I looked at the code again to make sure I wasn't speaking out of turn and it basically works like this: >>> import re >>> pattern='(\\\\|/|\s+|;|-)' >>> testdata='this-is-a-test.txt' >>> matches=re.split(pattern, testdata) >>> matches ['this', '-', 'is', '-', 'a', '-', 'test.txt'] >>> pattern='(\\\\)' >>> testdata='this-is-a-test.txt' >>> matches=re.split(pattern, testdata) >>> matches ['this-is-a-test.txt'] The delims value is just a splitter, not a filtering mechanism despite the bad variable naming I used in the script. I'll have to rename that later on... At any rate, modifying the delims to not include the hyphen should solve your issue. ... View more

That delims option tells the command how to split up stuff that gets put into the command. For example, if you have an input 'this-is-my-process.exe', the default value splits this into multiple words and compares your wordlist to each word: "this", "is", "my", and "process.exe". By changing the delims value, you can change this behavior so that "this-is-my-process.exe" is evaluated as a whole word. The command shouldnt be excluding anything based on the provided delims. I'll check the code later to validate 100%. ... View more

Most likely the issue you are running into is with the "delims" option. From the add on readme: Delims accepts a regex string, escaped splunk style, and defaults to (\\\\|/|\s+|;|-) So if you were to pass in a different delimiter to the command like: | fuzzy wordlist="list.exe" delims="(\\\\)" compare_field=process_name You may get better results. ... View more

That is not the purpose of this app - the goal of this app is to look at the cron schedules applied to scheduled searches and list out the upcoming iterations of those to look for future overlap. ... View more

Latest version 1.0.2 has been submitted to Splunkbase with this feature added. It was not added specifically as you requested it but it should meet your needs. Let me know if it does not! ... View more

Assuming the domain field is not multivalue, the output from the app will contain two main fields: fuzzyout_max_match_ratio fuzzyout_max_match_word The compare field is split up based on the provided value to option "delims" and each result is measured against the provided wordlist. Key things to keep in mind, particularly for multivalues: The command does not filter results from the input. If you have a multivalue field, it will measure all values in the field and only show you the highest match. The command does not produce a list of all matches in a multivalue field or modify your original compare field. This would probably be a nice feature to have so I'll fit it into the next release. Here are some examples to help highlight command usage. Example 1: Example 2: Hope this helps. ... View more

This app was primarily designed for passing in a wordlist like: "iexplore.exe,svchost.exe" and comparing that against events (say, process audit security logs) to find results that are <100 and greater than some number... highlighting processes like "svch0st.exe" or "scvhost.exe" - common malware hiding techniques. That said, it's probably not the most efficient for your use case but you could accomplish a comparison like this: your search | fields name,blacklist_name | makemv delim="," blacklist_name | mvexpand blacklist_name | fuzzy wordlist=name compare_field=blacklist_name With the update I tossed in the git repo, that should read the values out of your name column and compare it to the blacklist_name column. With the makemv/mvexpand combo, you can compare every entry and get a corresponding score to find similar entries. If you're looking for exact matches, then something like this might be better: your search | fields name,blacklist_name | makemv delim="," blacklist_name | mvexpand blacklist_name | where match(name,blacklist_name) I used the fields operator in those sample searches but that's not strictly required here. Hope that helps. ... View more

As of now, the requested functionality has been added/checked in to the git repo here: https://gitlab.com/johnfromthefuture/TA-fuzzy/. I have a few more things I'd like to test/look at and then I'll get it on Splunkbase. If you are running on-prem, you can clone out the git repo and see if that meets your requirements. ... View more

Couple possible alternatives that might work for you: index=iis (action="login" OR a_action="event_status") cs_username=* | eval start_time=if(action=="login",_time,null()), end_time=if(a_action=="event_status",_time,null()) | stats min(start_time) as start_time,max(end_time) as end_time by cs_username | eval diff=abs(end_time-start_time) Or: | multisearch [| search index=iis action=login cs_username=] [| search index=iis a_action=event_status cs_username=] | stats earliest(_time) as start_time,latest(_time) as end_time by cs_username | eval diff=abs(end_time-start_time) ... View more

Sure, you can convert it. I mostly just wanted to bring up the bug with the author. ... View more

Btw, if you were to dig into these metrics, you could infer other things... like which logs went through which heavy forwarder by looking at group=per_source_thruput series="your source" . The key is "infer" because your universal forwarders should load balance through your heavy forwarders and most logs will go through all of them. With the combination of the per source thruput and a rough timeframe though, you could take a good guess. ... View more

Had a need for this today. This search does the trick for me: index=_internal (host=myheavyforwarder1 OR host=myheavyforwarder2 OR host=myheavyforwarder3) sourcetype=splunkd "group=tcpin_connections" component=Metrics | timechart span=30m dc(hostname) by host From this, I can see the distinct count of hostnames flowing through each heavy forwarder... ... View more

Yep, this is true. But it will still require distributed search functionality to set up a different splunk server to be the search head. That part won't be possible on the Free license. ... View more

I don't think it's possible. The reality is that splunkweb is a minor process compared to splunkd. It's splunkd that actually handles everything. You'd likely have better luck looking into how you could proxy the web connection to give the appearance of separation. ... View more

Also, this: https://answers.splunk.com/answers/4279/timezone-and-timestamp-modification-at-search-report-time.html ... View more

Making sure I understand: Let's say you have a log indexed at 10:00 UTC. You want users in say, timezones UTC-1 and UTC+3, to use the same time specifier in their search of 10:00 and get the same results? Off hand, I'd say your best bet here is to have the users set their timezone context in Splunk to the same time zone. ... View more

What you are thinking of is a search peer and distributed searching. Box A can be both an indexer and search-head while Box B is just a search head configured to look at Box A as a search peer. Reference this doc: http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Configuredistributedsearch And this one: http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Forwardsearchheaddata However, that said, you will not be able to do this with a free license. Distributed search is one feature disabled... Reference: https://www.splunk.com/en_us/products/splunk-enterprise/free-vs-enterprise.html ... View more

I would be curious to know if the phone has access to the management port (default: 8089). You mentioned the Android device was using a VPN connection - what about the iPhone? Anyway, I ask because from what I remember about the mobile app, it requires access to the management port. ... View more

It should be (backslash)d not d. ... View more

For item 1: Can you provide the syntax error? And the search you try to run when the syntax error occurs? For item 2: It's important to know how the script does its matching. You can look at the comments in the script to get that information but here's the summary. Look at the input field, match against a generic regex (?:\d[ -]*?){13,30} If matched, strip all non-numeric characters Match new string against better regex (?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11}) If matched, run luhn check If luhn validated, set output field to true. You can change the first regex to limit what gets passed to the rest of the script (and feasibly limit false positives). The reason the script was done this way was to be more paranoid - in my log data, I don't always expect a perfectly formatted card number. However, IIS logs tend to throw false positives with this method because of the status code followed by more numbers. (i.e. 404 239058293) You can change it like this: | luhn regex="[\d\s-]{13,19}" output_field=luhn_check input_field=_raw An alternative suggestion is to change the input_field. It defaults to _raw but you could use "ccfield" instead. ,For item 1: What are the syntax errors you are getting? In some distributed search environments, if the script is not replicated as part of the knowledge bundles, you may need to do: | localop | luhn . Without the actual error, I can't say for certain. For item 2: regex="your regex string" . You can modify the regular expression that the command is using. You could also modify the script directly which wouldn't be too terrible. The design decision around doing 13-30 instead of 13-19 is related to how card numbers can be presented. So the matching works like this (if the display doesn't work here, refer to the comments in the script): We take a provided string and match it against the pattern provided by regex="your regex string" which defaults to (?:\d[ -]*?){13,30}) . For each match, remove all non-numeric characters. Check the remaining number with regex (?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11}) If matched, run a luhn check. I have seen false positives when working with web logs quite a bit because of the status codes followed by more numbers and this may be an area where changing the initial regex may help. If you wanted to match 13-19 character length of format "XXXXXXXXXXXX" or "XXXX-XXXX-XXXX-XXXX", assuming my regex is correct: | luhn regex="[\d-]{13,19}" output_field=luhn_check input_field=_raw Let me know if that helps at all. The app isn't perfect so I'm willing to make some changes here... ... View more

This may help too: http://blogs.splunk.com/2013/10/31/streamstats-example/ It's an example of using streamstats but they specifically show how to look at when DHCP changes for an IP address. As to your point, if you need to search by MAC address, I would still recommend the above method. You can create a simple form dashboard that takes a MAC address and time range. You can create a search like this: host= sourcetype=dhcp mac_address=$mac$ | table _time, mac, hostname, ip_address, ... When you submit a MAC address in the form, you can have it output data however you want but in this example it would output a table of results. If you consume DHCP logs with MAC and IP address, you should be able to correlate the MAC address to a given host. ... View more