I'm using Splunk to collect the state of Microsoft IIS web server app pools. I've noticed that when the Universal Forwarder collects Perfmon data that has instance names with spaces in, and when ingested into a Metrics index, that the instance name after the first space is lost. But this doesn't happen if I ingested into a normal index. Here is my configuration in the inputs.conf file: [perfmon://IISAppPoolState] interval = 10 object = APP_POOL_WAS counters = Current Application Pool State instances = * disabled = 0 index = metrics_index mode=single sourcetype = perfmon:IISAppPoolState It is on a machine which has IIS pools which have spaces in there names - ie "company website" "company portal" "HR web" When this data is ingested into the metrics index and accessed via the following Splunk command: | mstats latest(_value) as IISAppPoolState WHERE index=metrics_index metric_name="IISAppPoolState.Current Application Pool State" by instance, host I end up with instance values that truncate at the first space. So "company website" becomes just "company" (and who knows what happens to "company portal"). However if I direct the data into a normal index the instance names are wrapped in quotes and the space in the instance name persevered. Is there anyway to fix this behaviour? Collecting this data into a metrics index has worked fine until now but thanks to this server having IIS site names with spaces in them it's causing a real problem.   Thanks for your thoughts! Eddie

I am trying to send events from my host machine to splunk using HEC. My Function: Invoke-RestMethod -Method Post -Uri $hecUri -Headers @{"Authorization" = "Splunk $hecToken"} -Body $jsonEventData -ContentType "application/json" Error:  Invoke-RestMethod : Unable to connect to the remote server At C:\Users\myusername\OneDrive\Desktop\Lab3.ps1:29 char:1 + Invoke-RestMethod -Method Post -Uri $hecUri -Headers @{"Authorization ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Invoke-RestMethod], WebException + FullyQualifiedErrorId : System.Net.WebException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

With MLTK, when looking at accumulated runtime, the outliers are detected cleanly (three out of three spikes), whereas with the anomaly detection app, only two of the three spikes are detected (along with one false positive, even at medium sensitivity). The code generated by the MLTK is as follows -   index=_audit host=XXXXXXXX action=search info=completed | table _time host total_run_time savedsearch_name | eval total_run_time_mins=total_run_time/60 | convert ctime(search_*) | eval savedsearch_name=if(savedsearch_name="","Ad-hoc",savedsearch_name) | search savedsearch_name!="_ACCEL*" AND savedsearch_name!="Ad-hoc" | timechart span=30m median(total_run_time_mins) | eval "atf_hour_of_day"=strftime(_time, "%H"), "atf_day_of_week"=strftime(_time, "%w-%A"), "atf_day_of_month"=strftime(_time, "%e"), "atf_month" = strftime(_time, "%m-%B") | eventstats dc("atf_hour_of_day"),dc("atf_day_of_week"),dc("atf_day_of_month"),dc("atf_month") | eval "atf_hour_of_day"=if('dc(atf_hour_of_day)'<2, null(), 'atf_hour_of_day'),"atf_day_of_week"=if('dc(atf_day_of_week)'<2, null(), 'atf_day_of_week'),"atf_day_of_month"=if('dc(atf_day_of_month)'<2, null(), 'atf_day_of_month'),"atf_month"=if('dc(atf_month)'<2, null(), 'atf_month') | fields - "dc(atf_hour_of_day)","dc(atf_day_of_week)","dc(atf_day_of_month)","dc(atf_month)" | eval "_atf_hour_of_day_copy"=atf_hour_of_day,"_atf_day_of_week_copy"=atf_day_of_week,"_atf_day_of_month_copy"=atf_day_of_month,"_atf_month_copy"=atf_month | fields - "atf_hour_of_day","atf_day_of_week","atf_day_of_month","atf_month" | rename "_atf_hour_of_day_copy" as "atf_hour_of_day","_atf_day_of_week_copy" as "atf_day_of_week","_atf_day_of_month_copy" as "atf_day_of_month","_atf_month_copy" as "atf_month" | fit DensityFunction "median(total_run_time_mins)" by "atf_hour_of_day" dist=expon threshold=0.01 show_density=true show_options="feature_variables,split_by,params" into "_exp_draft_ca4283816029483bb0ebe68319e5c3e7"   And the code generated by the anomaly detection app -   ``` Same data as above ``` | dedup _time | sort 0 _time | table _time XXXX | interpolatemissingvalues value_field="XXXX" | fit AutoAnomalyDetection XXXX job_name=test sensitivity=1 | table _time, XXXX, isOutlier, anomConf     The major code difference is that with MLTK, we use -   | fit DensityFunction "median(total_run_time_mins)" by "atf_hour_of_day" dist=expon threshold=0.01 show_density=true show_options="feature_variables,split_by,params" into "_exp_draft_ca4283816029483bb0ebe68319e5c3e7"   whereas with the anomaly detection app, we use -   | fit AutoAnomalyDetection XXXX job_name=test sensitivity=1 | table _time, XXXX, isOutlier, anomConf     Any ideas why the fit function uses DensityFunction vs AutoAnomalyDetection parameters, and why the results are different?

original query: index=splunk-index   |where  message="start"  |where NOT app IN("ddm", "wwe", "tygmk", "ujhy") |eval day= strftime(_time, "%A") |where _time >= relative_time(_time,  "@d+4h") AND _time <= relative_time(_time, "@d+14h") |where NOT day IN("Tuesday", "Wednesday", "Thursday") To suppress my alert, i created a lookup file and added the alert name and holidays dates as shown below: Alert Holidays_Date App Relative Logs Data 8/12/2023 App Relative Logs Data 8/13/2023 App Relative Logs Data 8/14/2023 App Relative Logs Data 8/18/2023   Query with inputlookup holiday list: |inputlook HolidayList.csv |where like(Alert, "App Relative Logs Data") AND Holidays_Date=strftime(now(), "%m/%d/%y") |stats count |eval noholdy=case(count=1, null(), true(), 1) |search  noholdy=1 |fields noholdy |appendcols [search index=splunk-index   |where  message="start"  |where NOT app IN("ddm", "wwe", "tygmk", "ujhy") |eval day= strftime(_time, "%A") |where _time >= relative_time(_time,  "@d+4h") AND _time <= relative_time(_time, "@d+14h") |where NOT day IN("Tuesday", "Wednesday", "Thursday")] When i used this query i am still receiving alert on the dates mentioned in the .csv file. But i don't want to receive  the alerts. is there something wrong in my query, please help 

Hi All, greetings for the day! my manager asked me to create the usecase but I am new to splunk and know the basics of splunk. 1. so please guide me where to start and end to create the usecase. 2. is there any community for creating the usecasae. Thanks, Jana.P