search (index=os sourcetype=cpu host=anyhost CPU="all") If I remove CPU=all in the search, I see the data. Please try: search (index=os sourcetype=cpu host=anyhost) | table CPU OR search (index=os sourcetype=cpu host=* CPU=*) ... View more

NetApp Data ONTAP is only supported on a Linux Search Head. http://docs.splunk.com/Documentation/NetApp/2.1.1/DeployNetapp/Platformandhardwarerequirements ... View more

There is a hidden dashboard that may help. /en-US/app/splunk_app_netapp/hydra_framework_status ... View more

Splunk's timechart command actually already does this by default until you tell it not to. Among the various arguments you can feed timechart with, there's span and bins . The default number for bins is 100, meaning timechart will always choose the timespan so that no more than 100 intervals will be used. You can change this as you see fit. ... View more

My bet is that your ip exists in the host field and not in the _raw text. [setnull] REGEX = 10\.3\.0\.1[12] SOURCE_KEY=MetaData:Host DEST_KEY = queue FORMAT = nullQueue ... View more

You need to do your own field extraction (instead of allowing Splunk to do it automatically because it will stop at the first whitespace unless the whole thing is enclosed in double-quotes), with rex command: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex ... View more

Thanks for that clarification. Based on your description I too find this odd. I would also recommend filing an issue on this for support to look into. ... View more

Are you looking for those values in specific fields, or just anywhere in the event? If you are looking for them just anywhere in the event, then I would suggest that you don't use regex at all. Simply do a search like this: sourcetype=WinEventLog:Security EventCode=540 NOT ("SYSTEM" OR "ANONYMOUS LOGON" OR "$") However, that may be a bit too loose. For example, the term "system" could occur else where in your event, and perhaps a clever hacker would attempt to hide logon attempts by using a "$" as part of their username,.... So perhaps it's would be better to be slightly more specific about what we want to filter out. So, this may be a better search: sourcetype=WinEventLog:Security "EventCode=540" NOT ("User=SYSTEM" OR "User=ANONYMOUS LOGON" OR USER="*$") (Notice the usage of quotes around the entire expressions--this make splunk look for those literal terms in the index, rather than doing a field matching, which should result in a faster search) I'm not sure about the USER="*$" part, that does give difference results than simply searching for "$", so you'll have to play around and see what results you really want. ... View more