Case Scenario: Dashboard A is clicked, thus sending a token whose value is hostname ($hostnameToken$) to Dashboard B. Dashboard B with the following query has received $hostnameToken$ , then used on | search host_name , when search | search query returns “Results not Found”.         index=S score>=7.0         | lookup A.csv IP Address as ip OUTPUTNEW Squad         | lookup B.csv IP as ip OUTPUTNEW PIC, Email         | lookup C.csv ip as ip OUTPUTNEW host_name            IF        (true)                 | search host_name="$hostnameToken$"        THEN DO THIS:                  | stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email                    values(Squad) as squad by ip         ELSE   (false)                   | eval hostToken="$hostnameToken$"                   | lookup CortexHostIp2.csv host_name as hostToken OUTPUTNEW ip                   | search ip=ip               THEN DO THIS:                        | stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email)                                   as email values(Squad) as squad by ip   The next search is carried out by converting the hostname token value to IP via eval and lookup. If both ELSE conditions are not met (value is False), then the search stops.   Question: How to implement conditional statements into the above query? What is the right query to use?

Hey Splunkers,   I am working on a search but I have encountered a road block in my search. I am attempting to change a UTC time zone to CST within the search. I was able to change the EPOCH times to CST but I am struggling to locate any documentation on how I can convert the UTC time to match the same as my CST results. I need to change my time to match the other time zones.         2022-08-31T21:04:52Z       needs to be converted to the same format as       08/31/2022 16:21:16        

Hi Team, From the below raw JSON string in Splunk, I am trying to display only correlationId column in a table, can someone help with a query on how to achieve this?   Also wanted to know if it can be achieved from a regular expression.     index= test1, sourcetype=abc { "eventName": “test”, "sourceType”: “ats”, "detail": { "field": “abctest-1”, "trackInformation”: { "correlationId": “12345”, "components": [ { "publisherTimeLog”: "2022-08-31T13:19:18.726", “MetaData”: “cmd”, "executionTimeInMscs”: “2”5, "receiverTimeLog”: "2022-08-31T13:19:18.725" } ] }, "value": “imdb”, "timestamp": 1455677 }, } Output: ______ correlationID ——————— 12345    

I have two message threads, each thread consists of ten messages. I need to request to display these two chains in one. The new thread must consist of ten different messages: five messages from one system, five messages from another (backup) system. Messages from the system use the same SrcMsgId value. Each system has a unique SrcMsgId within the same chain. The message chain from the backup system enters the splunk immediately after the messages from the main system. Messages from the standby system also have a Mainsys_srcMsgId value - this value is identical to the main system's SrcMsgId value. Tell me how can I display a chain of all ten messages? Perhaps first messages from the first system (main), then from the second (backup) with the display of the time of arrival at the server.  Specifically, we want to see all ten messages one after the other, in the order in which they arrived at the server. Five messages from the primary, for example: ("srcMsgId": "rwfsdfsfqwe121432gsgsfgd71") and five from the backup: ("srcMsgId": "rwfsdfsfqwe121432gsgsfgd72"). The problem is that messages from other systems also come to the server, all messages are mixed (chaotically), which is why we want to organize all messages from one system and its relative in the search. Messages from the backup system are associated with the main system only by this parameter: "Mainsys_srcMsgId" - using this key, we understand that messages come from the backup system (secondary to the main one). Examples of messages from the primary and secondary system: Main system: { "event": "Sourcetype test please", "sourcetype": "testsystem-2", "host": "some-host-123", "fields": { "messageId": "ED280816-E404-444A-A2D9-FFD2D171F32", "srcMsgId": "rwfsdfsfqwe121432gsgsfgd71", "Mainsys_srcMsgId": "", "baseSystemId": "abc1", "routeInstanceId": "abc2", "routepointID": "abc3", "eventTime": "1985-04-12T23:20:50Z", "messageType": "abc4", .......................................................................................... Message from backup system: { "event": "Sourcetype test please", "sourcetype": "testsystem-2", "host": "some-host-123", "fields": { "messageId": "ED280816-E404-444A-A2D9-FFD2D171F23", "srcMsgId": "rwfsdfsfqwe121432gsgsfgd72", "Mainsys_srcMsgId": "rwfsdfsfqwe121432gsgsfgd71", "baseSystemId": "abc1", "routeInstanceId": "abc2", "routepointID": "abc3", "eventTime": "1985-04-12T23:20:50Z", "messageType": "abc4", "GISGMPRequestID": "PS000BA780816-E404-444A-A2D9-FFD2D1712345", "GISGMPResponseID": "PS000BA780816-E404-444B-A2D9-FFD2D1712345", "resultcode": "abc7", "resultdesc": "abc8" } } When we want to combine in a query only five messages from one chain, related: "srcMsgId". We make the following request: index="bl_logging" sourcetype="testsystem-2" | транзакция maxpause=5m srcMsgId Mainsys_srcMsgId messageId | таблица _time srcMsgId Mainsys_srcMsgId messageId продолжительность eventcount | сортировать srcMsgId_time | streamstats current=f window=1 значения (_time) as prevTime по теме | eval timeDiff=_time-prevTime | delta _time как timediff  

Hello, I have an app on our cloud SH named A and i wanted to rename it to B. Which config change is required to change an app name on Splunk cloud? I guess i need to open a case to splunk support since we doesn't have a backend access but i am curious to know whether in app.conf this app rename should be changed or any other conf file? please advise.     Thanks,  

This is the code  import requests import datetime now = datetime.datetime.now() # print(now) data = {'ticket_id':'CH-12345','response_code':200,'service':'Ec2','problem_type':'server_down','time':now} headers = { 'Content-Type': 'application/json' } response = requests.post('https://localhost:8089/servicesNS/nobody/TA-cherwell-data-pull/storage/collections/data/cherwell_data' ,headers=headers ,data=data, verify=False , auth=('admin' , 'changeme')) print(response.text)  This is the error I am getting  <msg type="ERROR">JSON in the request is invalid. ( JSON parse error at offset 1 of file "ticket_id=CH-12345&amp;response_code=200&amp;service=Ec2&amp;problem_type=server_down&amp;time=2022-08-31+20%3A28%3A53.237962": Unexpected character while parsing literal token: 'i' )</msg> Please let me know if you need any more help

Hello I have a little problem with Splunk! I have a table that basically contains data in the following way number value 1 A 1 B 2 C 3 D 3 E   I would like to have a table like number value 1 A B 2 C 3 D E As you can see, I would like to have the data in the same cells.   If you have a solution