HI,  I concatenate strings that I want successfully, but i can't use it to find data when I put the strings into subsearch. Here's my code below: index="list"  device=C* | eval x="IPAD,NB,PC" | eval x=split(x, ",") | mvexpand x | eval combine= "device_No=" . x | stats values(combine) as combine | eval final_condition = mvjoin(combine, " OR ") | search final_condition

Can anyone point me to where this escaping is documented in the Splunk manuals? I can across it in a dashboard today and have not been able to track it down - very confusing until a colleague told me what it did.

It's not clear if your two datasets are in the same event or in different events. Generally you can use mvmap to compare multivalue fields in the same event for unique/missing, see this example. | makeresults | eval data1="{ \"iphone\": { \"price\" : \"50\", \"review\" : \"Good\" }, \"desktop\": { \"price\" : \"80\", \"review\" : \"OK\" }, \"laptop\": { \"price\" : \"90\", \"review\" : \"OK\" } }", data2="{ \"tv\": { \"price\" : \"50\", \"review\" : \"Good\" }, \"desktop\": { \"price\" : \"60\", \"review\" : \"OK\" } }" | eval p_name_1=json_array_to_mv(json_keys(data1)) | eval p_name_2=json_array_to_mv(json_keys(data2)) | eval p_unique = mvmap(p_name_1, if(isnull(mvfind(p_name_2, "^".p_name_1."$")), p_name_1, null())) | eval p_missing = mvmap(p_name_2, if(isnull(mvfind(p_name_1, "^".p_name_2."$")), p_name_2, null())) | table data1 data2 p_unique p_missing  

Hello, If I have additional fields (Score2, Score3), should I add those fields in the search like below? I am not how to do it on eval Name. Please suggest. Thank you for your help | streamstats count as row sum(Score) as running, sum(Score2) as running2, sum(Score3) as running3 | eventstats sum(Score) as total, sum(Score2) as total2, sum(Score3) as total3) | where row <= 7 | eval Score=case(row == 6, total - running + Score, row == 7, total, true(), Score) | eval Score2=case(row == 6, total2 - running2 + Score2, row == 7, total2, true(), Score2) | eval Score3=case(row == 6, total3 - running3 + Score3, row == 7, total3, true(), Score3) | eval Name=case(row == 6, "Other", row == 7, "Total", true(), Name) | fields - row running running2 running3  total total2 total3

Sorry for not being clear. The process of building these VMs is ongoing, and during this process we would like to be absolutely sure that these VMs are ready to host all the Splunk components. For example. our SE suggested to check the following - THP turned off. All internal logs are being forwarded to indexer tier. MC set-up Splunk running as correct user Splunk restart enabled So I wonder what would be the best way to ensure that these VMs are built correctly? I’m thinking about scripted input, and a dedicated dashboard to monitor and verify all the settings. Do you have any other suggestions, by any chance?

FYI and perhaps this will be helpful to others. I was getting all the same errors and finding little of use in the log files. In my case the problem was that something had deleted these files: C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\windows_x86_64\bin\dbxquery.exe C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\windows_x86_64\bin\server.exe Files of the same name still existed under: ...\windows_x86\bin ...\linux_x86\bin ...\linux_x86_64\bin So we suspect some antivirus or similar must have deleted them for some reason. As soon as I put them back DB Connect was fine.

Oh wait these have to be in order, what if I wanted to grab a field that is 10 fields before this.   Expanded Sample Data; dvchost=asdf.ghi.com NodeType=Windows Server NodeTypeLabel=Node Type Rule=Critical System Settings RuleLabel=Rule RuleType=Windows Registry Rule RuleTypeLabel=Rule Type fname=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoWebServices ChangeType=Added ChangeTypeLabel=Change Type SeverityName=High SeverityNameLabel=Tripwire Severity Name VersionOID=-1y2p0ij32e8cf:-1y2p0iizs0ilf VersionOIDLabel=Version OID SeverityNumber=10000 SeverityNumberLabel=Tripwire Severity Number sproc=C:\Windows\System32\svchost.exe licurl=https://abcd.ghi.com/console/lic.search.cmd?lic=true&managerId=nodeManager&pageId=nodeManager.elementFinderPage&searchCriteria=%7B%22search.element.nodeGroup.selectedObject%22%3A%22-1y2p0ij32e8bm%3A-1y2p0ij02lp4k%22%2C%22search.element.name.op%22%3A1%2C%22search.element.name%22%3A%22HKEY_LOCAL_MACHINE%5C%5CSoftware%5C%5CMicrosoft%5C%5CWindows%5C%5CCurrentVersion%5C%5CPolicies%5C%5CExplorer|NoWebServices%22%2C%22selectedSearchType%22%3A%22element%22%2C%22search.element.ruleGroup.selectedObject%22%3A%22-1y2p0ij32e7p1%3A-1y2p0ij32bgh0%22%2C%22criteria.searchExecuted%22%3Atrue%7D start=Jan 07 2024 06:07:45 duser=NT AUTHORITY\SYSTEM dvc=10.10.10.10 rt=Jan 29 2024 04:41:24 dhost=abcd.ghi.com SHA-1=Not available MD5=Not available Size=Not available content=0x00000001 (1) contentLabel=Current Version Content timezone=Pacific Standard Time timezoneLabel=Time Zone elementOID=-1y2p0ij32e8ca:-1y2p0ij02lo5f elementOIDLabel=Element OID blVersion=false blVersionLabel=Is baseline version hardCodedIP=10.10.10.10 Say I wanted the fields NodeType, RuleType, fname, duser, sproc?   Thanks

That's not the same regex as the one I provided.  Spaces are significant. Here's a variation with more explicit spaces. SEDCMD-accmasking = s/card number \d{4}\s\d{4}\s\d{4}\s(\d{4})/card number xxxx xxxx xxxx \1/