I downvoted this post because this is very dated information, and no longer valid and may result in a seriously broken environment. please do not set settings this high without consultation. ... View more

Can you share a sanitized sample of the raw data? Either include it here within as a code element, or via pastebin (or similar). ... View more

Hi, The LINE_BREAKER regex requires a capture group to tell Splunk what to discard. Have you tried this as your regular expression? [sourcetype] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) Regards ... View more

Any particular reason you need to this with a calculated field versus a field extraction? If you're open to the field extraction, then jedatt01's solution can be leveraged under Settings -> Field Extractions. You can set it as inline, which will end up being an EXTRACT in props.conf. ... View more

Hi bkumarm, As of Stream 6.4.2, you'll need the following layout... splunk_app_stream : deployed to a single search head, this is your primary configuration point for Stream, as well as viewing the dashboards. Splunk_TA_stream: needs to be deployed to any splunk instance that will perform searching, parsing, or local data capturing. In your scenario, this means the search head, forwarders and indexers. On the search head and indexers, if you do NOT want to have local capture, then make sure the copy they get have disabled=1 in their inputs.conf. On the systems actually performing data capture (the forwarders), if they are Linux, you'll have one additional step, which is to allow the streamfwd process the ability to perform network capture. The docs list that out here: http://docs.splunk.com/Documentation/StreamApp/6.4.2/DeployStreamApp/InstallSplunkAppforStream#Step_3:_Ensure_Proper_Permissions One last thing, out of the box, the TA understands certain network interface naming conventions. If you're on Linux, that defaults to eth# and en#. If you happen to use a different naming convention, you'll need to make a copy of Splunk_TA_stream/default/streamfwd.xml into Splunk_TA_stream/local/streamfwd.xml and make it look similar to this (assuming your interface is of the form enp#s#): <CmConfig xmlns="http://purl.org/cloudmeter/config" version="6.4.2"> <Port>8889</Port> <UIDirectory>../ui</UIDirectory> <DataDirectory>../data</DataDirectory> <LogConfig>streamfwdlog.conf</LogConfig> <Capture> <InterfaceRegex>enp[0-9]s[0-9]</InterfaceRegex> </Capture> </CmConfig> For Windows, you'll want to specify the network alias, such as "Local Area Network", or whatever your naming convention happens to be. You'll need to restart the splunk instance after making any of these changes. Hope that helps, -js ... View more

You've got it right, that's basically what the inputs.conf is saying. As for keeping configurations separate, the latest version of the Stream app has a feature called Distributed Forwarder Management (DFM) that let's you define groups, and associate Streams with these groups. You can then place UFs into the Forwarder groups and control Stream configurations that way as well. You can find out more about DFM here: http://docs.splunk.com/Documentation/StreamApp/6.3.2/DeployStreamApp/DistributedForwarderManagement ... View more

By default only Stream internal information goes to _internal. The real event data (by default) goes to the main/default index. You can also configure on a per Stream basis and destination index if you like. And finally, if you want to set a global destination, you can modify Splunk_TA_stream/local/inputs.conf and add an "index = foo" attribute. -jsie ... View more

Hi giy4, This is currently not supported. Regards ... View more

Updated... 🙂 ... View more

I was using the License Usage report here: http://yoursplunkserver:8000/en-US/manager/search/licenseusage You can access via Settings -> System -> Licensing. And then the green Usage Report button. ... View more

This will depend on what you've actually configured in terms of enabled Streams, enabled fields, etc. Have you tried looking at the License Usage Report? The "Previous 30 days" tab plus "Split By Source/Source type" may offer the insight you need. ... View more

When you say "interested" how do you want the data expressed? As a single field containing the full path? ... View more

How fast is the part of the query prior to the lookup and how many events actually make it past the NOT statement? ... View more

How many events are being processed/passed to the lookup? Perhaps there's optimization that can be done there. Can you share your actual search query? ... View more

Considering there are many "o=" in your log sample, you need to at least tell us the rule for identifying the "winner." Is it the very first o=? Is it any o= that's not a .com value? Or do you want one exacted value for o=cyH and one for o=a.com which essentially is asking for a dedup'ed MV (or a set of o= values)? ... View more

See if Ayn's answer here works for you: http://answers.splunk.com/answers/100969/how-to-format-timechart-time-values-easily ... View more

Have you tried it to see if it works? Are you running into an issue? ... View more

Do you mean… - given an fqdn, lookup it's ip address(es) - convert those to lat/lon - plot on a map? ... View more

In Python, you could use triple quotes to surround the string instead of the single quotes like so: search_query = """sourcetype=csv| search 48,2 | rex field=_raw "(d+,){0}(?<tableid>d+)" | rex field=_raw "(d+,){101}(?<table_value>d+)" | stats list(TableID) as Table, list(Table_value) as Value""" ... View more

Can you provide a raw example of the event? Are you intending to handle the "57" in the above string as the seconds? Or "57.7667"? ... View more

You're welcome, Im glad it worked. ... View more

Hi there, I'm assuming you're referring to the Maxmind app located here http://apps.splunk.com/app/291/. As it is currently written, it specifically requires a GeoIP City type of database. Using a GeoIP Country type would require some modification of the custom search command implementation. If you're okay using the City type, then you need to replace the Lite version at $SPLUNK_HOME/etc/apps/MAXMIND/bin/GeoLiteCity.dat with the commercial one. Be sure to maintain the same name "GeoLiteCity.dat" as it's coded within the python script. Alternatively, you could modify the python script $SPLUNK_HOME/etc/apps/MAXMIND/bin/geoip.py and replace the file name with your commercial one. Change: DB_PATH=('GeoLiteCity.dat') To: DB_PATH=('YOURFILENAME.dat') Regards and good luck. ... View more