did you downgrade to version 3.x? or you are still using version 4.x? Part of the functionality we want was enabled after 4.0, but if they told you to go back to three it is not an option for us. ... View more

I'm experiencing the exact same behavior, did you find a solution to this? ... View more

we have the same problem did you find a solution? ... View more

same issue here ... View more

yes I did, load the data and run the query ... View more

|rex field=_raw "MilliSeconds:\s(?<myvalue>\d+)\s"|table myvalue ... View more

Ok assuming the following dataset: 05/28/2015 1:00PM User=A Usage=10 Status=Start 05/28/2015 2:00PM User=A Usage=15 Status=In progress 05/28/2015 3:00PM User=A Usage=25 Status=In progress 05/28/2015 4:00PM User=A Usage=30 Status=Stop 05/28/2015 2:00PM User=B Usage=15 Status=Start 05/28/2015 3:00PM User=B Usage=20 Status=In Progress 05/28/2015 4:00PM User=B Usage=25 Status=Stop try the following query: source="sample.log" sourcetype="sample" |stats sum(Usage) as Usage1 by _time |streamstats max(Usage1) as Usage2 current=f |eval TotalUsage=Usage1-coalesce(Usage2,0) ... View more

can you provide 1 sample event? ... View more

Try This: use "range" <single> <search> <query>index = main mysearchcriteria|stats count by host | rangemap field=count low=0-10 high=50-96 default=severe</query> <earliest>-24h</earliest> </search> <option name="field">host</option> <option name="classField">range</option> </single> ... View more

yes, you can enable the index and forward option but this will work to forward to another splunk indexer because the data has been already cooked. The alternative is to use props and transfrorms to change the routing to use syslog to avoid additional splunk headers. ... View more

Alternative would be to use regular expression: index="test" regex referrer="^http://www.example.com/these-files/*" | rex field=referrer "(?.+)\?" stats count by url | sort -count ... View more

have you try faup app: https://splunkbase.splunk.com/app/1545/ this my help you handling urls ... View more

This is a tricky one, the authorize.conf is where the roles are defined, so what we do is create an application called auth_dev and we include in the default folder two files: authorize.conf authentication.conf in authorize.conf we define the role: [role_somethingnew] srchIndexesAllowed = mynewindex srchIndexesDefault = mynewindex srchMaxTime = 0 in authentication.conf we define the map for ldap group: [roleMap_MYCOMPANY-LDAP-DEV] somethingnew = SOME_AD_GROUP Then we push this app from the deployer. The thing you need to consider is local authentication.conf on each SH should contain the LDAP strategy definition, and because the password is hashed we cant update this file form the deployer, but once we set it up the first time, we dont need to modify it anymore: so in your etc/system/local/authentication.conf for all your search heads you will have something like: [authentication] authSettings = MYCOMPANY-LDAP-DEV authType = LDAP [MYCOMPANY-LDAP-DEV] SSLEnabled = 1 anonymous_referrals = 1 bindDN = cn=somuser,ou=people,dc=mycompanydomain,dc=com bindDNpassword = ****$1$H#shedPasword=**** charset = utf8 groupBaseDN = ou=groups,dc=mycompanydomain,dc=com groupBaseFilter = (cn=SOME_AD*) groupMappingAttribute = dn groupMemberAttribute = member groupNameAttribute = cn host = ldap.mycompany.com nestedGroups = 1 network_timeout = 20 port = 636 realNameAttribute = displayname sizelimit = 1000 timelimit = 15 userBaseDN = ou=people,dc=mycompany,dc=com userNameAttribute = cn emailAttribute = mail bindDN password will be different on each SH. next time you need to add another role just modify the auth_dev app and that is it ... View more

The easiest way would be to change the external script to include the header, but if this is not an option we need to fix the lookup to force "host" header, this is what I would do: |inputlookup puppet_results.csv | transpose|transpose|eval host='row 1'| fields - "row 1",column | outputlookup puppet_resultswithheader.csv that would fix the column name as host and use the first value you had before as a value not as a header. then you can run your query: index=_internal | dedup host | inputlookup append=t puppet_resultswithheader.csv | stats count by host | where count < 2 ... View more

index=blah HOST1 OR HOST2 pam_unix session opened |rex field=_raw "\d+\sPM\s(?\w+)" |rex field=_raw "for\suser\s(?\w+)" |transaction startswith=HOST1 endswith=HOST2 maxevents=2 keepevicted=true |where closed_txn==0 this will give you any user that opened a session in host2 but not in host1 ... View more

the index=win|head 2| was just for testing purposes but I get the idea right? ... View more

|transpose ... View more

if for example you have: First Kind of event,Some More field,Authentication,7,More,More Second Kind of event,Data,Data,Data,Data,Data,Data,LogOFF,7,More,More if you want to get the 7 (Authentication\,\d+|LogOFF\,\d) ... View more

Probably when you installed the UF on that server all options were checked durting the installation, so that UF is trying to collect information from Active Directory, Peformance monitor, Network etc. If you just want to enable windows event logs : System, Security and Application, you need to make sure the rest of the inputs are disabled go to apps/Splunk_TA_Windows/local/inputs.conf and make sure the additional ones are disabled=true ... View more