I have the following search:     index=sandbox document_type=test-collat-record-json_v2 | where ((isnotnull(test_result)) AND project_short="LNL" AND collateral_type="fw" AND ingredient_type="ifwi_bin" AND ingredient="csme") | dedup test_collat_record_json_guid | join type=inner left=L right=R where L.project_short=R.project_short L.collateral_type=R.collateral_type L.ingredient_type=R.ingredient_type L.ingredient=R.ingredient [search document_type=test-collat-record-summary-json] | table L.collat_record_json_guid, L.project_short, L.collateral_type, L.ingredient_type, L.ingredient, L.version, L.test, L.test_result, R.number_of_tests, R.passing_threshold     I'm joining data from a set of test results and then I lookup info about what a passing set of results should look like from another data source. Hence the join. It's good. It works for me and the result yields the table: So great. Just want to aggregate the results and get counts of passing/failing tests and compare that with the passing_threshold field. So I added:      | stats count(eval(L.test_result=="SUCCESS")) as passingTests count(eval(L.test_result=="FAILURE")) as failingTests values(R.number_of_tests) as numTests, values(R.passing_threshold) as pass_threshold by L.collat_record_json_guid      But the two evaluations of success and failure tests are zero. But from the table above they are clearly not zero. Should be 2 and 1 respectively. What have I done wrong? Is eval not going to work on joined data? I am using the correct aliases for the data.

I created savedsearches.conf file to create a splunk alert and restart the splunk service, but I still can't see the new alert in the UI, I am using the following configuration: Thanks in advance!

I am creating a dashboard to show any new logs that are added to our environment within a period of time. For example - if we started ingesting AWS logs and Azure logs 2 days ago is there a way I can create a dashboard that shows these 2 new ingestions?  I am having trouble making a search query that can display a new value with the name of the recently added index added to the environment. Does anyone have any suggestions on how to solve this? Thanks.

Hello, i have a big doubt about the RF behavior about single and multi site cluster. When a single site is used an hypothetical configuration: Replication Factor=2 is quite easy i have two copies of the same data in the site (originating + copy). And only one peer can goes down In a multi site (example two sites) if i understood, with:  -  site_replication_factor = origin:1,site1:1,site2:1,total:2 - there are two copies (originating site=1 other site=1). Only one peer can be down, is it in total or one at site ? -   site_replication_factor = origin:2,site1:1,site2:1,total:3 - there are three copies (originating site=2 other site=1)  Only two peer scan be down, is it in total or two at site ? Using   site_replication_factor = origin:1,site1:1,site2:1,total:2 means that if i loss the peer in originating site the SHs redirect query to the second site (SF=2) ? Thanks  

Hi Everyone, we have another internal team that is trying to use the API to return some data we built for them. Unfortunately, they aren't able to get the payload but only the headers. Can someone suggest a solution or what we are doing wrong? the below is the response from the splunk API on their call.   Target: https://SomeHost:Port/servicesNS/user/search/search/jobs/export  Request body:         search=search inputlookup somefile.csv | table Day User emp_id Data           Response:         <results preview='0'> <meta> <fieldOrder> <field>Day</field> <field>User</field> <field>emp_id</field> <field>Data</field> </fieldOrder> </meta> </results>            

I want to do a field extraction for my sourcetype under the Fields-> Calculated Fields section. Confused how to draft the if condition to achieve the following logic. Condition. Some events contain  only the userid field, for those, check if it is not null/empty, then fetch the userid field as user or fill unknown Some events contain both userid and cmdid field, in this case (if the event has both these fields) cmdid is the real user field. so the logic in both cases should first compare the existence of those 2 fields and then accordingly derive.