We have the exact same problem. Interesting to know if anyone has a solution. sourcetype=pan_log finds lots of logs containing the regex ,TRAFFIC, as per transforms.conf ... View more

Note that earliest latest also exist which have the meanings that you seem to be looking for from first and last. ... View more

This seems tied to the eventtype=bcoat_request in the BlueCoat - Datacube and BlueCoat - Datacube - Summary Index saved searches. By editing the saved search and replacing eventtype=bcoat_request in both searches with the expansion from macros.conf, i.e. sourcetype=bcoat_cacheflow OR (sourcetype=bcoat_proxysg filter_result!="DENIED") the application works. Editing default/savedsearches.conf directly didn't seem to force this, even with a restart. Adding a local/savedsearches.conf with the correct stanzas (which I achieved through editing the saved search in Manager) does have the desired effect. local/savedsearches.conf now contains [BlueCoat - DataCube] action.email.inline = 1 alert.digest_mode = True alert.suppress = 0 alert.track = 0 search = sourcetype=bcoat_cacheflow OR (sourcetype=bcoat_proxysg filter_result!="DENIED") | bin _time span=5m | makemv delim=";" allowempty=t category | fillnull src_ip cs_bytes category dest_host rs_bytes sc_bytes sc_status sr_bytes | eval client_bytes=sc_bytes+cs_bytes | eval server_bytes=rs_bytes+sr_bytes | eval savings_bytes=client_bytes-server_bytes | eval savings_bytes=if(server_bytes==0,0,savings_bytes) | eval savings_perc = (1/client_bytes) * savings_bytes * 100 | stats count by host src_ip sourcetype category dest_host server_bytes client_bytes savings_bytes savings_perc _time [BlueCoat - DataCube - Summary Index] action.email.inline = 1 alert.digest_mode = True alert.suppress = 0 alert.track = 0 search = sourcetype=bcoat_cacheflow OR (sourcetype=bcoat_proxysg filter_result!="DENIED") | bin _time span=5m | makemv delim=";" allowempty=t category | fillnull src_ip cs_bytes category dest_host rs_bytes sc_bytes sc_status sr_bytes | eval client_bytes=sc_bytes+cs_bytes | eval server_bytes=rs_bytes+sr_bytes | eval savings_bytes=client_bytes-server_bytes | eval savings_bytes=if(server_bytes==0,0,savings_bytes) | eval savings_perc = (1/client_bytes) * savings_bytes * 100 | sistats count by host src_ip sourcetype category dest_host server_bytes client_bytes savings_bytes savings_perc _time I have no idea why the use of the eventtype foxes the distributed search - this could be a bug in Splunk. ... View more

This is most likely an artifact of domain name resolution rather than anything to do with Splunk. Asking for the IP address of host.com may well give you different values at different times, for instance if there is more than one A record associated with the domain. What specific problems does this cause you - perhaps if we know why you need the DNS lookup to remain consistent, your problem can be solved in a different way. ... View more

Ah, it should be LOOKUP-weblogic_access = calling_app s_account AS user OUTPUTNEW calling_app ... View more

With a little more digging, it seems that the lookup does work with the lookup command (one of the users that appears most in the logs isn't actually in the lookup table and so changes that improved the lookup appeared to have no effect until I dedupped the users). However, it doesn't work with the automated lookup switched on: Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'weblogic_access' and lookup table 'testlookup' props.conf looks like: [weblogic_access] REPORT-weblogic_access = access-extractions LOOKUP-weblogic_access = calling_app user AS s_account OUTPUTNEW calling_app Actual CSV looks like S_ACCOUNT,CALLING_APP 1234,userX 2345,userY And we want to add a new field called calling_app based on the user field from weblogic_access, mapped to the s_account column in the lookup table (i.e. if user is 1234, calling_app should be userX) ... View more

Read access is provided for everyone, and the permissions are now set to Global, but still without success. I've renamed the lookup csv file to be the same as the transforms stanza, and inputlookup still works, but not piping the search results to lookup ... View more

the table lives in apps/$appname/lookups, the definition is in apps/$appname/transforms.conf, and the problem occurs when searching using the $appname app. No automated lookup as yet, but that would be in apps/$appname/props.conf ... View more

Have you looked at DELIMS rather than REGEX? http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Configuring_delimiter-based_field_extraction Not sure how that would cope with the LOG at the start of the line, but I imagine you could always strip it off before DELIMS. ... View more

That is confusing behaviour! Thanks for the explanation! ... View more