Hi, we’ve had a problem recently where data has stopped flowing to an index, and it’s a few days before we find out and then resolve. Does anyone know of a splunk 9.x feature or an add-on that you can use to monitor / alert when data stops for a set amount of time? ... View more

i've followed the documentation and also some examples on here but for some reason I cant seem to get these to extract here is an example of the log xxx localhost 9997 8003 test test endRequest 2266 2022-11-17T08:08:06.617 2022-11-17T08:08:06.640 23 0 - OK - - DESC EXTENDED VIEW test_data_imp DESC - Denodo-Scheduler JDBC 127.0.0.1 - - the props are as follows [denodo-vdp-queries] SHOULD_LINEMERGE=true LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true REPORT-denodo-vdp-queries-fields = REPORT-denodo-vdp-queries-fields the transforms are as follows [REPORT-denodo-vdp-queries-fields] DELIMS = "\t" FIELDS = "server_name","host","port","id","database","username","notification_type","sessionID","start_time","end_time","duration","waiting_time","num_rows","state","completed","cache","query","request_type","elements","user_agent","access_interface","client_ip","transaction_id","web_service_name"   i've pushed the app to the forwarders that sending in the data and its in the right sourcetype, i've also pushed the app across the SH cluster, however none of the fields are extracted, am i missing a step?   ... View more

Hello, we are seeing some strange results when trying to map RAS connections to our organisation.. The search i am running "index=cisco_collect_std sourcetype=cisco:asa "New Connection Established" |iplocation Remote_IP" shows that we have several connections from India, Ukraine, Egypt but when we check the IP address it is actually based in the UK. an example of the data this search is working on is here. Nov 21 10:58:52 10.174.128.11 Nov 21 2019 10:58:52 CR2PDMZASA02 : %ASA-5-750006: Local:10.xxx.xxx.21:4500 Remote:84.68.89.156:65100 Username:xxxxxx IKEv2 SA UP. Reason: New Connection Established and the regex for Remote_IP is pulling out 84.68.89.156 We have updated the mmdb and also when we interogate the database using iplocation it returns the correct location. any advice what could be going on here would be great ... View more

ive created a table with monitoring in for our daily checks However I still need to do an eval to get the Total Duration in Minutes for each service which is (“Test File End” – Test_Start) In the example below I’ve shown in yellow my attempt to eval this field. It actually works when the fields I am using are not included in the join subsearch. However when I join on the subsearch field the field returns blank It has been suggested to do this without a join but as its in a seperate index the data comes back blank for the file start and end fields. index=test| bucket _time span=1d as Day | stats earliest(_time) as TEST_Start latest(_time) as TEST_End by Day | eval TEST_Start=strftime(TEST_Start,"%H:%M:%S") | eval TEST_End=strftime(TEST_End,"%H:%M:%S") | eval Day=strftime(Day,"%d/%m/%Y") | join Day [search index=test2 State=START Service="Testing" | bucket _time span=1d as Day | stats values(FileTime) as "TEST File Start" by Day | eval Day=strftime(Day,"%d/%m/%Y")] | join Day [search index=test2 State=END Service="Testing" | bucket _time span=1d as Day | stats values(FileTime) as "Test File End" by Day | eval Day=strftime(Day,"%d/%m/%Y")] | eval st = strptime(Test_Start,"%H:%M:%S") | eval et = strptime("Test File End","%H:%M:%S") | eval diff = et - st | eval "TEST_Total" = tostring(diff, "duration") | fields Day Test_Start Test_End "Test File Start" "Test File End" "TEST_Total" ... View more