I have following eval based macro to return a string, in the end I am expecting macro to return something like "earliest=08/20/2022:18:39:14 latest=08/20/2022:18:55:14" so that i can use it in search as follows.  index=main org_name="cards-org" app_name="service-prod" `search_range("2022-08-20 19:15:14.104",2)`| table _time msg But I am getting below error.  Please help to understand what is wrong with this and how to achieve this. "Error in 'SearchParser': The definition of macro 'search_range(2)' is expected to be an eval expression that returns a string." Eval based macro definition as follows. | makeresults |eval Date="$daterange$" | eval minutes=$seconds$ | eval formattedEarlyts = strftime((strptime(Date, "%Y-%m-%d %H:%M:%S.%3N") - (minutes * 60)),"%m/%d/%Y:%H:%M:%S") | eval formattedLatestts = strftime((strptime(Date, "%Y-%m-%d %H:%M:%S.%3N") + (minutes * 60)),"%m/%d/%Y:%H:%M:%S") | eval timerange= " earliest="+formattedEarlyts+" "+"latest="+formattedLatestts | fields - Date minutes formattedEarlyts formattedLatestts | eval case (1==1,timerange)

Hi Folks,  I'm looking into a blackouts alert that weren't working properly, and the alerts fire for jobs that should be blacked out(ERROR: While inserting Into spm_Delta at line 590 /ERROR DESCRIPTION: ORA-0001 deadlock detected while waiting for resources). Is there anybody can help point me where I should start to fix this problem please. Thanks!

I am looking to upgrade our previous app that was https://splunkbase.splunk.com/app/291/ that has long not been updated since 2011. Upgrading to our new Splunk instance I am looking at our apps and trying to see which ones we want to migrate over. Since this app is so old and might not even make it to 9.0 when we move I am looking for another app. Currently I see this one: https://splunkbase.splunk.com/app/5482/#/overview which has been recently updated and looks promising, but it doesn't say that it is compatible with 9.0.  While comparing I found this one: https://splunkbase.splunk.com/app/4183/#/overview that is compatible with 9.0, isn't Splunk supported nor has been updated since 2020.  Is there a better MAXMIND kind of app or is there any advice on these current ones I found? Maybe the update for 9.0 on the second link just hasn't come out yet and it will soon? Need some community opinions and/or possibly creator updates for those apps?  Thank you!

So scenario is a vm that can ping another vm. 1st vm is linux rhel : I installed splunk enterprise and made it the deployment server  also yes I enabled receiving on 9997 2nd vm is a win 10 64 bit: Installed universal forwarder and did the customize option and put in IP of linux box for receiver and for deployment server. when I got to add data I get this error:  There are currently no forwarders configured as deployment clients to this instance. Learn More  I tried making the deployment server also be the deployment client but according to my reading you can't do that is this right? do I need a third box and make it either my deployment server or deployment client?  

We need to run some scripts from the TA for Unix and Linux but some of them require privileges. Since we arent running Splunk with sudo, each time the script runs returns privileges errors. The scripts we are trying to run are: vmstat.sh and nfsiostat.sh We tried configuring this scripts with suid so they run with owner root, but it is not working. Is there anyway we can run this scripts without running Splunk with sudo?

I have spent days working on this, can someone help?   how to populate previous week results? Also there are different license keys for same errors that is why it is showing 2 entries. I have the following code index=test sourcetype=dhi:testdata ErrorCode!=0 | `DedupDHI` | bucket _time span=1w | lookup table1 LicenseKey OUTPUT CustomerName | eval CustomerName=coalesce(CustomerName,LicenseKey) | stats count as Result by CustomerName,ErrorCode,_time | eventstats sum(Result) as Total by CustomerName | eval PercentOfTotal = round((Result/Total)*100,3) | streamstats current=f latest(Result) as Result_Prev by CustomerName,ErrorCode | eval PercentDifference = round(((Result/Result_Prev)-1)*100,2) | fillnull value="0" | append [ search index=test sourcetype=dhi:testdata ErrorCode!=0 | `DedupDHI` | lookup table1 LicenseKey OUTPUT CustomerName | eval CustomerName=coalesce(CustomerName,LicenseKey) | stats count as Result by CustomerName | eval ErrorCode="Total", PercentOfTotal=100] | fillnull value="0" | lookup table2 ErrorCode OUTPUT Description | lookup table1 LicenseKey OUTPUT CustomerName | eval CustomerName=coalesce(CustomerName,LicenseKey) | eval Error=if(ErrorCode!="Total", ErrorCode+" ("+coalesce(Description,"Description Missing - Update table2")+")", ErrorCode) | rename Result_Prev as "Previous Week Results", PercentDifference as " Percent Difference", PercentOfTotal as "Percent of Total" | fields CustomerName, Error, Result,"Previous Week Results", " Percent Difference" , "Percent of Total" | sort CustomerName, Error, PercentDifference OUTPUT - CustomerName Error Result Previous Week Results  Percent Difference Percent of Total _time customer_1 1002 (Invalid Address State Code. The two digit state code is invalid) 4 0 0 3.361 2022-08-12T00:00:00.000-0500 customer_1 1003 (Invalid Birth Year) 1 0 0 0.84 2022-08-12T00:00:00.000-0500 customer_1 1006 (Invalid UnderwritingState) 1 0 0 0.84 2022-08-12T00:00:00.000-0500 customer_1 1013 (Invalid Drivers License Format) 12 0 0 10.084 2022-08-12T00:00:00.000-0500 customer_1 1013 (Invalid Drivers License Format) 1 12 -91.67 0.84 2022-08-19T00:00:00.000-0500 customer_1 1023 (Invalid Name) 3 0 0 2.521 2022-08-12T00:00:00.000-0500 customer_1 1027 (Invalid UnderwritingState) 87 0 0 73.109 2022-08-12T00:00:00.000-0500 customer_1 1027 (Invalid UnderwritingState) 1 87 -98.85 0.84 2022-08-19T00:00:00.000-0500 customer_1 1305 (Unable to connect to data provider) 9 0 0 7.563 2022-08-12T00:00:00.000-0500 customer_1 Total 119 0 0 100 1969-12-31T18:00:00.000-0500 customer_2 1023 (Invalid Name) 16 0 0 55.172 2022-08-12T00:00:00.000-0500 customer_2 1201 (Lookback Date Not Set / Offset = 0) 1 0 0 3.448 2022-08-12T00:00:00.000-0500 customer_2 1305 (Unable to connect to data provider) 11 0 0 37.931 2022-08-12T00:00:00.000-0500 customer_2 1305 (Unable to connect to data provider) 1 11 -90.91 3.448 2022-08-19T00:00:00.000-0500 customer_2 Total 29 0 0 100 1969-12-31T18:00:00.000-0500 customer_3 1023 (Invalid Name) 3 0 0 20 2022-08-12T00:00:00.000-0500 customer_3 1027 (Invalid UnderwritingState) 11 0 0 73.333 2022-08-12T00:00:00.000-0500 customer_3 9999 (Timeout expired (9999)) 1 0 0 6.667 2022-08-12T00:00:00.000-0500 customer_3 Total 15 0 0 100 1969-12-31T18:00:00.000-0500 customer_4 1003 (Invalid Birth Year) 1 0 0 3.846 2022-08-12T00:00:00.000-0500 customer_4 1013 (Invalid Drivers License Format) 5 0 0 19.231 2022-08-12T00:00:00.000-0500 customer_4 1013 (Invalid Drivers License Format) 1 5 -80 3.846 2022-08-19T00:00:00.000-0500 customer_4 1023 (Invalid Name) 14 0 0 53.846 2022-08-12T00:00:00.000-0500 customer_4 1026 (Drivers License Number is a required field) 3 0 0 11.538 2022-08-12T00:00:00.000-0500 customer_4 9999 (Timeout expired (9999)) 1 0 0 3.846 2022-08-12T00:00:00.000-0500 customer_4 9999 (Timeout expired (9999)) 1 1 0 3.846 2022-08-19T00:00:00.000-0500 customer_4 Total 26 0 0 100 1969-12-31T18:00:00.000-0500

Hi everyone,   State ID APP _time INFO ABC Car 19/08/22 19:51 INFO ABC Car 19/08/22 19:52 INFO DEF Car 20/08/22 19:53 INFO ZZZ Book 30/08/22 19:51 INFO ZZZ Book 19/08/22 19:55 WARN ABC Car 19/08/22 19:56 WARN XYZ Car 20/08/22 19:51 WARN ZZZ Book 19/08/22 19:58 WARN ZZZ Book 19/08/22 19:59 ERROR ABC Car 19/08/22 20:00 ERROR ABC Car 19/08/22 20:01 ERROR XYZA Car 30/08/22 19:51   I have following data as mentioned in table above, and i have to create a statistical analysis for following requirement Find out count of distinct ID By APP for any given STATE   Ex.:  For State=Info, My Results should be: APP Count Car 2 Book 1   For State=ERROR, My Results should be: APP Count Car 2   Currently i am trying like this:       index=testdata | stats count(eval(searchmatch("*INFO*"))) BY APP         But i am Not getting count of  records with Distinct ID.    My Question is: How to use stats command with eval function and distinct function on two separate columns.

Hi, We are trying to integrate gmail logs into our Splunk Cloud instance.  We have tried the 'Splunk Addon for Google Workspace(https://splunkbase.splunk.com/app/5556/)'. The integration was smooth, and we were able to see gsuite header logs in Splunk. But the problem in this case was it eventually generated large bills from Google for the bigqueries. Hence we were forced to disable it temporarily. When we did an analysis, we found that the current approach in this addon is to query all partition at once using the below query: "SELECT * FROM `{gcp_project_id}.gmail_logs_dataset.daily_*` "                     "WHERE event_info.timestamp_usec > {start_time_usec} "                     "AND event_info.timestamp_usec < {end_time_usec} "                     "ORDER BY event_info.timestamp_usec ASC" Instead of querying the whole partition, we would like to query the table of each day, it would massively reduce the cost.  I did raise a support ticket with Splunk on this, and they have confirmed it requires a code change and they cannot assure any timeline for this. Even though we tried to manually edit this part of code and upload it via custom app, it didnt succeed the vetting process.  It would be really helpful if someone could provide me an alternate solution for integrating gmail logs or a way to upload the modified addon. Much appreciated, Archa

I would like to have six intermediate forwarders before indexers.Also i am interested to configure prasing on intermediate forwarders only.can some help me how to configuration. I have done the basic configuration where i am facing parsing quees and tail reader error on IF and traffic is getting blocked. can you please help me solve this problem