Hello all
I am trying to create a scheduled search to run every 15 minutes, scanning from -15m to now. This search uses regex to chop out fields from IIS logs e.g. uri, query string, http status code etc. I want to also include a subsearch against an index which has the same regexed fields stored in it as the main search though the index only stores data from 15m ago and older. My aim is to produce an alert if "new" errors occur, that is errors which occurred in the last 15 minutes but do not feature in the index - this is to provide quick feedback on new website code deployments etc.
I thought I understood what needed to be done, but it is not working, so if anyone can suggest what I have done wrong, I would very much appreciate it.
My search which includes the subsearch is:
earliest_time=-15m sourcetype="IISLogs" (host="xxxx-vmweb-p04" OR host="xxxx-vmweb-p05" OR host="xxxx-vmweb-p06" OR host="xxxx-vmweb-p07" OR host="xxxx-vmweb-p08") |
rex field=_raw "(?<year>\d{4})-(?<month>\d{1,2})-(?<date>\d{1,2}) (?<hours>\d{1,2}):(?<minutes>\d{1,2}):(?<seconds>\d{1,2}) (?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<request_method>\w{3,4}) (?<uri>\S*) (?<query_string>.*) (?<server_port>\d{2,5}) - (?<remote_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<user_agent>.*) (?<http_status_code>\d{3}) (?<http_sub_status_code>\d{1,3}) (?<time_taken>\d{1,10}) (?<num_bytes>\d{1,10})$" |
rex field=source "^\w{1}:.*W3SVC(?<site_id>\d{1,3}).*$" |
cluster field=uri t=0.99 countfield=numErrors |
sort -numErrors |
search [search index="CLIENT_AAA__deploy_arch" | table uri] |
table numErrors http_status_code site_id uri query_string
My index of historic errors is basically built from the same search as above but with a different timescale (-30m to -15m via schedule) and of course doesn't have the subsearch:
sourcetype="IISLogs" (host="xxxx-vmweb-p04" OR host="xxxx-vmweb-p05" OR host="xxxx-vmweb-p06" OR host="xxxx-vmweb-p07" OR host="xxxx-vmweb-p08") |
rex field=_raw "(?<year>\d{4})-(?<month>\d{1,2})-(?<date>\d{1,2}) (?<hours>\d{1,2}):(?<minutes>\d{1,2}):(?<seconds>\d{1,2}) (?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<request_method>\w{3,4}) (?<uri>\S*) (?<query_string>.*) (?<server_port>\d{2,5}) - (?<remote_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<user_agent>.*) (?<http_status_code>\d{3}) (?<http_sub_status_code>\d{1,3}) (?<time_taken>\d{1,10}) (?<num_bytes>\d{1,10})$" |
rex field=source "^\w{1}:.*W3SVC(?<site_id>\d{1,3}).*$" |
cluster field=uri t=0.99 countfield=numErrors |
sort -numErrors |
table numErrors http_status_code site_id uri query_string
I am unsure if I have the subsearch in the right place and also whether I need to somehow specify the fields to compare from the search and subsearch.
I have a reasonable amount of experience with Splunk searches but have never used a subsearch before (as you can probably tell!).
All suggestions very much appreciated.
Thanks
Neil
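As an added example (not part of Neil's post and not Splunk's own code), the comparison the post describes, worked through in Python so it can be run offline: the post's rex is rewritten in Python's `(?P<name>...)` group syntax, a per-URI count stands in for `cluster field=uri countfield=numErrors`, and the "new errors" are the URIs seen in the recent window but absent from the baseline. The log lines are constructed samples, and the status >= 400 threshold is an assumption, since the posted search counts every URI rather than only error responses.

```python
import re
from collections import Counter

# The post's rex for one IIS W3C line, in Python group syntax. Field order is
# the one the rex implies: date time s-ip cs-method cs-uri-stem cs-uri-query
# s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus time-taken sc-bytes
IIS_LINE = re.compile(
    r"^(?P<year>\d{4})-(?P<month>\d{1,2})-(?P<date>\d{1,2}) "
    r"(?P<hours>\d{1,2}):(?P<minutes>\d{1,2}):(?P<seconds>\d{1,2}) "
    r"(?P<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) "
    r"(?P<request_method>\w{3,4}) (?P<uri>\S*) (?P<query_string>.*) "
    r"(?P<server_port>\d{2,5}) - "
    r"(?P<remote_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) "
    r"(?P<user_agent>.*) (?P<http_status_code>\d{3}) "
    r"(?P<http_sub_status_code>\d{1,3}) (?P<time_taken>\d{1,10}) "
    r"(?P<num_bytes>\d{1,10})$"
)

# Constructed sample lines: the baseline window (older than 15 minutes) ...
BASELINE_LINES = [
    "2014-03-10 09:40:12 10.0.0.4 GET /api/orders id=7 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 500 0 120 512",
    "2014-03-10 09:41:30 10.0.0.5 GET /images/logo.png - 443 - 192.0.2.11 Mozilla/5.0 200 0 5 2048",
]

# ... and the recent window (last 15 minutes), including one unparseable line.
RECENT_LINES = [
    "2014-03-10 10:01:02 10.0.0.4 GET /api/orders id=8 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 500 0 130 512",
    "2014-03-10 10:02:15 10.0.0.6 POST /checkout/pay - 443 - 192.0.2.12 Mozilla/5.0 500 0 300 128",
    "2014-03-10 10:03:44 10.0.0.6 POST /checkout/pay - 443 - 192.0.2.13 curl/7.35.0 502 3 90 64",
    "2014-03-10 10:04:01 10.0.0.7 GET /about - 80 - 192.0.2.14 Mozilla/5.0 404 0 10 256",
    "2014-03-10 10:05:09 10.0.0.7 GET /index.html - 80 - 192.0.2.15 Mozilla/5.0 200 0 12 4096",
    "#Software: Microsoft Internet Information Services 7.5",
]


def parse_iis_line(line):
    """Return the named fields of one IIS log line, or None if the line does not match."""
    m = IIS_LINE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["http_status_code"] = int(fields["http_status_code"])
    return fields


def error_counts(lines, min_status=400):
    """Count error responses per URI, the role of cluster field=uri countfield=numErrors.

    Only responses with status >= min_status are counted (an assumption: the posted
    search counts every URI, not only errors). Lines that do not parse are skipped.
    """
    counts = Counter()
    for line in lines:
        fields = parse_iis_line(line)
        if fields is not None and fields["http_status_code"] >= min_status:
            counts[fields["uri"]] += 1
    return counts


def new_errors(recent_lines, baseline_lines):
    """URIs that erred in the recent window but never in the baseline.

    Returns (uri, recent_count) pairs sorted by count descending, matching the
    sort -numErrors in the post. This is the set difference recent minus baseline,
    which is what the alert needs to express.
    """
    recent = error_counts(recent_lines)
    known = set(error_counts(baseline_lines))
    return sorted(
        ((uri, n) for uri, n in recent.items() if uri not in known),
        key=lambda item: -item[1],
    )


if __name__ == "__main__":
    for uri, n in new_errors(RECENT_LINES, BASELINE_LINES):
        print(f"NEW ERROR  numErrors={n}  uri={uri}")
```

The point the example makes about the search itself is the direction of the comparison: a subsearch that returns the baseline URIs selects the recent events whose uri matches one of them, so a plain `search [ ... | table uri ]` keeps the already-known errors; selecting the unknown ones is the negation of that list, written with `NOT` in front of the subsearch.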