Support just brought this page to my attention... greetings from late 2014, we come in peace. There is now an official and supported OPSEC LEA solution for Linux: https://apps.splunk.com/app/1454 and Solaris: https://apps.splunk.com/app/1453 The semicolon delimiter thing is not in there, but you can toggle no-resolve. http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/ConfiguretheLEAclient for instructions. ... View more

Could you please elaborate little bit more ? ... View more

Does double colon apply to splunk 6? ... View more

The above search will work for small instances or low volume scenarios. If you need a quick way to get the hosts and sources information separately: | metadata type=hosts OR | metadata type=sources For information over the last 24 hours: | metadata type=hosts | eval diff=now()-recentTime | where diff < 86400 | convert ctime(*Time) OR | metadata type=sources | eval diff=now()-recentTime | where diff < 86400 | convert ctime(*Time) If you need to find information for a different time range, modify the 86400 value to your desired time (in seconds). Also, the first two above searches will give you a very fast and complete summary of all hosts and sources. ... View more

The full description of relative time range modifiers is here: http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch#Specify_relative_time_ranges_in_your_search ... View more

That works to get the current average for the timeframe, but I need to compare it to the most recent day's count to know if I need to generate an alert. So if I take the average of the last 8 days (earliest=-8d@d latest=-2d@d) I need to compare that average to the DC from earliest=-1d@d so that I can determine the diff from normal. ... View more

If regex in these whitelists are anything like the regexp in stanza names, there was a bug in the docs. . means dot, * means anything but slash (meaning filenames only) and ... (three dots) means anything, your usual regex .* ... View more