I've upgraded from splunk 8.0.3 to 8.2.2, and now i'm getting errors for my metrics query. This used to work: | mstats rate(_value) prestats=true WHERE metric_name="traffic_in" AND index="em_metrics" AND description="EDGE" AND name_cache="EDGE" span=60s BY name_cache | timechart rate(_value) span=120s useother=false BY name_cache | fields -_span* | rename "EDGE" as traffic_in | eval Gb_in=(traffic_in*8/1000/1000/1000) | append [ | mstats rate(_value) prestats=true WHERE metric_name="traffic_out" AND index="em_metrics" AND name_cache="EDGE" span=60s BY name_cache | timechart rate(_value) span=120s useother=false BY name_cache| fields - _span* | rename "EDGE" as traffic_out | eval Gb_out=(traffic_out*8/1000/1000/1000) ] | selfjoin keepsingle=true _time| fields _time Gb_in, Gb_out Now i get an error that says The following join field(s) do not exist in the data '_time'.  Has anything changed from 8.0.3 to 8.2.2 that could explain this? ... View more

So i'm trying to extract and ip address from a multi-value field and my transforms stanza is something along these lines transforms.conf [ip] REGEX = ((?:(?:\d{1,3}.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z.]+)?(?:::)?)|(?:::[\dA-Fa-f.]{1,15})|(?:::)]*) FORMAT = IP::$1 props.conf [host::hostname] TIME_FORMAT = %a %b %d %H:%M:%S %T %Y KV_MODE = none SHOULD_LINEMERGE = false REPORT-ip = ip So this works, however it also extracts the source, sourcetype and host values in my new ip field. So i have random fields that look like IP= source::source|host::host|sourcetype. I could really use some help in trying to figure out why these extra values are being extracted. ... View more

If i go to Logs & Reports, in the sophos central console, under the General Logs heading there are 2 options, Events and Audit Logs. Based on the information that is polled from the Splunk Add-on only the Event Logs are polled, is there a way to receive the Audit Logs as well? ... View more