All Posts

Again - what in this event should tell Splunk that it's a new event?
Tried to use "_raw =errortrace" in fields alias section...it did not pick up this field alias.
Why is data from other sites retrieved?
1. splunk version 9.2.1
2. server.conf : manager-node
     [general]
     serverName = site01_master
     pass4SymmKey = $7$50dW7T6+mDkef5xS4o2BemFWDAur04JWlGHTwFKCNHAXuGtkZkOaEg==
     site = site1
     [clustering]
     available_sites = site1,site2
     mode = manager
     multisite = true
     pass4SymmKey = $7$lBUz3IZR3TZJeUAdYDUZR4tesE3AL0ttpupYUywS3UrG7PdwqHZ01g==
     site_replication_factor = origin:3,site1:3,total:6
     site_search_factor = origin:2,total:2
3. server.conf : site1-SH
     [general]
     serverName = site01_sh01
     pass4SymmKey = $7$lX74ABK5XURidryB9htlMI9hsjjZZSq0PulPOi3bCbCziiWrBBnN5g==
     site = site1
     [clustering]
     manager_uri = https://192.168.79.141:8089
     mode = searchhead
     multisite = true
     pass4SymmKey = $7$JZddW4jKx48TGUx03PmTHexz76aYtTwK/aW7cQ9AGFsnZaA++xv1lA==
3. server.conf : site2-SH
     [general]
     serverName = site02_sh01
     pass4SymmKey = $7$zFcBrd6VgPug9rgiJvI+mvRI5H7PRWwuaGgg0HBY0UKp4hTMN1CBmQ==
     site = site2
     [clustering]
     manager_uri = https://192.168.79.141:8089
     mode = searchhead
     multisite = true
     pass4SymmKey = $7$3u+CM93kvNCnGZolsv6K9EdD6fyYpalpNDyfL/+Bq0D0Vuzd5u3kuQ==
Thanks for Update    04/06/2024;09:55:33;Operator;Operator level: 0 -> 6 EP78543 line break Before and after  regex query
I just checked out my number formatting on the table and changed the precision to 0 exactly
This query is working fine with the given example But when I am running given query in index it not producing any result.
    index = cba_hcck8s_UHGWM110-013948 host=prod_poc source=poc
    | fields - {}.* ``` optional ```
    | spath path={}
    | mvexpand {}
    | fields - _* ``` optional ```
    | spath input={}
    | eval totalCount = SKIPPED + PROCESSED
    | chart sum(SKIPPED) as SKIPPED,sum(PROCESSED) as Processed sum(totalCount) as TotalClaims by DAYHOUR DATE
I am getting no result with this query. You know my data reside in message under event field. Might be this query not reaching message field where rest of the data stored in array.
Also adding my row text
How do I get the values in days_to_eol to just show without the .00 decimal? I even rounded the result to the nearest whole number with my query.
Any solution to this issue? I am also having the same problem after upgrading to Splunk 9.2.2.
We have approximately a year's worth of data in our Splunk Cloud instance. Due to certain reasons, we need to export all the indexed data from Splunk Cloud into readable files. What are the possible ways to achieve this?
It would help if you post the data as text instead of a photo of it.
Hi
    <search>
      <query>index=* EventCode=25753 | stats count(EventCode) as toto | append [| search index=* EventCode=* | stats count(EventCode) as toto2]</query>
      <earliest>-7d@h</earliest>
      <latest>now</latest>
      <done>
        <condition>
          <set token="NbHost">$result.toto$</set>
          <set token="NbHost2">$result.toto2$</set>
        </condition>
      </done>
    </search>
    <option name="drilldown">none</option>
    <option name="underLabel">$NbHost$ / $NbHost2$</option>
I don't succeed to display the NbHost2 value under my single panel. What is wrong, please?
And your props for this sourcetype are...?
I'm facing a problem with the storage of Splunk. I tried multiple ways to minimize the heavy data stored at hot/warm DB, but nothing went OK since the cold data won't accept any migrations from the hot/warm data. Any suggestions?
Honestly (yes, I know it is not helping in the immediate problem at hand but might save you some time in the future), this is a very ugly data format. I suspect that someone just receives data with a third-party solution which adds its own headers and forwards it to Splunk. The result is that you have some structure which Splunk is able to parse (the "outer json") and within that you have completely unparsed message field. And this field is "kinda like a json but not quite" so it doesn't parse properly (and I suspect there can be other types of events in that message field so no single parsing schema would work here). In the long run it would be best if you could force admins of your source solution to provide data in a more sane format.
Don't post wrong answers to delete all the data.
1. It's more of a PowerShell question than a Splunk one.
2. For simple file monitoring it's easier to use UF (or other solutions capable of writing to a HEC endpoint if you find UF "too big" or "too closed source").
3. You haven't even told us at which point this error is raised.
Hi there, I'd like to have a dedicated threat intel feed which goes to a custom created lookup (non-default), is that even possible?   
Hi @bhaskar5428, here you can find all the information: https://hurricanelabs.com/splunk-tutorials/the-indexed-extractions-vs-search-time-extractions-splunk-case-study/
Anyway, you can add INDEXED_EXTRACTIONS on the props.conf on the UFs and/or the SHs or use something like this:
    [your_sourcetype]
    INDEXED_EXTRACTIONS = JSON
or in search
    index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" | spath
Ciao.
Giuseppe
Hello Jubin.Patel,
Thanks for posting question on the community.
Controller determines status of db agents with the same name based on latest start time. Hence we could fetch last agent start time from controller db and then judge which one is active / passive.
Please access controller and use the query command below (you need to use real account name in this SQL):
    select acn.name as nodeName,
           ag.type as agentType,
           ag.agent_version as agentVersion,
           from_unixtime(ag.last_agent_start_timestamp/1000) as lastAgentStartTime
    from application app
    inner join application_component ac on ac.application_id = app.id
    inner join application_component_node acn on acn.application_component_id = ac.id
    inner join application_component_node_agent_mapping acnm on acnm.application_component_node_id=acn.id
    inner join agent ag on ag.id=acnm.agent_id
    inner join account a on a.id = app.account_id
    where a.name='<account name>' and ag.type = 'DB_AGENT';
(E.g.)
    mysql> select acn.name as nodeName,
           ag.type as agentType,
           ag.agent_version as agentVersion,
           from_unixtime(ag.last_agent_start_timestamp/1000) as lastAgentStartTime
    from application app
    inner join application_component ac on ac.application_id = app.id
    inner join application_component_node acn on acn.application_component_id = ac.id
    inner join application_component_node_agent_mapping acnm on acnm.application_component_node_id=acn.id
    inner join agent ag on ag.id=acnm.agent_id
    inner join account a on a.id = app.account_id
    where a.name='xxxxxxxx' and ag.type = 'DB_AGENT';
    +------------------------------------------+-----------+------------------------------------------------------------------------------+--------------------------+
    | nodeName                                 | agentType | agentVersion                                                                 | lastAgentStartTime       |
    +------------------------------------------+-----------+------------------------------------------------------------------------------+--------------------------+
    | cDBAgent_Mao|host:cDBAgent-Secondary-Mao | DB_AGENT  | Database Agent v24.5.0.4126 GA compatible with 4.5.2.0 Build Date 2024-05-15 | 2024-07-16 05:48:48.8930 |
    | cDBAgent_Mao|host:cDBAgent-Primary-Mao   | DB_AGENT  | Database Agent v24.5.0.4126 GA compatible with 4.5.2.0 Build Date 2024-05-15 | 2024-07-16 05:48:48.8890 |
    +------------------------------------------+-----------+------------------------------------------------------------------------------+--------------------------+
    2 rows in set (0.00 sec)
Hope this helps.
Best regards,
Xiangning
Hi,
I try to send logs from my Windows server to Splunk via PowerShell but I have this type of error: Cannot convert value to type System.String.
This is my code:
    # Function to send log files with HEC
    function Send-LogToSplunk {
        param (
            [string]$filePath
        )
        $logContent = Get-Content -Path $filePath -Raw
        $fileName = [System.IO.Path]::GetFileName($filePath)
        $fileDirectory = [System.IO.Path]::GetDirectoryName($filePath)
        $splunkServer = "$splunkHost/services/collector/event"
        $header = @{"Authorization" = "Splunk $splunkToken"}
        $payload = @{
            event = $logContent
            host = $env:COMPUTERNAME
            sourcetype = "log"
            source = $filePath
        } | ConvertTo-Json
        #Write-Host "Log Content $logContent";
        #Write-Host "Payload to be sent: $payload";
        Write-Host "FileDirectory $fileDirectory";
        try {
            $response = Invoke-RestMethod -Method Post -Uri $splunkServer -Headers $header -Body $payload
            Write-Host "Log sent successfully: $fileName"
        } catch {
            Write-Host "Failed to send log: $filePath Code Error: '$global:errorConnectionCode'"
            Write-Host "Error details: $_"
            Exit $global:errorConnectionCode
        }
    }
Thanks in advance