Hi, I still don't understand the difference between $<field> and <fields>. Can you ELI5? ... View more

Ha, yep, I had to guess this myself. The custom search commands (or splunklib in general) docs could use some work. ... View more

Search time normalization of mac addresses. This will convert any mac format to XX:XX:XX:XX:XX:XX  One liner:   | rex mode=sed field=mac "s/[^0-9a-fA-F]//g s/(..)(..)(..)(..)(..)(..)/\1:\2:\3:\4:\5:\6/g y/abcdef/ABCDEF/"   Other versions:   | rex mode=sed field=mac "s/[^0-9a-fA-F]//g" | eval mac=upper(replace(mac, "(..)(..)(..)(..)(..)(..)", "\1:\2:\3:\4:\5:\6"))     | rex mode=sed field=mac "s/[^0-9a-fA-F]//g s/(..)(..)(..)(..)(..)(..)/\1:\2:\3:\4:\5:\6/g" | eval mac=upper(mac)   ... View more

Do you know if using use_old_eventlog_api caused any other issues or side effects? Any issues with field extractions? ... View more

This likely is tied to the size of your search head dispatch bundles. Try something like:   index=_internal sourcetype=splunkd metrics group=bundles_uploads status=success | stats max(replication_time_msec) AS rep_time BY host peer_name | sort -rep_time   and look for how long the bundles are taking to replicate. If it's consistently longer than 10 secs (10000msec) you likely have some large lookup files or others that are contributing. You can look at commands to blacklist replication or tame the size of your lookups. ... View more

I'm looking at this too. As of ES 6.4.1 this is still seemingly the case. Adding this immediately after the datamodel command in the correlation search extracts the weight field: | rex field=_raw "weight=\"?(?<wt>[^\s,\"]+)" | eval weight=coalesce(weight,wt)   ... View more

Dude, I've been ignoring this issue for years. You chased it down. Here- take my karma!! ... View more

I also had the same issue. I tried setting up timestamp configuration myself but i messed something. Later found that there was slight mistake in the Regex for TIME_PREFIX. I used your suggestion and now I am perfect. Thanks. Upvoted. ... View more

Yes, it is in the docs: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf enable_insecure_login = <boolean> * Whether or not the GET-based "/account/insecurelogin" REST endpoint is enabled. * Provides an alternate GET-based authentication mechanism. * If "true", the following url is available: http://localhost:8000/en-US/account/insecurelogin?loginType=splunk&username=noc&password=XXXXXXX * If "false", only the main /account/login endpoint is available * Default: false ... View more

DBX still has a default maxrows = 100,000. If you want to overcome that limitation and return 100,001 rows, use the parameter 'maxrows' like this: '| dbxquery maxrows=100001' ... View more

hmph... yeah- looks like it was revised as stated on 14 Nov, but modified again on 21 Nov to the prior state of listing SA-Hydra as an indexer component, according to the article history. Looks like the note on the Introspection workaround got added in Mar 2015. ... View more

Exclude the datamodel_summary directories from backup. If you restore an index, Splunk recreates the accelerated data model (that is what is stored in datamodel_summary ) automatically. ... View more

If you want to get this app working you need to update the 2 separate pieces of the faup.py file as listed above. The first is whether or not it is a Linux or Darwin system. The second is the logging folder. I update the faup.py on Linux to the code listed below and it works fine now. Except that the uri_resource_path will sometimes have uri_query information included. Not sure why that is just yet. faup.py- def where_is_faup(): # if platform.system() == "Darwin": # return os.environ['SPLUNK_HOME'] + "/etc/apps/faup/opt/faup-darw in" # if platform.system() == "Linux": # return os.environ['SPLUNK_HOME'] + "/etc/apps/faup/opt/faup-linu x" # if platform.system() == "Darwin": return os.path.join(os.path.dirname(__file__), "..","opt","faup- darwin") if platform.system() == "Linux": return os.path.join(os.path.dirname(__file__), "..","opt","faup- linux") # I don't know, so let's trust the system return "faup" faup_bin = where_is_faup() And also def setup_logger(): """ Setup a logger for our lookup """ logger = logging.getLogger('faup') logger.setLevel(logging.DEBUG) file_handler = logging.handlers.RotatingFileHandler('/opt/splunk/var/log/splunk/faup.log' ) formatter = logging.Formatter('%(asctime)s %(levelname)s %(message)s') file_handler.setFormatter(formatter) logger.addHandler(file_handler) return logger When running the command use * | lookup faup url If the url is extracted as something different, say uri, then use. * | lookup faup url AS uri Hopefully they can just write this into Splunk Enterprise base so we can use urlparse just as we can use urldecode. IAN. ... View more

You may be able to do this mathematically by decomposing timechart and manipulating _time somewhere in the middle. The timechart command is very close to this sequence of individual commands: ... | bucket span=XX _time | chart count over _time by target It is the bucket command (or its equivalent within timechart ) that is "rounding down" to the nearest value of span . What you may be able to do is something like this: ... | bucket span=1h _time | addinfo | <STUFF> | timechart span=1d count by target The "STUFF" is the tricky part. You'll need to do some eval magic to add-or-subtract from _time to shift events forward or backward in time. The addinfo command will introduce a couple of new fields to assist with this, specifically info_search_time which will be a time_t type value (seconds since 1970) of when the search was started. So, the "STUFF" might start out something like: | eval hour_of_search=strftime("%H",info_search_time) | eval hour_of_time=strftime("%H",_time) | eval hourshift=if(hour_of_time > hour_of_search,(24-hour_of_search),0) | eval _time=_time + hourshift*3600 Note I have no idea if the algebra there is right or not. It's just to demonstrate the general idea that _time is mutable, and if you can mathematically work out how to get what you want you can fuzz events forward or backward in time as needed to put them in the "same day" as you define your day. ... View more

and then click on the little icon that looks like a column chart (just under where it says '534 results..') ... View more

see the host_regex under [monitor://<path>] in http://docs.splunk.com/Documentation/Splunk/5.0.2/admin/Inputsconf ... View more

I removed the trial extended license we got from splunk and went back to the free license and the problem is solved. It's something to do with the license we got. I'll have to contact them. Thanks everyone for our input. ... View more

Cheers Jeff, good to know, even if I now have to go and doublecheck a whole bunch of reports for accuracy ... ... View more

updated 😉 ... View more

a similar answer, but closer to the actual expected output LINE_BREAKER=([\r\n]+)(=+[\r\n]+Check start) SHOULD_LINEMERGE=false should throw out the first [\r\n]+, and begin each event with your first row of =+ ... View more

This was really close. I had to use format to get it to work: | inputlookup myhosts.csv | search NOT [search stuff | fields host | format ] ... View more