I have a search that is generating the results like below. I need a search where if TAC, CellName and Date are same in 2 rows, it would remove those rows where SiteName and Address is "NULL", and if the TAC, CellName and Date are different in 2 rows, rows with "NULL" value for field SiteName and Address remains.  

Hi, Can someone suggest to me a method to ensure, my scheduled report will run without being skipped. Cron = 8,18,28,38,48,58 * * * * with a schedule window of 15 minutes. I use a custom timeframe larger than required to cater for when the report is skipped. Generally the report will run 2 times an hour sometimes 3, but at times does not run for a full hour. When I run the report adhoc, it takes less than a minute.

Hi, I want the alert to trigger if there are extracts where TOTAL_PIECES >0 and RETRIEVAL_ATTEMPT= 10 Is there anybody can help with this please? My search is, index=A source=B sourcetype=c | fillnull value=0 TOTAL_PIECES RETRIEVAL_ATTEMPT | where RETRIEVAL_ATTEMPT= 10 | rename "SASP_CTRL_SEQ_NBR" as "Extract_Seq_ID" ,"IV_STS" as "IV_Status", "RETRIEVAL_ATTEMPT" as "Retrieval_Attempt","PSTG_STMT_N" as "Pos_St","TOTAL_PIECES" as "Piece_Count" | table "Extract_Seq_ID","IV_Status","Retrieval_Attempt","Pos_St","Piece_Count"  

Hello Splunk Community, History of problem: I recently was trying to update OSSEC agents and some needed to be reinstalled to be fixed. So in my plan of action for targeting, the main OSSEC server got targeted and reinstalled as an agent instead, thus having me to reconfigure everything becauase we did not have a backup. After a weekend of configuration recovery, all 100+ agents got reconnected and authenticated with new keys and updated configs for both the server and agents. Everything is connected and communicating, reporting alerts to the alerts.log, local_rules.xml file is updated. We use Splunk Forwarder to forward the logs and we get log information, but it looks like it's not being processed correctly....this is our issue. Problem and End-Result Needed: Splunk is receiving information from OSSEC server but the data is having trouble being processed by the IDS data model. Splunk field for Log "sourcetype" seems to be the root of the issue. We need to have Datamodels process this information or have the Splunk OSSEC add-on properly configured because we have the path on the splunk server, but not fully configured: /opt/splunk/etc/apps/Splunk_TA_ossec/ What we noticed in Splunk search: Before Sourcetype=alerts Current needing fix Sourcetype=alerts-4 and Sourcetype=alerts-5 IDS (Intrusion Detection) Splunk data model needs to process logs by severity and update the dashboard accordingly Splunk Add-on is not properly configured Some pictures are attached of the issue. --------------------- Resources --------------------- https://docs.splunk.com/Documentation/AddOns/released/OSSEC/Setup https://docs.splunk.com/Documentation/CIM/5.0.1/User/IntrusionDetection https://docs.splunk.com/Documentation/AddOns/released/OSSEC/Sourcetypes

Below is the sample input for my search   BusinessIdentifier : 09 ***** MessageIdentifier : 3308b7dd-826c-4e98-8511-6a018c5f8bcc ***** TimeStamp : 2022-03-16T11:08:30.013Z ***** ElapsedTime : 0.25 ***** InterfaceName : NLTOnline ***** ServiceLayerName : OSB ***** ServiceLayerOperation : CreateQPBillingEvents ***** ServiceLayerPipeline : requestPipeline ***** SiteID : ***** DomainName : ***** ServerName : DEVserver ***** FusionErrorCode : ***** FusionErrorMessage : ***** <Body xmlns="http://schemas.xmlsoap.org/soap/envelope/"><com:createQPBillEvents xmlns:com="com.alcatel.lucent.on.ws.manager"> <com:ACTION_DATE>2021-08-30T23:59:59+08:00</com:ACTION_DATE> <com:ADR_BLDG_TYPE>HDB</com:ADR_BLDG_TYPE>   =============   I need to extract the values of the below    ElapsedTime : 0.25   InterfaceName : NLTOnline ServiceLayerName : OSB   ServiceLayerOperation : CreateQPBillingEvents  ServiceLayerPipeline : requestPipeline  Using xmlkv its not working. can someone help to provide the right command?

Hi can anyone think of a way to get Splunk versions reported from universal forwarders when in a Intermediate forwarder environment. I have tried searches like  index=_internal sourcetype=splunkd group=tcpin_connections but it only returns the agent version of the intermediate layer, not the UF versions behind it. Are there any commands that can be deployed via to each UF to collect that information?

I have scheduled a Splunk report and set the search Time frame as Previous Week. The report I am getting is for Sunday to Saturday results. But I want the search to happen from Monday to Sunday results (Previous week). Please help here.

I have a search that counts  the vulnerabilities for a given team and places them on a Bar chart on a dashboard based on the "Risk" field to display how many Critical, High, medium or low events. Problem I have is that not all teams have all 4 levels of vulnerabilities so the graphs look a bit rubbish. Some only have one level, others have 3 or 4 and the graphs only show the vulnerabilities that have a value I would like to always have Critical, High, Medium AND Low on the x-axis for every team even though the value for these may be Zero. For example, if a team has 5 Mediums, the graph only shows one bar. How to I create a Bar chart that shows: Critical =0 High=0 Medium =5 Low=0 Thanks