Hello, I configured the Splunk AWS App. After some trial and error I am able to get the Cloud-trail logs and also the Billing info to show up. However the instance usage, the ebs volume and the ebs snapshot sections are empty. Is there any additional configuration that's needed on the app to get these sections to show up? I am also wondering if there is a way to specify a particular billing CSV file to load from the billing S3 bucket. Any help on these questions would be greatly appreciated. Thank you. ... View more

I have a logfile whose events are not being broken up in Splunk. Here are the two separate events that are being shown together in Splunk console. 16:45:12,772 INFO> intro_response.pl:549 main:: - Batch AAAIE120809004119P03 successfully transferred to staging server. 16:45:12,774 INFO> intro_response.pl:568 main:: - account=act,program=932,admin=opsprg12,pgmssn=932-574,wfstate='BATCH_PUBLISHED',subject=Math,grade=11,error_code='',msg='Batch published to ePEN',batchnum=AAAIE120809004119P03,batch_count=5 Here's the configuration I have in props.conf for this logfile - TIME_FORMAT = %H:%i:%s SHOULD_LINEMERGE = false BREAK_ONLY_BEFORE = \d+:\d+:\d+\,\d+ MAX_EVENTS = 2000 This configuration was working fine earlier but it stopped working for some reason this week. Any help on this would be greatly appreciated. ... View more

Hello, We have a set of log events consisting of user activity by a number of different users in an application. We are trying to construct a search that will returns only those usernames that have been active in the logs (that is log events with that username present) for more that 4 hours but did not take a break of at least 15 minutes (i.e. no activity in the logs for at least 15 minutes). I tried using the transaction command like the one shown below but it does not appear to be working. Any advise on how to accomplish this would be greatly appreciated. sourcetype=app_sourcetype | transaction username maxspan>240m maxpause<15m Thanks in advance. ... View more

Hello, I am planning to upgrade one of our Splunk indexers from version 4.1.0 to 4.2. I remember reading that some licensing improvements have been incorporated into 4.2. I am just wondering if this means requesting a new "4.2" license from support or does the 4.1 version of license work with 4.2? Thanks in advance. ... View more

Hello All, I am trying to import some of my Checkpoint firewall logs into Splunk. I tried to setup a sample input to index the text format of these logs, but am running into issues with the header and timestamp extraction - Here's a sample (pruned down) semi-colon separated input from the logs - num;date;time;orig;type 0;22Mar2011;0:55:11;0.0.0.0;control 1;21Mar2011;7:09:41;0.0.0.1;log Here are the entries in my props.conf to extract the timestamp and the header info for these logs - TIME_PREFIX = ^\d+; TIME_FORMAT = %DD%MMM%YYYY;%H:%M:%S SHOULD_LINEMERGE = false TZ=GMT CHECK_FOR_HEADER = true However, it looks like Splunk is only recognizing the time and the timezone configuration but it is setting the date to the current day (Apr 5th) and is also not extracting any of the headers for the events. Any help in figuring out where I am going wrong would be greatly appreciated. Thank you. ... View more

I would like to know if there's any way to change the default value of the "Results per page" option from 10 to a different number in the search results window? I have a search that can potentially return more than 50 events/results in a table format (50 being the max value for the Results per page option). I am running this search as a saved search and scheduling it to email a pdf attachment of the results. I noticed that in the current setup I am only seeing 10 results in the pdf attachment and the rest of the results are not accessible. I would like to know how to get around this issue. ... View more

Hello, I ran the fill_summary_index.py script to backfill the data for one of my summary indexed saved searches. However I realized that I gave the wrong time frame as the argument and killed the fill_summary_index.py process while it was still running. Now I am trying to start a new fill_summary_index.py process with the correct timeframe but I keep getting the following error - "An instance of fill_summary_index is already running for app=search" I stopped and started all my splunk processes but I am continuing to get this error even after a complete restart of the Splunk processes on the system. Could you please let me know how I can resolve this issue? Thanks in advance for any assistance. ... View more