Hi Splunkers I'm trying to send alerts data from one index to another using a macro For ex: The macro is having 4 arguments like below and would like to send data to new index called "newidx" using collect command here is the macro called `newmacro` eval apple=xyz, banana=abc, mango=www, grape=123 | collect index=newidx the idea is wherever I reference this macro in an alert that exact alert raw data need to be copied to the newidx but the sourcetype always changes as stash instead of original. I don't see all original fields in summary index Is there any way to define a sourcetype something like |collect index=newidx sourcetype=$sourcetype$

Dear All, Unable to send data from universal forwarder, to Splunk Enterprise i have minimal knowledge in Splunk  I'm trying to configure universal forwarder but unable to success could you please help me in this regards Please find the below my configurations i am using Splunk Enterprise 9.0 and universal forwarder version 9.1.1using Cent OS 7.0 inputs.conf [root@Universalforwarders local]# [monitor:///var/log/messages] index=os disabled=0 outputs.conf [root@Universalforwarders local]# [tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] [server://192.168.122.1:9997]   i used following command to check port status: netstat -an | grep 9997 tcp     0     0   0.0.0.0:9997   0.0.0.0:*   LISTEN localhost.localdomain --- my Splunk enterprise instance 127.0.0.1 --- my Splunk Universal forwarder   i want to know where i am doing mistake would be appreciate your kind support thanks in advance            

I am trying to create a dashboard panel that will have dropdowns different by the row you select.  I am using one of the searches that comes with the monitoring application as my search: index=_internal sourcetype=splunkd TERM(group=tcpin_connections) TERM("cooked") OR TERM("cookedSSL") (hostname!=*.splunk*.*) | dedup hostname | stats c as fwdCount by version | rex field=version "^(?<fwdV>\d+.\d+)" | eval splV= [ | makeresults | eval VERSION=7.0 | append [ | rest splunk_server=local count=1 /services/server/info | stats max(version) as VERSION] | rex field=VERSION "^(?<version>\d+.\d+)" | stats max(version) as splV | return $$splV ] | eval fwd_7_3_eos=relative_time(strptime("22-Oct-2021", "%d-%b-%Y"), "+1d@d"), fwd_8_0_eos=relative_time(strptime("22-Oct-2021", "%d-%b-%Y"), "+1d@d"), fwd_8_1_eos=relative_time(strptime("19-Apr-2023", "%d-%b-%Y"), "+1d@d"), fwd_8_2_eos=relative_time(strptime("30-Sep-2023", "%d-%b-%Y"), "+1d@d"), fwd_9_0_eos=relative_time(strptime("14-Jun-2024", "%d-%b-%Y"), "+1d@d"), fwd_9_1_eos=relative_time(strptime("28-Jun-2025", "%d-%b-%Y"), "+1d@d"), fwd_default_eos=relative_time(strptime("01-Jan-1971", "%d-%b-%Y"), "+1d@d") | eval expTimestamp = case( match($$fwd_version$$, "^7\.3"), fwd_7_3_eos, match($$fwd_version$$, "^8\.0"), fwd_8_0_eos, match($$fwd_version$$, "^8\.1"), fwd_8_1_eos, match($$fwd_version$$, "^8\.2"), fwd_8_2_eos, match($$fwd_version$$, "^9\.0"), fwd_9_0_eos, match($$fwd_version$$, "^9\.1"), fwd_9_1_eos, 1==1, fwd_default_eos) | fields - fwd_*_eos | eval warn=case( (now() > expTimestamp), fwdCount, 1==1, 0) | eval info=fwdCount-warn | rename warn as "Out of date", info as "Up to date" | fields - fwdV, splV, fwdCount, expTimestamp   What I want to do is to drop down based on the row I select (see attached snapshot)

Haven't been able to find this, but I want to basically calculate up time percentage for a host based on 2 unique events.  One gets logged when something is bad, the other gets logged when everything is fine.   An example would be to have a host log 10 minutes of "ok" events, then 4 minutes of "bad" events, then 18 minutes of "on" events, etc. I need to out put the following based on the search range of the query. Host | total_ok_duration | total_bad_duration | percentage_ok_duration this need to be run and return for multiple hosts as well.

Hello Splunkers, I’m looking for the best algorithm to search for events. with the below criteria. I have a lookup with only one field but multi-valued. About 10000 lines, for example, “vatsal, jagani” “10.0.0.1,“10.0.0.2” I want to search index=abc, for the last 2 hours (about 50 events) to see if there are at least two events (but can be more) that contain words from one set.   For example. event-1 - “hello, I’m Vatsal. event-2 - “hello, I’m jagani too.” here, two events have matching words from the same lookup field.   Another example, event-3 - “hi, vatsal” event-4 - “hello, vatsal” this also considers matching.   And I want to run this alert every hour.   Solution-1 - I could use the map command as below but I don't think that's very efficient.   | inputlookup words_lookup.py | eval or_field = <convert words to or list like "vatsal" OR "jagani"> | map max_count=1000000 "search index=abc $or_field$"     Solution-2 - I could write a Python script, but I'm not sure what algorithm to use.   I'm looking for a more efficient query or python algorithm to do this efficiently.