I have a search time query | dbquery OEM "SELECT regexp_replace(d.target_name, '\..*', '') AS output, d.collection_timestamp, d.metric_column as Metric_Type, TO_NUMBER(d.value) as Metric FROM sysman.mgmt$metric_details d WHERE d.collection_timestamp >= SYSDATE - 1 and d.target_type = 'host' and (d.target_name in ('XXX','XXXX','XXXXX','XXX') or d.target_name like 'XXX-%' or d.target_name like 'XXXX%' or d.target_name like 'XXX%') and d.metric_column = 'cpuUtil' ORDER BY collection_timestamp" | search METRIC_TYPE="cpuUtil" I would like to leverage splunks dashboard and alerting features but I'm not sure I really need to import the entire table into a splunk index. Ideally I would like to be able to search, present and alert queried data for a time span and compare this to other datasets. My issue is the timestamp. The oracle 11g db is like 4/10/2013 4:16:48 PM %m/%m/%Y %H:%M:%S and is stored in our collection_timestamp column. I see how to fix the timestamp issue through a input stanza but I'm wondering if there is an search time method to convert the time stamp properly? Right now the collection_timestamp is converting to this 1365637246.000 Thanks! ... View more

Have the following defined in my inputs.conf [WinEventLog:Security] disabled=0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 Have the following defined in my props.conf [default] BREAK_ONLY_BEFORE_DATE = True Log File 01/18/2013 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=XXXX TaskCategory=Logoff OpCode=Info -----Line Break is Occurring Here ----- RecordNumber=1173295928 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: XXX Account Name: XXX Account Domain: XXX Logon ID: XXX Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. Should be only breaking on the date however from above, its breaking at the Record number. This is happening on only 2 of my DC's, Splunk from what I can see is configured the same way on all 5 of my DC's. Anyone have any ideas on what this could be?? Thanks! Michael ... View more

I have the http post workflow process configured in the splunk manager section but this process is a manual process to send fields via http post. Whats the best way to script this to automate this process? ... View more

I have a windows security event that I am trying to extract a custom field for failed logon events. The problem I have is there are two duplicate categories and the text I am after is in the second category: Ex: Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: PCVS Operator Account Domain: PCVSB681-2 Normally I would just put in rex "Account Name:(? .+)" to extract the content of this field but since there is two of them, is there a way to skip the first field and go directly to the second? Thanks! ... View more

Have a DC with a heavy forwarder, 3.4 communicating with two indexes (1 running 3.4 the other running 4.2). We are having an issue receiving data on the 4.2 index server. The 3.4 is configured via the gui, we are trying to configure input/output via conf files for the 4.2 index. 3.4 continues to receive data however the 4.2 has not received any data for this particular DC. 4.2 index server is currently receiving data from other sources App/Linux/Windows however we are unable to receive data for these DC's. TCP port is open and indexer is responding to ping from the DC, index is configured, windows firewall is off, service has been restarted after changes are made, conf files are loaded in C:\Program Files\Splunk\etc\system\local Output: [tcpout] defaultGroup = server2_431 disabled = false indexAndForward = 0 [tcpout:server2_431] autoLB = true server = server2.gov:431 sendCookedData = false Input: [default] host = DC1 Monitor Windows event logs Events: [WinEventLog:Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 evt_dc_name = evt_dns_name = [WinEventLog:Application] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 evt_dc_name = evt_dns_name = [WinEventLog:System] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 evt_dc_name = evt_dns_name = [tcp://9994] queueSize=50KB persistentQueueSize=100MB Where are we going wrong? Is it possible to send data from a 3.4 forwarder to a 4.2 indexer? Can we have multiple index sources for this forwarder? ... View more