This is what that data set look like.   Base query | fit DensityFunction 1/1/g1 show_density=true | bin 1/1/g1 bins=100 | stats count avg("ProbabilityDensity(1/1/g1)") as pd by 1/1/g1 | makecontinuous 1/1/g1 | sort 1/1/g1     For fit I have reset the value back to auto. dist=auto For apply I have dropped the -  for the lcl value boundary range.   | apply 1/1/g1 | rex field=BoundaryRanges "Infinity:(?<lcl>[^:]+)" | rex field=BoundaryRanges "(?<ucl>[^:]+):Infinity" | table _time 1/1/g1 lcl ucl   The chart looks good now. Thank you for the assistance.  It has been really helpful.   ... View more

The events contains ifHCInOctets counters for switch ports which I calculate the bandwidth. {"timestamp": "2021-05-01T00:40:02", "device": "switch1", "port_id": "1/0/g2", "port_alias": "LONDON1_Gi1_0_2", "port_type": "network", "ifHCInOctets": "386349938202882"} By specifying a specific switch port (port_id=1/0/g2), I am able to fit the time series to an algorithm but this approach is not scalable. index=main sourcetype=_json port device=switch1 port_alias=LONDON* port_id=1/0/g2 | streamstats window=1 global=f current=f last(ifHCInOctets) as last_in by port_id | eval in_change = last_in - ifHCInOctets | where in_change>=0 | eval inMbps=in_change*8/1000/1000 | eval c_time=strftime(_time,"%m/%d/%y %H:%M:%S") | timechart span=15m per_second(inMbps) by port_id | eval date_minutebin=strftime(_time, "%M") | eval date_hour=strftime(_time, "%H") | eval date_wday=strftime(_time, "%A") | fit DensityFunction 1/0/g2 by "date_minutebin,date_hour,date_wday" into switch1_1_0_g2 threshold=0.05 dist=norm I would like to fit multiple switch ports (port_id=1/0/g*) into each of their seperate models in one search. Then afterwards, I would like to apply multiple switch port models to their new respective time series data (using the same approach?). ... View more

Yes, I did. Thank you! 🙂 ... View more

Thanks Harshil. ... View more

Thanks a lot! ... View more

As someone already mentioned it's difficult to understand what that regex is supposed to be doing. My understanding from the example data and the "bluecoat_categories" stanza you posted is that it should be taking this block of log data: 2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com 173.222.148.19 None - - OBSERVED "Technology/Internet;Non-Viewable/Infrastructure" - 200 TCP_NC_MISS GET application/zip http liveupdate.symantecliveupdate.com 80 /sepc$20virus$20definitions$20win64$20$28x64$29$2012.1$20ru6_microdefsb.curdefs_symalllanguages_livetri.zip - zip "SEP/12.1.6318.6100, MID/{AE0696BC-BC71-CDA9-C292-88E224F7E9F3}, SID/59" 166.45.51.140 7735 447 - "Symantec Live Update" "Update Software" unavailable 27222a8161c3a978-0000000000bc77b0-0000000057981205 - - And pulling out this value: 2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com 173.222.148.19 None - - OBSERVED "Technology/Internet But what you're actually looking for is: Technology/Internet;Non-Viewable/Infrastructure The regex for extracting that is wrong here and in the link you posted. But it's probably supposed to be this...: (?:[^;]+) It is basically saying "Capture everything except a semicolon and then stop" which seems like it wouldn't work that well. So while I think the regex I just posted is the 'correct' regex, I don't think it's very good. Maybe try this: ^(?:[^ \n]* ){12}\"([^\"]*)\" Translated this means: Start at the beginning of the log line. Match everything except spaces and a newline 12 times (I'm assuming a single space is the only delimiter between these columns and doesn't occur in the fields leading up to it... can change it if necessary), at which point capture everything that occurs after a quotation mark before encountering a quotation mark. ... View more

Like Twinspop mentioned it's the hyphen but you don't have to move it, you can escape it with a backslash: [dvc_for_junos_fw] REGEX = \s+([.\-\w]+)\s+RT_FLOW FORMAT = dvc::$1 ... View more

Has anyone been able to get the above suggestions to work with proxySG 6.6.5.9? Most of the fields extract correctly but I have a few anomalies where the cs_host shows up in cs_uri_scheme and for that record fields are all off. In most cases the cs_host ends up being 443 when this happens. ... View more

Hi, sorry for taking so long to come back to you. I see you are using [host:123] , which I believe is supposed to be [host::123] . And the other stanzas, is your sourcetype sep12:behavior , and other settings are applied properly to this stanza? ... View more

Hi pjohnson, Try the following, REGEX = User\s+(?:Authentication\s+)?(authenticated|Successful|Failed): Or this for a more generic match REGEX = User\s+(?:Authentication\s)?(\w+): Note how you can use ?: to define a non-captured group in regex. Here's a link to regex101 if you would like to see what the regex is doing: https://regex101.com/r/bX8vH0/1 Hope this helps. ... View more

I have tried this workaround but it seems that it doesn't work all the time. I have 4 sourcetypes (for Sophos Endpoint logs) and I have created this configuration for all of them at the same files (local folder of Splunk_TA_sophos app). It seems that it works for the three of them and not for the forth. Any ideas why this is happens? Thanks! ... View more

Took me too long to type - so deleting my answer as you got it right here 🙂 ... View more

I've finally got round to re-test this. Thanks for the comment. I have updated the transforms and .csv file but the lookup is still not happening. The query completes but no loookups in the Manufacturers column. Transforms [splunk@lab local]$ more transforms.conf [ieee-mac-oui] filename = ieee-mac-oui.csv match_type = WILDCARD(Vendor_MAC) ieee-mac-oui.csv [splunk@lab lookups]$ head ieee-mac-oui.csv Vendor_MAC,Manufacturer 000000,XEROX CORPORATION 000001*,XEROX CORPORATION 000002*,XEROX CORPORATION 000003*,XEROX CORPORATION 000004*,XEROX CORPORATION 000005*,XEROX CORPORATION 000006*,XEROX CORPORATION 000007*,XEROX CORPORATION 000008*,XEROX CORPORATION Query The MAC address field is mac index=windhcp | lookup ieee-mac-oui Vendor_MAC as mac OUTPUT Manufacturer | table hostname, mac, src_ip, Manufacturer This query now works but some entries does not show the Manufacturer. Will need to double-check the ieee-mac-oui.csv. Thanks for all the help. I will mark this as answered. ... View more

So... each event is written once to App-Hourly.log and once to App-$weekday$.log ? I'd monitor all seven Day-of-Week files from the forwarder and have the app people disable the duplicate hourly log entirely. ... View more

Thank you. ... View more

Below configuration in props.conf will fetch domain name. [MSAD:NT6:DNS] EXTRACT-question1 = \] (?<questiontype>\w+)\s+(?<questionname>.*) EXTRACT-question2 = \] (?<questionname>[^\s]*)$ EVAL-domain = trim(replace(questionname, "(\([\d]+\))", "."),".") ... View more