index=oncall_prod originOnCall="Prod" incidentNumber=497764 | sort _time desc | rex field=entityDisplayName "(?<Priorité>..) - (?<Titre>.*)" | eval startAlert = if(alertType == "CRITICAL", _time, "") | eval startAlert = strftime(startAlert,"%Y-%m-%d %H:%M:%S ") | eval ackAlert = if(alertType == "ACKNOWLEDGEMENT", _time, "") | eval ackAlert = strftime(ackAlert,"%Y-%m-%d %H:%M:%S ") | eval endAlert = if(alertType == "RECOVERY", _time, "") | eval endAlert = strftime(endAlert,"%Y-%m-%d %H:%M:%S ") | eventstats values(startAlert) as startAlert, values(ackAlert) as ackAlert, values(endAlert) as endAlert, values(ticket_EV) as ticket_EV by incidentNumber
Hello @ITWhisperer, thank you for your help. I tried to add your line, but it aggregates all the lines together, and although I then see everything on a single line, I cannot manipulate the data (for example, put a message when there has been no acknowledgment). Example: | eval ticket_EV = if(alertType == "RECOVERY" AND (isnull(ackAlert)), "No ticket", ticket_EV) Sincerely, Rajaion
You can convert/upgrade in place; Red Hat has a utility (Convert2RHEL) that allows you to upgrade CentOS 7 to RHEL 8. We've done this across thousands of CentOS servers with various configurations and apps and had no issues.
Thanks @isoutamo. So, I understood it correctly: we do not need to restore the backup. As soon as we add the detached node back to the cluster, all configuration and data will be resynced as is? Correct me if my understanding is incorrect. For me, it's a bit confusing how the configuration files will be restored without restoring the backup. Also, data might be replicated as soon as the sync starts, but it may take ages to complete the sync considering 4 TB of data. What do you think? Thanks
Hi @Ismail_BSA, see the Splunk Security Essentials app (https://splunkbase.splunk.com/app/3435) and you should find the updated versions of these searches. Ciao. Giuseppe
Hi @neltonk, field extractions at search time must always be configured on Search Heads (clustered or not); in fact, you should install on the SHs all the add-ons that you need. If you have index-time extractions, you must add them on Indexers (using the Cluster Manager) or, if present, on Heavy Forwarders. But usually field extractions are done at search time, so on SHs. Ciao. Giuseppe
index=oncall_prod originOnCall="Prod" incidentNumber=497764 | sort _time desc | rex field=entityDisplayName "(?<Priorité>..) - (?<Titre>.*)" | eval startAlert = if(alertType == "CRITICAL", _time, "") | eval startAlert = strftime(startAlert,"%Y-%m-%d %H:%M:%S ") | eval ackAlert = if(alertType == "ACKNOWLEDGEMENT", _time, "") | eval ackAlert = strftime(ackAlert,"%Y-%m-%d %H:%M:%S ") | eval endAlert = if(alertType == "RECOVERY", _time, "") | eval endAlert = strftime(endAlert,"%Y-%m-%d %H:%M:%S ") | stats values(alertType) as alertType, values(Priorité) as Priorité, values(Titre) as Titre, values(startAlert) as startAlert, values(ackAlert) as ackAlert, values(endAlert) as endAlert, values(ticket_EV) as ticket_EV by incidentNumber
Hello community, I need to set up a dashboard that tracks the status of an alert from Splunk OnCall. An alert can have 2 to 3 statuses and I would like to retrieve the _time of each step and keep it in memory for each state (to make duration calculations in particular). I manage to retrieve the _time for each state in a dedicated field, but I cannot transfer this value to the other states: index=oncall_prod originOnCall="Prod" incidentNumber=497764 | sort _time desc | rex field=entityDisplayName "(?<Priorité>..) - (?<Titre>.*)" | eval startAlert = if(alertType == "CRITICAL", _time, "") | eval startAlert = strftime(startAlert,"%Y-%m-%d %H:%M:%S ") | eval ackAlert = if(alertType == "ACKNOWLEDGEMENT", _time, "") | eval ackAlert = strftime(ackAlert,"%Y-%m-%d %H:%M:%S ") | eval endAlert = if(alertType == "RECOVERY", _time, "") | eval endAlert = strftime(endAlert,"%Y-%m-%d %H:%M:%S ") | table _time, incidentNumber, alertType, Priorité, Titre, startAlert, ackAlert, endAlert, ticket_EV Do you have any idea how to do this? I searched the forum but couldn't find a solution that matched my problem. Sincerely, Rajaion
It's easier to add extractions on SHC so you can modify them if you need. On indexers they will be fixed once indexed.
This is the log and we want the list of tags coming under "c7n:MatchedFilters"
Try something like this: | timechart span=1d count(B) by B | addtotals fieldname=count | streamstats time_window=30d avg(count) as A | eval A=round(A,0)
We also had some inconsistencies with these field extractions. Figured out that we needed to push the new limits configuration to the indexers, as well as the search head. Only pushing to the search head will work if you have a centralizing command before the spath field extraction, but not for streaming field extractions.
Hi. We are starting to use Splunk Infrastructure Monitoring, and want to deploy the Otel-Collector using our existing Splunk infrastructure (Deployment Server). We would really like to send the Otel data to IM through an HTTP_PROXY, but we do not want to change the dataflow for the entire server, so only a local HTTP_PROXY for the otel-collector. As I read the documentation, you need to set environment variables for the entire server and not just the otel-collector process. Does anyone have any experience using HTTP_PROXY with the Otel-Collector? Kind regards las
You can do it just like with almost any other dashboard: just click the magnifying glass in the bottom right corner of the panel. It opens a new window with that SPL query.
You can do this without custom code and without calling a child playbook. With your list, use a format block with %% before and after the part where you format your API call, then call the HTTP app's action using format_1:formatted_data.* (it is important that you pass in the formatted data using formatted_data.* with the asterisk) as input to the http action. This will cause the http action to be triggered once for each item in the list.
You said crash several times. This makes me think that your server may not have enough memory for that giant eventstats. (Again, this all depends on how many unique host names and IP addresses are in those tens of thousands of events. If that number is unusually large, it could exceed system RAM. But it also makes me suspect that your search heads might be under-provisioned.) If you are willing to use an inventory lookup, things can improve. Given that only one field from index B is useful in your logic, the inventory should come from this index. (You also said index B is smaller.) Here is my suggested setup for inventory.csv. index = B sourcetype="foo" | dedup Reporting_Host | table Reporting_Host | outputlookup inventory.csv After this, index=A sourcetype="Any" | fields "IP address" Hostname OS | dedup "IP address" Hostname OS | eval Hostname = lower(Hostname) | lookup inventory.csv Reporting_Host as Hostname output Reporting_Host as match | lookup inventory.csv Reporting_Host as "IP address" output Reporting_Host as match | eval match = if(isnull(match), "missing", "ok") | table Hostname "IP address" OS match
Make sure you are setting a valid label for the container. Also, double-check that a valid severity and sensitivity are being set on the container. You can check for errors when Splunk tries to create the container in SOAR. Run this SPL: index=cim_modactions error
thanks!
Thanks
No difference with inputlookup. fields is usually preferred if working with an index search that fetches actual events.