I am using below query for comparing todays, yesterday and 8days before data, when i use timechart command the timewrap works but when i use on stats I get 2 rows of data where as there will be multiple other URLs to compare, is it possible to compare it with stats? otherwise with timechart it creates a lots of colums with url avg and counts. <query> URL=* [| makeresults | addinfo | eval row=mvrange(0,3) | mvexpand row | eval row=if(row=2,8,row) | eval earliest=relative_time(info_min_time,"-".row."d") | eval latest=relative_time(info_max_time,"-".row."d") | table earliest latest] | eval URL=replace(URL,"/*\d+","/{id}") | bucket _time span=15m | stats avg(responseTime) count by URL _time| sort -_time URL | timewrap d

Hi All, I have a scripted input which gets Data from a URL and send it to Splunk. But now I have issue with event Formatting, Actual website data I am ingesting is as shown below: ##### BEGIN STATUS ##### #LAST UPDATE  :  Tue,  28  Nov  2023  11:00:16  +0000 Abcstatus.status=ok Abcstatus.lastupdate=17xxxxxxxx555     ###  ServiceStatus  ### xxxxx xxxxxx xxxx ###  SystemStatus  ### XXXX' XXXX   ###  xyxStatus  ### XXX XXX XXX . . . . So on....   But in splunk below lines are coming as a seperate events instead of being part of one complete event: ##### FIRST STATUS #####  - is coming as seperate event Abcstatus.status=ok  - this is also coming as a separate event   Below all events coming as one event which is correct and the above two lines should also be part of this one event: Abcstatus.lastupdate=17xxxxxxxx555 ###  ServiceStatus  ### xxxxx xxxxxx xxxx ###  SystemStatus  ### . . . So on.... #####   END STATUS  #####   Below is my props: DATETIME_CONFIG = CURRENT SHOULD_LINEMERGE=TRUE BREAK_ONLY_AFTER = ^#{5}\s{6}END\sSTATUS\s{6}\#{5} MUST_NOT_BREAK_AFTER=\#{5}\s{5}BEGIN\sSTATUS\s{5}\#{5} TIME_PREFIX=^#\w+\s\w+\w+\s:\s MAX_TIMESTAMP_LOOKAHEAD=200   Can you please help me with the issue?  

Hello,  I'm trying to create a RAG dashboard that will show different colours should an issue occur with a service e.g. if a service stops working the stat would show as one and the colour would turn red, I can do this but what I am struggling with is combining multiple index searches into one overall stat e.g. index "windows_perfmon" disk runs out of space, stat increases to 1, a winhostmon index service stops and that stat increases to one, I'm struggling to combine these into one overall stat which would be 2 in this example.  The current search I am using is:  (index=winhostmon host="Splunktest" "Type=Service" sourcetype=WinHostMon DisplayName="Print Spooler" OR DisplayName="Snow Inventory Agent" StartMode="Auto" State="Stopped") OR (index="windows_perfmon" host="Splunktest" object="LogicalDisk" counter="% Free Space" OR counter="Free Megabytes") | eval diskInfoA = if(counter=="% Free Space",mvzip(instance,Value),null()) | eval diskInfoA1 = if(isnotnull(diskInfoA),mvzip(diskInfoA,counter),null()) | eval diskInfoB = if(counter=="Free Megabytes",mvzip(instance,Value),null()) | eval diskInfoB1 = if(isnotnull(diskInfoB),mvzip(diskInfoB,counter),null()) | stats list(diskInfoA1) AS "diskInfoA1", list(diskInfoB1) AS "diskInfoB1" by host, instance, _time | makemv diskInfoA1 delim="," | makemv diskInfoB1 delim="," | eval freePerc = mvindex(diskInfoA1,1) | eval freeMB = mvindex(diskInfoB1,1) | eval usage=round(100-freePerc,2) | eval GB = round(freeMB/1024,2) | eval totalDiskGB = GB/(freePerc/100) | stats max(usage) AS "Disk Usage", max(GB) AS "Disk Free", max(totalDiskGB) AS "Total Disk Size (GB)" by host instance | where not instance="_Total" | where NOT LIKE(instance,"%Hard%") | search "Disk Usage" >90 | stats count The result I get is just count=1  Note in the above example I have stopped the print spooler on the server so the event count should be 2 as there is a disk that is also running above 90% I have also tried the append version but again I cannot get it to combine the results. index=winhostmon host="Splunktest" "Type=Service" sourcetype=WinHostMon DisplayName="Print Spooler" OR DisplayName="Snow Inventory Agent" StartMode="Auto" State="Stopped" | stats count|rename count as Service |append [ search index="windows_perfmon" host="Splunktest" object="LogicalDisk" counter="% Free Space" OR counter="Free Megabytes" | eval diskInfoA = if(counter=="% Free Space",mvzip(instance,Value),null()) | eval diskInfoA1 = if(isnotnull(diskInfoA),mvzip(diskInfoA,counter),null()) | eval diskInfoB = if(counter=="Free Megabytes",mvzip(instance,Value),null()) | eval diskInfoB1 = if(isnotnull(diskInfoB),mvzip(diskInfoB,counter),null()) | stats list(diskInfoA1) AS "diskInfoA1", list(diskInfoB1) AS "diskInfoB1" by host, instance, _time | makemv diskInfoA1 delim="," | makemv diskInfoB1 delim="," | eval freePerc = mvindex(diskInfoA1,1) | eval freeMB = mvindex(diskInfoB1,1) | eval usage=round(100-freePerc,2) | eval GB = round(freeMB/1024,2) | eval totalDiskGB = GB/(freePerc/100) | stats max(usage) AS "Disk Usage", max(GB) AS "Disk Free", max(totalDiskGB) AS "Total Disk Size (GB)" by host instance | where not instance="_Total" | where NOT LIKE(instance,"%Hard%") | search "Disk Usage" >90 | stats count|rename count as Disk ] The end goal of this is to just show one stat on a dashboard and when you click on that number it opens another dashboard that shows you the detail.    Any help would be appreciated. 

Using SPL and Splunk Search, I would like to search the logs array for each separate test_name and results and create a table with the results my current query looks something like: index="factory_mtp_events" | spath logs{}.test_name | search "logs{}.test_name"="Sample Test1" { logs: [ { result: Pass test_name: Sample Test1 { result: Pass test_name: Sample Test2 } { received: 4 result: Pass test_name: Sample Test3 } { expected: sample received: sample result: Pass test_name: Sample Test4 } { expected: 1 A S received: 1 A S result: Pass test_name: Sample Test5 } { expected: 1 reason: Sample Reason received: 1 result: Pass test_name: Sample Test6 } { pt1: 25000 pt1_recieved: 25012.666666666668 pt2: 20000 pt2_recieved: 25015.333333333332 pt3: 15000 pt3_recieved: 25017.0 result: Fail test_name: Sample Test7 } { result: Pass test_name: Sample Test8 tolerance: + or - 5 C recieved_cj: 239 user_temp: 250 } { expected: Open, Short, and Load verified OK. pt1: 2 pt1_recieved: 0 pt2: 1 pt2_received: 0 result: Fail test_name: Sample Test9 } { pt1: 2070 pt1_tolerance: 2070 pt1_received: 540 pt2: 5450 pt2_tolerance: 2800 pt2_received: 538 result: Fail test_name: Sample Test10 } { expected: Soft Start verified by operator received: Soft Start verified result: Pass test_name: Sample Test11 } { F_name: AUGER 320 F F_rpm: 1475 F_rpm_t: 150 F_rpm_received: 1500 F_v: 182 F_v_t: 160 F_v_received: 173 R_name: AUGER 320 R R_rpm: 1475 R_rpm_t: 150 R_rpm_received: 1450 R_v: 155 R_v_t: 160 R_v_ugc: 154.66666666666666 result: Pass test_name: Sample Test12 } { result: Pass rpm: 2130 rpm_t: 400 test_name: Sample Test13 received_rpm: 2126.6666666666665 received_v: 615.6666666666666 v: 630 v_t: 160 } ] result: Fail serial_number: XXXXXXXXXXXsample type: Test What is the purpose of the brackets after logs? I assume regex must be used to get the result from each test? How do I pull results from each test into a table containing the results of every separate log? I would like the table for each test to look something like: ** Sample Test1** Expected Actual Serial No. X X XXXXXXXsample Y Z XXXXXX2sample

I'm in the phase of the migration of the splunk component, where i need to migrate some add-ons from older sh and move it to new SH, coping the TA_crowdstrike-devices from old server to new server will this work?

Assistance with Custom Attribute Retrieval in VMware App for Splunk Hello everyone, I'm currently working on integrating custom attributes from VMware into Splunk ITSI using the Splunk Add-on for VMware Metrics. The standard functionality of the add-on doesn't seem to support custom attribute retrieval out-of-the-box and I need a "TechnicalService" custom attribute for an entity split. To tackle this, I am looking into extending the existing add-on scripts, particularly focusing on the CustomFieldsManager within the VMware API. I've explored the inventory_handlers.py, inventory.py, and mo.py scripts within the add-on and found a potential pathway through the CustomFieldsManager class in mo.py. However, I'd appreciate any insights or guidance from those who have tackled similar integrations or extensions. Specifically, I'm interested in: Best practices for extending the add-on to include custom attributes without affecting its core functionalities. Any known challenges or pitfalls in modifying these scripts for custom attribute integration. Advice on testing and validation to ensure stable and efficient operation post-modification. I'm open to suggestions, alternative approaches, or any resources that might be helpful in this context. Thank you in advance for your assistance and insights! kind regards, Charly