Hi, I am having troubles with providing the correct regex to extract the hostname from the file location. The file structure looks like this  /var/log/syslog/splunk-lb/ise/switch01.log I need only the switch01 as hostname but splunk add switch01.log. The regex i use is (?:[\/][^\/]*){1,}[\/](\w*) Any idea how to modify the regex to match only switch01? thanks Alex   ... View more

Hello, I have deployed an app to a distributed Search Head Cluster. This app contains only a props.conf file in the default directory. In the props.conf there is a calculated field writing a vendor-product to a specific source type. In the search app this field is not populated. I believe because the sharing permission is set to app, rather than to global. how can I change the permission from app to global? Initially I created this app on the Search Head deployer in the directory shcluster/apps by adding a directory TEST, there i created a directory default and there i created a file props.conf. Then I deployed it to the search heads. I see the app on all the search heads, it's just the wrong sharing permission. thanks Alex   ... View more

Hi, we have a distributed Splunk environment and I have successfully deployed the UF to Windows Server. I am getting data into my Indexer.  My question is regarding the Search Head cluster. I believe I need to deploy the TA also to the Search Heads to get properties from the props.conf and other files. Do I need to deploy the complete TA to my Search heads or just specific files? Thanks in advance Alex  ... View more

Hi, I am struggling with following task. I have a lookup file containing all the configured dhcp scopes in the following format.  ScopeId SubnetMask Name State StartRange EndRange LeaseDuration In the dhcp.log i have the ip address for a client.  I need the ScopeID and the LeaseDuration for each client.  My idea is to look if the given IP Address is within StartRange and EndRange and get the ScopeID and LeaseDuration. My problem is I don't have a clue on how to do so. Any Ideas? thanks  Alex ... View more

Hello, I have an issue with getting token into a new dashboard. I build a dashboard for VPN connections. Here is the search for the main dashboard. index=cisco-ise eventtype="cisco-ise" NAS_Port_Type=Virtual Location="Location#All Locations#bs HCS Domain#*" MESSAGE_CLASS="Passed-Authentication" OR MESSAGE_CLASS="Radius-Accounting" SelectedAccessService="VPN Access Protocols" Acct_Status_Type=Stop | dedup CPMSessionID user | eval LogoutTime = strftime(_time, "%d.%m.%Y %H:%M:%S") | eval LoginTime = strftime((_time-Acct_Session_Time), "%d.%m.%Y %H:%M:%S") | eval Acct_Input_Octets = round(((Acct_Input_Octets/1024)/1024),3) | eval Acct_Output_Octets = round(((Acct_Output_Octets/1024)/1024),3) | eval Acct_Session_Time = tostring(Acct_Session_Time, "duration") | table LoginTime LogoutTime user Calling_Station_ID Framed_IP_Address Acct_Input_Octets Acct_Output_Octets Acct_Session_Time Acct_Terminate_Cause | rename user as "Username" Framed_IP_Address as "VPN Client IP Address" Acct_Input_Octets as "MBytes Sent" Acct_Output_Octets as "MBytes Received" Acct_Session_Time as "Duration" Acct_Terminate_Cause as "Logout Reason" Calling_Station_ID as "VPN Client Public IP" LogoutTime as "Logout" LoginTime as "Login" The result is table, the idea is when clicking on one line of the table another Dashboard shows up with the connections the VPN client established in the time range where he was connected to the VPN. I could manage to pass the source IP to the new Dashboard and it shows all the connections for the IP address. I'd like to limit it to the time where the client actually were connected. Here is the drilldown section of the first dashboard <drilldown> <link target="_self">/app/search/vpn_connectivity_details?src_ip=$row.VPN Client IP Address$&amp;login=$row.Login$&amp;logout=$row.Logout$</link> </drilldown> When clicking I get an invalid earliest_time message on the second dashboard Here is the source code for the target dashboard <dashboard> <label>VPN Connectivity Details</label> <row> <panel> <table> <search> <query>index=cisco-asa eventtype=cisco_connection src_ip=$src_ip$ | table _time src_ip dest_ip src_port dest_port transport bytes_in action</query> <earliest>$login$</earliest> <latest>$logout$</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">50</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </dashboard> I guess it has something to with the strtime format of my login and logout Table row. Is there a way to convert it back to a appropriate time format on the fly? Any ideas are appreciated. thanks Alex ... View more

Hi, I'm wondering if it is possible to add a sparkline instead of a value into a table? I am using the this query: eventtype="SNMP-Data" host="172.23.1.100" | rex max_match=0 "UCD-SNMP-MIB::mem(?((AvailSwap)|(AvailReal)|(TotalReal))\.\d+\,.*)" | table temp | mvexpand temp | rex field=temp "(?\w+)\.""(?\d+)\,""(?\d+)" | chart values(value) over id by metric | rename AvailReal as "Available Memory in kB" AvailSwap as "Available Swap in kB" TotalReal as "Total Memory in kB" The output looks pretty much like this It would be nice if the tables would show a graph rather than the values. thanks in advanced Alex ... View more

Good morning, i'm new to Splunk and have a question regarding universal forwarder deployment. I installed the UF on a windows machine, in order to configure it via the deploment server do i have to copy the SplunkForwarder folder from /opt/splunk/etc/apps to /opt/splunk/etc$ cd deployment-apps/ ? And what files I have to configured to make the client send data to my indexer? thanks in advanced Alex ... View more