Hey guys, I am looking through a very very very large log of files for events. In the normal search screen, you can specify date ranges for your search, but in the field extraction screen, I cannot specify a range of dates to search through when I am searching for the sample event using the filter, so it searches through all (something like 200 million) events in order to find the string I am searching for. I know the date the event occurs on, and can find it in a normal search instantly, but not with the field extraction screen. I have tried adding earliest=10/19/2009:0:0:0 latest=01/17/2016:0:0:0 to find the events, but it always just returns 0 events (before 1/18/16 7:29:48.000 PM) . Is there a way to specify date ranges inside of the field extraction filter so that I dont have to filter through everything? When I add that filter from above, I am searching for an event structured like this Jan 15 13:54:23 |actual error message| Thanks ... View more

Hey guys, Question for you. I have a query where I am searching for multiple field names inside of the query - sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" OR AccessDenied="Access Denied" OR PageNotFound="page not found" is it possible to use stats count in order to count up each of the fields? Something like sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" OR AccessDenied="Access Denied" OR PageNotFound="page not found" | stats count by PhpFatal, DrupalPHPFatal, AccessDenied, PageNotFound Is this possible? ... View more

Hey guys, I asked a question recently about an appended column on a graph not selecting the correct events when it is clicked on. Iguinn provided me with a query(Thanks!) that allowed the columns to filter correctly and select the right events. I have to add two more columns to this graph, and I am running into the same problem I was having when I was trying to use append, which is that it does not filter the events correctly into the appended columns on the graph. Both of these fields have been extracted and appear correctly when they are not appended. My query is sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" | eval ErrorType = if(PhpFatal=="PHP Fatal error",PhpFatal,DrupalPHPFatal) | stats count by ErrorType | append [ search sourcetype=testing AccessDenied="Access Denied" OR PageNotFound="page not found" | eval ErrorType = if(AccessDenied=="access denied",AccessDenied,PageNotFound) | stats count by ErrorType ] These commands both work when they are not appended. When I select either the AccessDenied column or the PageNotFound column, I get 0 events, even though the graph says there are three. The search query when I select these appended columns is sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" | eval ErrorType = if(PhpFatal=="PHP Fatal error",PhpFatal,DrupalPHPFatal) | search ErrorType="access denied" when I select one of these appended columns. If I select a non-appended column, the query is the same, except it says search ErrorType="PHP Fatal Error" Why are appended columns not functioning properly on this graph? Thanks ... View more

Hey guys, I recently created a graph using the search: sourcetype=testing PhpFatal="PHP Fatal error" | stats count by PhpFatal | append [ search sourcetype=testing DrupalPHPFatal="Error: PHP FATAL Error" | stats count as DrupalPHPFatal ] I ran into an issue with the appended graph that I am unsure how to fix. Firstly, it does not actually show the events in different colors unless I make the appended graph stats count as DrupalPHPFatal instead of stats count by DrupalPHPFatal . Although it pulls up the correct number of events using both syntaxes, when I select the DrupalPHPFatal section, it does not pull up the right events. It pulls up the events for the first search, which in this case was for PhpFatal, not DrupalPHPFatal. Is there something wrong with the appending syntax, or do I have to have another specific command in there for Splunk to pull up the right events when I select the events sections on the bar graph? ... View more

Hey guys, I'm trying to create a graph which calculates the number of logs that fit the text critieria I am searching for. I want to have two different fields mapped on the same graph. I can map them separately correctly, but I would like to have them both on the same graph. These are the two searches I am running to create them on two separate graphs. sourcetype=testing DrupalPHPFatal="Error: PHP FATAL Error" | top limit=5 DrupalFatal sourcetype=testing PhpFatal="Fatal error"="PHP Fatal Error" | top limit=5 PhpFatal I have tried putting then together with a command like: sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" | top limit=5 PhpFatal, DrupalPHPFatal but it doesnt not return any results. How can I accomplish this task by having both of these graphs combined? Thanks. ... View more

Hey guys, I have configured the forwarder to send apache access logs to itself from localhost. However, when I look at the metrics log for Splunk, I see 01-07-2016 19:34:57.279 +0000 INFO StatusMgr - destHost=xx.xx.xxx.xxx, destIp=xx.xx.xxx.xxx, destPort=9997, eventType=connect_try, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor 01-07-2016 19:34:57.280 +0000 INFO StatusMgr - destHost=xx.xx.xxx.xxx, destIp=xx.xx.xxx.xxx, destPort=9997, eventType=connect_fail, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor My inputs.conf file is inside of /opt/splunk/etc/apps/search/local/inputs.conf , and it says - [splunktcp://9997] connection_host = ip [monitor:///var/log/apache2/access.log] disabled = false index = main sourcetype = access_combined I'm pretty sure I already opened port 9997. When I do it inside of Splunk, it says the port is already open. Any help would be appreciated. Thanks ... View more