=true sslCommonNameToCheck=receiver.example.com On the receiver side: [splunktcp-ssl://12345] disabled = false [SSL] serverCert=$SPLUNK_HOME/etc/auth/cert/reciever.pem password=password RootCA=$SPLUNK_HOME/etc/auth/cert/root.crt dhfile=$SPLUNK_HOME/etc/auth/cert/dhparams.pem requireClientCert=true Thoughts anyone??? ... View more

I'm writing a search that performs a simple eval: eval changed = case (NOT address="-",address,NOT city="-",city,NOT state="-",state) One thing I want to do is add some text value to the returned value of the case, based on which boolean worked. For instance, if the address <> "-" I want to return "Address changed to", followed by the value of the field "address", to the new field named "changed". Is there a way to get the case statement to return that sort of result? ... View more