Is it possible to be able to calculate the total length of time that this host has had a CRITICAL status for if it? In the screenshot, it has had a CRITICAL status for approx 3 hours 43 minutes indicated. Below query for one host index=ad source=dfs host=nas01n | eval host = lower(host) | table _time, host, "Folder Name", "Group Name", State | fillnull value="Folder Not Enabled" "Folder Name" | fillnull value="No Group Name" "Group Name" ... View more

My colleague has setup a Windows Printer App following the below link http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowsprinterinformation However, I am not too sure where the print events are being pulled from as after checking the Event Viewer (Windows > PrintService) some logs are empty or do not contain any printing logs so I am at a loss in understanding where they are pulled from. Does anyone know on a more low level detail how Splunk forwards these events? ... View more

I want to compare the mailbox size from today to last week but my search is very slow and I am not sure how best to make it more efficient index=msexchange source=exchangemailboxinventory samAccountName=testuser1 | eval mailboxSize = totalItemSize+totalDeletedItemSize | eval MB = round(mailboxSize/1024) | eval mailboxGB = round(MB/1024,2) | eval archiveMailboxSize = archiveTotalItemSize+archiveTotalDeletedItemSize | eval archiveMB = round(archiveMailboxSize/1024) | eval archiveMailboxGB = round(archiveMB/1024,2) | table samAccountName, totalItemSize, totalDeletedItemSize, mailboxGB, archiveTotalItemSize, archiveTotalDeletedItemSize, archiveMailboxGB | dedup samAccountName | join type=left samAccountName [ search index=msexchange source=exchangemailboxinventory samAccountName=testuser1 latest=-1week | eval mailboxSizeNew = totalItemSize+totalDeletedItemSize | eval MBnew = round(mailboxSizeNew/1024) | eval mailboxGBOld = round(MBnew/1024,2) | table samAccountName, mailboxGBOld | dedup samAccountName] | eval mailboxGrowth = (mailboxGB - mailboxGBOld) , growth= (mailboxGrowth/mailboxGBOld)*100 | table samAccountName, totalItemSize, totalDeletedItemSize, mailboxGB,mailboxGBOld, mailboxGrowth, growth | sort -mailboxGB ... View more

I have the below search that shows the total mailboxSize in GB and I would like to compare this with a week ago to determine the size growth as a raw number in GB and the percentage growth/decrease. index=msexchange source=otl_exchangemailboxinventory samAccountName=*testuser1* | eval mailboxSize = totalItemSize+totalDeletedItemSize | eval MB = round(mailboxSize/1024) | eval mailboxGB = round(MB/1024,2) | table samAccountName, totalItemSize, totalDeletedItemSize, mailboxGB | dedup samAccountName | sort -mailboxGB ... View more

Search is trying to show all users within the companyOu that have Mobile Iron setup (Status=Allowed) and those that do not (Mobile Iron not setup) The below search is only showing one user listed but some users have more than one DeviceId configured. I can't work out why all DeviceId's are not showing for a user. index=ad source=aduserscan | table samAccountName, companyOu, displayName | search samAccountName=*_cp companyOu=dacp.com | rename samAccountName as MailboxId | join type=left MailboxId [ search index=msexchange source=otl_mobileiron MailboxId=*_cp | dedup DeviceId | search Retired="false" ] | rename companyOu as Company, MailboxId as "User ID", DeviceFriendlyName as Model, displayName as "Display Name", SyncStatus as Status | fillnull value="Mobile Iron not setup" Status | table Company, "User ID", "Display Name", "Status" DeviceId | sort Company asc ... View more

I have created and deployed a new app for DFS Replication called "NAS_DFS" which consists of pulling a csv file from each server D:\data\splunk\dfs_replication\dfs_replication.csv This app contains 163 clients in the server class (in the right screenshot) but when searching only 18 hosts are returning (left screenshot). I'm not sure why only 18 hosts are showing. inputs.conf [monitor://D:\data\splunk\dfs_replication\dfs_replication.csv] index=ad interval=60 source=otl_dfs sourcetype=csv disabled=0 crcSalt=<SOURCE> app.conf [install] state = enabled ... View more

Data is forwarded to Splunk every couple of days meaning that the _time stamp relates to the day it was sent to Splunk. The actual date of the event is listed in the logs as e.g Date="2018-03-29 11:48". How can I make the time picker search the date of the event (Date) rather than the date (_time) the data was ingested by Splunk? index=summary report=jiracsatresults Key="**" Assignee="**" Classification="**" | dedup Key | eval dateEpoch = strptime(Date, "%Y-%m-%d %H:%M") | eval today = now() | eval daysAgo = round(((today - dateEpoch)/60/60/24), 0) | search daysAgo <= 7 | table Key, Summary, Reporter, Assignee, Classification, "CSAT Rate", "CSAT Rating Comment", Date The only way I get the results for a specific Date e.g for a week is using daysAgo <= 7 ... View more