How to detect trending or spike for given timespan. So we column of users and activities column. How do we detect a sudden spike or abnormal? I can't use top because top would not detect such abnormal. For example, teacher normal activities are teaching math, history. So if I do top it will show activities are teaching math and history. But let's say a bunch of teacher start showing interest in Computer class which did not happen before then we need to show such activities. But the computer subject will be short period interest where next week it might no longer be true. Monday events: teacher 1 - teacher 100 Math teacher 3 - teacher 200 History Tuesday events: teacher 1 - teacher 100 Math teacher 3 - teacher 200 History teacher 4 - 6 . Physic -- No need to show since this is small set teacher 5 - teacher 30 Computer -- need to show this in splunk query Wednesday teacher 1 - teacher 100 Math teacher 3 - teacher 200 History splunk columns: Name, Event ... View more

Can I have indexer smart enough to go to dedicate index base on data value Here is my data "2013-12-02 20:30:30","[email protected]", . . . "2013-12-02 20:30:30","[email protected]", blah blah "2013-12-02 20:30:30","[email protected]", blah blah "2013-12-02 20:30:30","[email protected]", foo bar "2013-12-02 20:30:30","[email protected]", . . . Right now the data is feed over tcp port to main index. Then from there I setup multiple summary index that if email (second column) equal [email protected] then it goes to index=a_a1 and if [email protected] then goes to [email protected] and [email protected] goes to index=c_c etc I was wondering is there anyway I could setup at indexing where it could goes straight to designate index rather have to main index then use summary to go to designate index? ... View more

I have issue with index field which contain comma. Below is my csv input "28650096","2013-12-02 20:30:30","blocked","porn\, sexual content","[email protected]","1.1.2.3" "28650093","2013-12-02 20:30:30","allow","search site","[email protected]","2.2.2.4" "28650092","2013-12-02 20:30:30","blocked","gambling","[email protected]","3.3.3.2" my props.conf [temp-audit] FIELD_DELIMITER = , INDEXED_EXTRACTIONS = csv KV_MODE = none NO_BINARY_CHECK = 1 REPORT-audit = temp-audit-csv SHOULD_LINEMERGE = false pulldown_type = 1 my transforms.conf [temp-audit-csv] DELIMS=", " FIELDS=id,timeStamp,Type,Reason,email,SourceIP When add data using A file or directory of files it can see three events without problem. But after done adding data when in search when I do "search *" it only return 2 events it seem the first one didn't make it to the search. Please help thanks ... View more

Hello I have csv which look like this [email protected],10.20.10.223,12/2/2013 20:39,www.google.com [email protected],10.20.10.223,12/2/2013 20:39,www.yahoo.com [email protected],10.20.10.223,12/2/2013 20:39,www.msn.com [email protected],12.12.3.444,12/2/2013 20:39,www.ask.com [email protected],14.15.3.344,12/2/2013 20:39,www.facebook.com [email protected],12.14.3.444,12/2/2013 20:39,www.tweeter.com [email protected],12.22.33.444,12/2/2013 20:39,www.splunk.com Where as the first column is username, ipaddress, time and url user visit. I already successfully modified props.conf and transform.conf to map csv fields. In splunk i have user account setup for [email protected], [email protected] and [email protected]. Is there a way when user a logged in he can only search information which only relevant to him so is with [email protected] and [email protected]. In another word when user [email protected] logged in when he type * or any search term or command so in background it will automatically prepend and run [email protected] | search * ... View more