Hello Everyone, I have a table like this: _time value1 value2 30/12/2021 06:30 12.1 25.2 30/12/2021 06:00 12.1 25.2 30/12/2021 05:30 11.2 26.4 30/12/2021 05:00 11.2 26.4 30/12/2021 04:30 12.1 24.5 30/12/2021 04:00 10.6 29.5 30/12/2021 03:30 10.6 29.5 30/12/2021 03:00 10.6 35.2 I want to select distinct of value 1 and get the corresponding _time and value2. When I do:  |stats values(*) as * by value1,  it returns only value1 and value2, no include _time   But I do want to see the _time. Do you have any solution please? Thanks, Julia

Hello, I have a csv file that have 209,946 rows of event as show   After some query to apply some condition, as |inputlookup VCCS_VIB.csv |eval TIME = strptime(Time,"%H:%M %d/%m/%Y") |where TIME>=1656090000 AND TIME<=1659286800 |stats count by TYPE NAME CMND CARDNUM The meaning is I want to find events that between 25/6 and 31/7 and filter out duplicate row that match NAME, CMND and CARDNUM. The query above show 207,460 events (note that all events are between the time constrain), when I order the count column, it show   So there are only two duplicate row -> the final number of row should have been 209,946 - 2 = 209,944, not 207,460. There are over two thousand events missing somewhere. Could anyone show me?

What is the role capability required to view all the indexes in splunk cloud settings? We have below capabilities in place accelerate_datamodel accelerate_search acs_conf admin_all_objects apps_backup apps_restore change_authentication change_own_password cloud_internal customer_cases delete_by_keyword delete_messages dispatch_rest_to_indexers dmc_deploy_apps dmc_deploy_token_http dmc_manage_topology edit_authentication_extensions edit_auto_ui_updates edit_bookmarks_mc edit_cmd edit_deployment_client edit_deployment_server edit_dist_peer edit_encryption_key_provider edit_field_filter edit_forwarders edit_global_banner edit_health edit_health_subset edit_httpauths edit_indexer_cluster edit_indexerdiscovery edit_ingest_rulesets edit_input_defaults edit_ip_allow_list edit_kvstore edit_local_apps edit_log_alert_event edit_manager_xml edit_metric_schema edit_metrics_rollup edit_modinput_journald edit_monitor edit_own_objects edit_restmap edit_roles edit_roles_grantable edit_scripted edit_search_concurrency_all edit_search_concurrency_scheduled edit_search_head_clustering edit_search_schedule_priority edit_search_schedule_window edit_search_scheduler edit_search_server edit_server edit_server_crl edit_sourcetypes edit_splunktcp edit_splunktcp_ssl edit_splunktcp_token edit_statsd_transforms edit_tcp edit_tcp_stream edit_telemetry_settings edit_token_http edit_tokens_all edit_tokens_own edit_tokens_settings edit_udp edit_upload_and_index edit_user edit_view_html edit_watchdog edit_web_features edit_web_settings edit_webhook_allow_list edit_workload_policy edit_workload_pools edit_workload_rules embed_report export_results_is_visible fsh_manage fsh_search get_diag get_metadata get_typeahead indexes_edit indexes_list_all input_file install_apps license_edit license_read license_tab license_view_warnings list_accelerate_search list_all_objects list_cascading_plans list_deployment_client list_deployment_server list_dist_peer list_forwarders list_health list_health_subset list_httpauths list_indexer_cluster list_indexerdiscovery list_ingest_rulesets list_inputs list_introspection list_metrics_catalog list_pipeline_sets list_remote_input_queue list_remote_output_queue list_search_head_clustering list_search_scheduler list_settings list_storage_passwords list_token_http list_tokens_all list_tokens_own list_tokens_scs list_workload_policy list_workload_pools list_workload_rules merge_buckets metric_alerts never_expire never_lockout output_file pattern_detect phantom_read phantom_write read_internal_libraries_settings refresh_application_licenses request_pstacks request_remote_tok rest_access_server_endpoints rest_apps_management rest_apps_view rest_properties_get rest_properties_set restart_reason restart_splunkd rtsearch run_collect run_commands_ignoring_field_filter run_custom_command run_debug_commands run_dump run_mcollect run_msearch run_noah_command run_sendalert run_walklex schedule_rtsearch schedule_search search search_process_config_refresh select_workload_pools upload_lookup_files upload_mmdb_files use_file_operator use_remote_proxy web_debug

Long post, newish to splunk, search strings are still a foreign language to me. So I am tasked with incorporating azure gov into splunk. Splunk support recommended to use a particular app for microsoft cloud services. The app is easy enough to configure and whatnot. But having issue with creating an index for the app and ingesting into splunk. We have the master node/deployment server, 8 indexers, 5 search heads, 2 heavy forwarders. How do i create an index in a index cluster?  I ask because the directions seem easy enough, however there are some hiccups. When I look at our indexes listed in splunk web, it does not match what is shown in the indexes.conf files. Which is in itself an issue. These are the locations that I have found indexes.conf $SPLUNK_HOME/var/lib/splunk    lists all my indexes and their dat files $SPLUNK_HOME/etc/system/default/  the default files $SPLUNK_HOME/etc/system/local/  has a listing of almost 80 indexes, but not all that are in the web portal search head, missing some of the sensitive indexes with naming conventions for systems like our txs and usr like txs_systemlog, usr-firewall, etc.   I went to our master node and the location $SPLUNK_HOME/etc/master-apps/_cluster/local/  to look at what the indexes.conf file says there...but its not present. Yet we obviously have indexes across our cluster. So here are the issues: 1 - This prevents me from creating the needed index "usr-azure" as I do not where to put it. 2 - why are some indexes, like the sensitive ones, not listed in the conf files but are listed in the /var/lib/splunk/ ? 3 - Why is my master node web showing 48 indexes   yet my indexers separately show 99 indexes?     Additionally, another issue. I know we need to use CLI and edit the indexes.conf file for a indexer cluster, but I tried to do it via the web on indexer1, Settings >  Indexes (under Data), and I can click the New Index button. All is good, but when I get to the the App selection, it only lists all the apps. Whereas all the indexes listed show TWC_all_indexes   Q4 - how do i get that for this app setting "TWC_all_indexes" for new index I am creating? I assume it has something to do with the index clustering and a setting on the master node. But I don't even see that option in the indexes.conf file.        

I'm looking for a way to extract a value from the middle of a sting. The value(green) I want is after the first underscore(blue) and before the dash(pink) Example: GET_tres_main.aspx_detail_showall-0

Hi all, I need to get the value Windows 7 from the below string . used something like OS[\n]+([^\n]+) , but then it captures from Value till Windows 7.  Could someone please help me in capturing only windows 7? DeviceProperties: [ [-] { [-] Name: OS Value: Windows 7     

Hello, I have complex JSON events ingested as *.log files. I have issues (or couldn't do) with extracting fields from this files/events. Any help on how to extract Key-Value pairs from these events would be highly appreciated. One sample event is given below. Thank you so much.   2022-07-15 12:44:03 - {     "type" : "TEST",     "r/o" : false,     "booting" : false,     "version" : "6.2.7.TS",     "user" : "DS",     "domainUUID" : null,     "access" : "NATIVE",     "remote-address" : "localhost",     "success" : true,     "ops" : [{         "address" : [             {                 "subsystem" : "datasources"             },             {                 "data-source" : "mode_tp"             }         ],   "address" : [                 {                     "cservice" : "management"                 },                 {                     "access" : "identity"                 }             ],             "DSdomain" : "TESTDomain"         },         {             "address" : [                 {                     "cservice" : "management"                 },   {             "operation" : "add",             "address" : [                 {                     "subsystem" : "finit"                 },                 {                     "bucket" : "TEST"                 },                 {                     "clocal" : "passivation"                 },                 {                     "store" : "file"                 }             ],             "passivation" : true,             "purge" : false         },         {             "operation" : "add",             "address" : [                 {                     "subsystem" : "finit"                 },                 {                     "bucket" : "TEST"                 }             ],             "module" : "dshibernate"         },         {             "operation" : "add",             "address" : [                 {                     "subsystem" : "finit"                 },                 {                     "bucket" : "hibernate"                 },                 {                     "clocal" : "entity"                 }             ]         },         {             "operation" : "add",             "address" : [                 {                     "subsystem" : "finit"                 },                 {                     "bucket" : "hibernate"                 },                 {                     "clocal" : "entity"                 },                 {                     "component" : "transaction"                 }             ],             "model" : "DSTEST"         },         {             "operation" : "add",             "address" : [                 {                     "subsystem" : "infit"                 },                 {                     "bucket" : "hibernate"                 },                 {                     "clocal" : "entity"                 },                 {                     "memory" : "object"                 }             ],             "size" : 210000         },   {             "operation" : "add",             "address" : [                 {                     "subsystem" : "DS"                 },                 {                     "workplace" : "default"                 },                 {                     "running-spin" : "default"                 }             ],             "Test-threads" : 45,             "queue-length" : 60,             "max-threads" : 70,             "keepalive-time" : {                 "time" : 20,                 "unit" : "SECONDS"             }         },         {             "operation" : "add",             "address" : [                 {                     "subsystem" : "DS"                 },                 {                     "workplace" : "default"                 },                 {                     "long-running-threads" : "default"                 }             ],             "Test-threads" : 45,             "queue-length" : 70,             "max-threads" : 70,             "keepalive-time" : {                 "time" : 20,                 "unit" : "SECONDS"             }         },       }] }