I have a field called DNS whos field values contain the hostname in the lookup. There is also another field called Identified_Host that has similar values. I will show the difference below: DNS Identified_Host host1.domain.com host1.domain.com host1-admin.domain.com host1.domain.com host1-mgt.domain.com host1.domain.com host2.domain.com host2.domain.com host2-admin.com host2.domain.com host2-mgt.admin.com host2.domain.com host3.domain.com host3.domain.com host3-admin.com host3.domain.com   From this example. it's shown that Indetified_Host is the main name of the host. I need to find out which hosts in Identified_Hosts have values in DNS with the same name but also end with -admin and/or -mgt. 

Hi, For some reason we cannot receive data to _interal or other indexes(all of them). Old indexes are still available through database. It looks like a generic problem, not related to any specific index. All I can see is _audit. Maybe it's ok to backup $SPLUNK_HOME/etc, and then reinstall splunk sw? or if possible restart some processes, or modify config file. input, output.conf   Rgds Geir

  Hello all, I have created and applied the configuration in props.conf file: SEDCMD-XXXXX = s/XXXXXX//g The field I wanted deleted is deleted from the logs... or it appears that way.  Looking at the raw logs, the field/values are not there, but once I expand it (with the tab in the upper-left corner of the log entry), the field is there...? As if that field/value pair was not deleted but hidden?? The field shows in the left-side column of "All Fields" too. Hope someone can guide/explain it - I have not been able to find an answer (if it even has one)... Thanks!

Hello I am working on creating a dashboard to monitor some data flow info. this dashboard will have many panels so I was thinking I could hide them all when loaded and then only display the ones that the user selects in a multiselect input(maybe a better way?). I am unsure how to accomplish this though or if it can even be done. Does anyone have any ideas on how I could accomplish this task? Thanks for the help!

Hello, We currently have the following chart created. I would like to show each district split by week over a 4wk time period as shown in the Administration bar below. However, I'm struggling to get the results we want. Any assistance would be greatly appreciated!   Base search:   ```Grab badging data for the previous week``` index=* sourcetype="ms:sql" CARDNUM=* earliest=-4w@w latest=-0@w | bin span=1d _time | eval week_number=strftime(_time,"%U") | dedup _time CARDNUM | rename CARDNUM as badgeid ```lookup Ceridian and Active Directory and return fields associated with employeeID and badgeid``` | join type=left badgeid ```Use HR records to filter on only Active and LOA employees``` [search index=identities sourcetype="hr:ceridian" ("Employee Status"="Active" OR "Employee Status"="LOA*") earliest=-1d@d latest=@d | eval "Employee ID"=ltrim(tostring('Employee ID'),"0") | stats count by "Employee ID" | rename "Employee ID" as employeeID | fields - count ```Filter on Hybrid Remote users in Active Directory that are not Board Members and are in the Non-Branch region``` | lookup Employee_Data_AD_Extract.csv employeeID OUTPUT badgeid badgeid_1 RemoteStatus District employeeID Region] | where like(RemoteStatus,"%Hybrid%") AND NOT like(District,"Board Members") AND Region="Non-Branches" ```Calculate the number of badge check-ins in a given week by badgeid``` |stats latest(Region) as Region latest(employeeID) as employeeID latest(District) as District latest(RemoteStatus) as status count as "weekly_badge_in" by badgeid week_number ```Compensate for temporary badge check-in (primary badge= badgeid temporary badge =badgeid_1``` | append [|stats latest(Region) as Region latest(employeeID) as employeeID latest(District) as District latest(RemoteStatus) as status count as "weekly_badge_in" by badgeid_1 week_number | rename badgeid_1 as badgeid ] | eval interval=case('weekly_badge_in'>=3,">=3", 'weekly_badge_in'<3,"<3") ```Calulation to determine the number of employees within District that are Hybrid Remote but have not badged-in ``` | join District [| inputlookup Employee_Data_AD_Extract.csv | fields badgeid badgeid_1 RemoteStatus District employeeID Region | where like(RemoteStatus,"%Hybrid%") AND NOT like(District,"Board Members") AND Region="Non-Branches" | stats count as total by District]  

Hello, Our customer has decided to end use of Splunk in lieu of Sumo Logic, but we are looking to keep up internal use of Splunk due to 110GB worth of Perpetual licensing we have leftover.  We are currently filtering out non-essentials, and for us one of the big players is linux syslog.  I am attempting to use transforms and props to filter out everything that aren't authentication failures.  The regular expression is looking for the string of text "authentication failure".  I tested my regex in regex101 and everything checks out, but when I turn on the syslog sourcetype, the proverbial flood gates are still opening up. Can someone take a look at these and let me know what looks wrong here?  The transforms are meant to bring in only events with "authentication failure" and toss out everything else. Props.conf [syslog] TRANSFORMS-set=set_parsing,set_null Transforms.conf [set_parse] REGEX = \bauthentication\b\s\bfailure\b DEST_KEY = queue FORMAT = indexQueue [set_null] REGEX = . DEST_KEY = queue FORMAT = nullQueue