Try: {([^:].+?):([^}].+?)} $1 will be your key and $2 will be your value. ... View more

Your hints helped us identify the aggqueue and parsingqueue and the culprits. This answer from Gerald helped us fix it: http://answers.splunk.com/questions/1142/the-aggqueue-and-parsingqueue-consistently-full-blocked-how-do-i-increase ... View more

We stepped through this exercise with Support's help and it seems to be an issue when deploying form Windows. We were only interested in deploying the unix app to machines that would act as forwarders, thus the way we solved it was to deploy a "unix-enable" app, which just switched on the inputs on the forwarders. This wasn't a problem as the unix app was deployed by default as part of the Splunk install and the permissions for the scripts were set correctly. $SPLUNK_BASE/etc/deployment-apps/unix-enable/default/inputs.conf [script://./bin/cpu.sh] disabled = 0 [script://./bin/df.sh] disabled = 0 [script://./bin/hardware.sh] disabled = 0 [script://./bin/interfaces.sh] disabled = 0 [script://./bin/iostat.sh] disabled = 0 [script://./bin/lastlog.sh] disabled = 0 [script://./bin/lsof.sh] disabled = 0 [script://./bin/netstat.sh] disabled = 0 [script://./bin/openPorts.sh] disabled = 0 [script://./bin/package.sh] disabled = 0 [script://./bin/protocol.sh] disabled = 0 [script://./bin/ps.sh] disabled = 0 [script://./bin/rlog.sh] disabled = 0 [script://./bin/time.sh] disabled = 0 [script://./bin/top.sh] disabled = 0 [script://./bin/usersWithLoginPrivs.sh] disabled = 0 [script://./bin/vmstat.sh] disabled = 0 [script://./bin/who.sh] disabled = 0 [fschange:/etc] disabled = 0 [monitor://~/Library/Logs] disabled = 0 [monitor:///Library/Logs] disabled = 0 [monitor:///var/log] disabled = 0 [monitor:///etc] disabled = 0 ... View more

I've seen some strange behavior between different browser versions. Have you tried Firefox or Safari (I'm assuming you might be using IE). ... View more

We always enable the "SplunkLightForwarder" app and have not seen any issues with it in production. ... View more

This will definitely help get us there. Thank you very much. ... View more

We think we found our issue, some of the events get logged a lot later, but has a timestamp that sometimes falls in a Summary Indexing window that has already passed. At least we can confirm that Summary Indexing seems to work reliably. Will raise a new question for this backfill challenge. Thanks! ... View more

realtime_schedule is set to 0 for the saved searches in question. ... View more

I found some skipped saved searches using your search, but not for the day in question. I verified that the scehduled search events's scehduled_time field was correct (ie. 5 minute intervals). Will need to dig deeper to find out why our summary index is missing events. ... View more

The API is pretty similar to 4.1 (and even 3.x), just check http://www.splunk.com/base/Documentation/4.1.4/Developer/RESTIntro ... View more

Have you tried removing: [syslog] defaultGroup=logserver from your outputs.conf? As I read it and from my own experience it might change the behaviour from what you intend. Otherwise it looks good. If all else fails you can use REGEX = to negate certain log entries. ... View more

My recommendation would be to fix timestamp recognition on the originating data, there are lots of option, but the one that works best for me is explicitely setting TIME_FORMAT and TIME_PREFIX in props.conf. Please see: http://www.splunk.com/base/Documentation/4.1.4/admin/Configuretimestamprecognition If you can post a sanitized sample of the data we can make some further recommendations. ... View more

Use the Lookup command http://www.splunk.com/base/Documentation/4.1.4/SearchReference/Lookup and define the lookup table using the Manager (Manager -> Lookups -> Lookup table files) ... View more

Hi, The Splunk for *NIX app that ships with the Linux versions has the queries "Successful User Logins" and "Failed Logins" built in (under the Users menu). Would that be sufficient? Just load Splunk, Enable the *NIX app and configure it. ... View more

Syslog is a good option. You can configure a UDP or TCP input for that purpose using the Splunk Manager. You should also be able to use NFS to mount the log files on the production server to your local filesystem, then just load Splunk on the server and point it to the correct folder. ... View more

Katey, in one of my environments I have a similar setup and I would recommend that you go with proposal 3. (Add the syslog log to Manager ->Data inputs->File & directories->Add new -> /var/log/syslog). You dont have to configure the whitelist regex. The advantage of this approach is that Splunk will automatically monitor /var/log/syslog and in the event of Splunk ever stopping (for example because of a reboot) it will be able to continue where it left off, it automatically keeps track of it's progress when in this mode. Adding a forwarder is just adding complexity and overhead. ... View more

Thank you! We were looking for function capabilities, but Lowell's solution will help us to get the search working. ... View more

This is a great tip, I have also verified that you can use addinfo in subsearches of a scheduled search, so this will solve my problem. Thanks! ... View more