I have the following 2 logs DRT.log:  This consists of the following log lines:   {"date_time":"20220823-13:11:11.622475033","severity":"INFO","dc":"DRT"} {"date_time":"20220823-13:11:11.622475099","severity":"INFO","version":"1.1.1"} {"date_time":"20220823-13:11:11.622475099","severity":"INFO","state":"running"}   And CME.log: This consists of the following logs lines:   {"date_time":"20220823-13:11:11.622475033","severity":"INFO","dc":"CME"} {"date_time":"20220823-13:11:11.622475099","severity":"INFO","version":"2.2.2"} {"date_time":"20220823-13:11:11.622475033","severity":"INFO","state":"down"}   The output I want to display is a table that looks like the following:   DataCenter Version State DRT 1.1.1 running CME 2.2.2 down   I have noticed that if I specify the explicit source file then them my search query works for that individual source.   As example:    index=exc_md_qa sourcetype="ctc:md:tickerplant" source="/splunk_log/DRT.log" | spath | search severity="INFO" | dc, version, state | stats values(dc) as DataCenter latest(version) as Version latest(state) as State This above search returns: DataCenter Version State DRT 1.1.1 running   And likewise if I replace the source with the other log file, I get this...   index=exc_md_qa sourcetype="ctc:md:tickerplant" source="/splunk_log/CME.log" | spath | search severity="INFO" | fields dc, version, state | stats values(dc) as DataCenter latest(version) as Version latest(state) as State This search yields the following: DataCenter Version State CME 2.2.2 down   However if I run the search with a wildcard for the source, I only get partial results...     index=exc_md_qa sourcetype="ctc:md:tickerplant" source="/splunk_log/*.log" | spath | severity="INFO" | fields dc, version | stats values(dc) as DataCenter latest(version) as Version latest(state) as State This yields the following (with missing data from DRT) DataCenter Version State CME 2.2.2 down DRT Or sorting by DataCenter then I don;t get the state at all... index=exc_md_qa sourcetype="ctc:md:tickerplant" source="/splunk_log/*.log" | spath | severity="INFO" | fields dc, version | stats latest(version) as Version latest(state) as State by dc This yields: DataCenter Version State CME 2.2.2 DRT 1.1.1   So the question is how do I combine them into one search.  I think the brunt of the issue is tying the dc, state and version fields to the same source, but not sure how to do that   Any help is much appreciated!  

Hello Splunk team, I have two doubts please help me with details, 1. We are using Splunk cloud platform for Enterprise security. Is there any way to know the time span of buckets for how many days we have configured. For example Hot - 90 days Warm- 90 days like this data how to get to know from Splunk GUI, I have used "| dbinspect" in search query but I am unable to get the timing for how many days we have kept Hot, warm etc.,  2. While using a search query we can see the time range "All Time", so here what does it actually mean. Is this mean from when we have configured Splunk or from when logs got ingested or else only the Hot & Warm buckets database data. Thanks in advance for letting me know the details.

Hi Folks, I'm very new at syslog server configuration but I have a question about this. I have an IF (universal forwarder) and I want it to act as a syslog server as well. I want it to receive the syslog logs on a different port (not 514). The port 30001 for example.  That port should be open from the Splunk side or from my network side? I appreciate any comment or documents to further understand this. Thanks.

Hi! I have a log like this eventtype=000111 msg=malicious srcip=11.11.22.22 eventtype=123 msg=traffic srcip=11.11.22.22 hostname=MyMachine Both lines are on the same index, would like to get something like this eventtype=000111 msg=malicious srcip=11.11.22.22 hostname=MyMachine I´ve tryied using joins, but they just could get results when indexes are different. because the initial condition of eventtype doesn´t match with the second event. this is the query which doesn´t work index=index_ logid=1122 | fields * | join srcip [search index=index_ | table hostname ] | table eventtype msg srcip hostname Can you help me? Thanks!!

We currently have our Splunk Enterprise instance all running on a stand-alone vm but are looking to add an additional vm for some sort of replication sort of a hot cold standby option or whatever the best practice may be.  Has anyone had experience doing this and what were your steps? 

Hello All -  Using version 1.7.6 on Splunk Enterprise 8.2.3: Search Error: Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'. | tstats summariesonly=t count from datamodel=Web WHERE (*) sourcetype="websense:cg:kv" Web.mid IN (*) Web.id IN (*) Web.user IN ("**") Web.action IN ("*") Web.src IN ("**") Web.status IN ("*") Web.http_method IN ("*") Web.category IN ("*") Web.dest IN ("***") Web.http_user_agent IN ("**") by Web.http_user_agent | rename Web.* as * | stats sum(count) as "count" by http_user_agent | lookup user_agents http_user_agent | table count ua_family http_user_agent | sort 0 -count From Job Inspector: 08-30-2022 14:30:38.150 ERROR ScriptRunner [53774 StatusEnforcerThread] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py http_user_agent ua_os_family ua_os_major ua_os_minor ua_os_patch ua_os_patch_minor ua_family ua_major ua_minor ua_patch ua_device': File "/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py", line 54 08-30-2022 14:30:38.150 ERROR ScriptRunner [53774 StatusEnforcerThread] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py http_user_agent ua_os_family ua_os_major ua_os_minor ua_os_patch ua_os_patch_minor ua_family ua_major ua_minor ua_patch ua_device': results = user_agent_parser.Parse(http_user_agent) 08-30-2022 14:30:38.150 ERROR ScriptRunner [53774 StatusEnforcerThread] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py http_user_agent ua_os_family ua_os_major ua_os_minor ua_os_patch ua_os_patch_minor ua_family ua_major ua_minor ua_patch ua_device': ^ 08-30-2022 14:30:38.150 ERROR ScriptRunner [53774 StatusEnforcerThread] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py http_user_agent ua_os_family ua_os_major ua_os_minor ua_os_patch ua_os_patch_minor ua_family ua_major ua_minor ua_patch ua_device': TabError: inconsistent use of tabs and spaces in indentation 08-30-2022 14:30:38.153 ERROR ExternalProvider [53774 StatusEnforcerThread] - Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'. 08-30-2022 14:30:38.153 ERROR SearchStatusEnforcer [53774 StatusEnforcerThread] - StatusEnforcerThread failed with error: Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'. 08-30-2022 14:30:38.153 INFO ReducePhaseExecutor [53774 StatusEnforcerThread] - ReducePhaseExecutor=1 action=CANCEL 08-30-2022 14:30:38.153 INFO DispatchExecutor [53774 StatusEnforcerThread] - User applied action=CANCEL while status=0 08-30-2022 14:30:38.153 ERROR SearchStatusEnforcer [53774 StatusEnforcerThread] - sid:_amFzb25faG90Y2hraXNzQGFvLnVzY291cnRzLmdvdg_amFzb25faG90Y2hraXNzQGFvLnVzY291cnRzLmdvdg_bmxzX1VJX2Rldg__search32_1661869827.397931_B7BA11EF-467A-4E74-B057-FC9CAC03F269 Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'. Any suggestions on how to fix this?  Thank you.

Hello all, I know this has been asked many different ways but, I cant seem to get the search correct.  I am attempting to "Don't Display Data that is less than 10 days old. I have to set-up a whitelist via a look table, the idea here is we add IP's or URL that show no threat, so want to stop seeing alerts coming in. But - we want to recheck the data again in 10 days. This is my test search, But it still shows IP or URL's in the lookup table.       | from datamodel:"Threat_Intelligence"."Threat_Activity" | search NOT [| inputlookup my_whitelist.csv | fields threat_match_value] | where lastSeen>=relative_time(now(),"-10d") AND _time<=now() | table _time threat_match_value       My look table fields are 

Good afternoon! I receive messages from systems on splunk, several messages from one system line up in a message chain. As a rule, six messages from one system line up in a chain of six messages. By message chain, I mean that splunk receives six messages with the same field: "srcMsgId". Messages arrive one after another at different intervals, but the interval should not exceed the value of N. Tell me how can I set up Alert in splunk, in case the interval between messages in the chain exceeds the value N.

I hate to have a newbie question here but, I am deploying a Linux Splunk server with several windows workstations. The workstations show up in the forwarders area however, I cannot find the hostname of the Linux server I am on. Do I need to include a forwarder on the splunk server? I have never worked at the application level with splunk before so I apologize if this is a silly question.

Hi Splunkers ,   Im trying to build a dashboard to capture all the triggered alerts with some custom actions to be applied for each alert Im trying to make a table with  Alert Name , Alert triggered Time and Alerts results URL(which we actually get in an email when we enable  email notification) I would like to know how to get url for each triggered alert results and pass that into a dashbaord....so that users can view that results by clicking that link and take actions based on that