Hello, Looking for some real guidance here. We just implemented Splunk with an Implementation team. We are pulling out Notables to send to our case management product and then closing the notable ( this way we are only searching for open notables to send and if for some reason it doesnt send it doesnt close so it can attempt again) .   We are having to add a |head 1 to this search in order for the update Notable command knows which notable to update and set to close ( Not having the Head command caused issues updating the notable to closed.....seeing say 5 notables and then trying to update became to confusing for splunk) . This has caused us to make this search real-time search ( we get 10 Notables at the same time we dont want to wait 10 minuets for that event to get over to us) . I am going to provide some of the SPL and see if anyone knows a better way....we have been waiting for 4 months from Splunk on this. `notable` | where (status==1 AND notable_xref_id!="") Some eval commands and table | head 1 | sendalert XXXX param.X_instance_id=X param.alert_mode="X" param.unique_id_field="" param.case_template="X" param.type="alert" param.source="splunk" param.timestamp_field="" param.title=X param.description=X param.tags="X" param.scope=0 param.severity=X param.tlp=X param.pap=X | table status event_id | eval status=5|updatenotable Has anyone attempted to search in the notable index and pull multiple events and tried to update the notable in that search and had successful results for multiple entries? 

I have two sourcetypes containing login information and user information Sourcetype1: Login information (useful paramaters: UserId, status) Sourcetype1: Id = accountId Sourcetype2: User information (useful parameters: username. Id) Sourcetype2; Id = userId Both sourcetypes contains the parameter Id but refers to different information. I want to get a list/table with number of logins and the result for each user Mapping login data with user data: UserId (Sourcetype1) = Id (Sourcetype2)   Example: username     status        count aa@aa.aa     success     3  

I am building a dashboard with the new dashboard builder and I have a dynmic dropdown which returns me these values: timerange, rangeStart, rangeEnd, date 2024-03-07T09:10:23/2024-03-07T23:34:39 2024-03-07T09:10:23 2024-03-07T23:34:39 07/03/24-07/03/24 2024-03-08T19:41:25/2024-03-08T23:28:54 2024-03-08T19:41:25 2024-03-08T23:28:54 08/03/24-08/03/24 2024-03-11T19:36:52/2024-03-11T23:19:36 2024-03-11T19:36:52 2024-03-11T23:19:36 11/03/24-11/03/24   These ranges can go over multiple days. I use the date column as my label in the dropdown which works fine. My problem now is that I want to use the rangeStart and rangeEnd as the earliest and latest times for my graphs. My dropdown config looks like this: {     "options": {         "items": ">frame(label, value, additional_value) | prepend(formattedStatics) | objects()",         "token": "testrun",         "selectFirstSearchResult": true     },     "title": "Testrun",     "type": "input.dropdown",     "dataSources": {         "primary": "ds_w86GnMtx"     },     "context": {         "formattedConfig": {             "number": {                 "prefix": ""             }         },         "formattedStatics": ">statics | formatByType(formattedConfig)",         "statics": [],         "label": ">primary | seriesByName(\"date\") | renameSeries(\"label\") | formatByType(formattedConfig)",         "value": ">primary | seriesByName(\"rangeStart\") | renameSeries(\"value\") | formatByType(formattedConfig)",         "additional_value": ">primary | seriesByName(\"rangeEnd\") | renameSeries(\"additional_value\") | formatByType(formattedConfig)"     } } The token name for the dropdown is testrun    My query config for the graph looks like this: {     "type": "ds.search",     "options": {         "query": "QUERY",         "queryParameters": {             "earliest": "$testrun$rangeStart$",             "latest": "$testrun$rangeEnd$"         },         "enableSmartSources": true     },     "name": "cool graph" } It seems like the token $testrun$ itself returns the rangeStart, but these $testrun$rangeStart/rangeEnd$ don't work. Is it even possible to do something like that, that the dropdown returns multiple values? If not is there a way to use the timerange from above and split it in the middle to get earliest and latest? "earliest": "$testrun.timerange.split(\"/\")[0].strptime('%Y-%m-%dT%H:%M:%S')$", "latest": "$testrun.timerange.split(\"/\")[1].strptime('%Y-%m-%dT%H:%M:%S')$" I tried also this in different ways which I also couldn't get to work. The error I am getting is always "invalid earliest_time".

Hello! Since 7.3.0 I'm seeing the reload process for assets and identities failing frequently. Any ideas?   RROR pid=20559 tid=MainThread file=base_modinput.py:execute:820 | Execution failed: 'SplunkdConnectionException' object has no attribute 'get_message_text' Traceback (most recent call last): File "/app/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 601, in simpleRequest serverResponse, serverContent = h.request(uri, method, headers=headers, body=payload) File "/app/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1710, in request conn, authority, uri, request_uri, method, body, headers, redirections, cachekey, File "/app/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1425, in _request (response, content) = self._conn_request(conn, request_uri, method, body, headers) File "/app/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1377, in _conn_request response = conn.getresponse() File "/app/splunk/lib/python3.7/http/client.py", line 1373, in getresponse response.begin() File "/app/splunk/lib/python3.7/http/client.py", line 319, in begin version, status, reason = self._read_status() File "/app/splunk/lib/python3.7/http/client.py", line 280, in _read_status line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1") File "/app/splunk/lib/python3.7/socket.py", line 589, in readinto return self._sock.recv_into(b) File "/app/splunk/lib/python3.7/ssl.py", line 1079, in recv_into return self.read(nbytes, buffer) File "/app/splunk/lib/python3.7/ssl.py", line 937, in read return self._sslobj.read(len, buffer) socket.timeout: The read operation timed out During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/app/splunk/etc/apps/SA-IdentityManagement/bin/identity_manager.py", line 483, in reload_settings raiseAllErrors=True File "/app/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 613, in simpleRequest raise splunk.SplunkdConnectionException('Error connecting to %s: %s' % (path, str(e))) splunk.SplunkdConnectionException: Splunkd daemon is not responding: ('Error connecting to /services/identity_correlation/identity_manager/_reload: The read operation timed out',) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/app/splunk/etc/apps/SA-Utils/lib/SolnCommon/modinput/base_modinput.py", line 811, in execute log_exception_and_continue=True File "/app/splunk/etc/apps/SA-Utils/lib/SolnCommon/modinput/base_modinput.py", line 380, in do_run self.run(stanzas) File "/app/splunk/etc/apps/SA-IdentityManagement/bin/identity_manager.py", line 586, in run reload_success = self.reload_settings() File "/app/splunk/etc/apps/SA-IdentityManagement/bin/identity_manager.py", line 486, in reload_settings logger.error('status="Failed to reload settings" error="%s"', e.get_message_text()) AttributeError: 'SplunkdConnectionException' object has no attribute 'get_message_text'    

Hi, I am trying to find what is my Splunk ID for the purpose of purchasing additional users licenses. I am unable to find any useful info on my dashboard and the support portal seems to be down. Regards, Alvin