Hello everyone ! After a few hours of research i come ask your help. Here is my data : Username_column clientip_column username1 xxx.xxx.xxx.xxx username1 xxx.xxx.xxx.xxx username1 xxx.xxx.xxx.xxx username1 yyy.yyy.yyy.yyy username2 xxx.xxx.xxx.xxx username2 zzz.zzz.zzz.zzz username3 yyy.yyy.yyy.yyy username3 xxx.xxx.xxx.xxx   So, what i would like to do is to create another column called "countUsername" which contain the number of usernames by clientip without duplicates (of usernames). Here is my dream table (what i want) : Username_column clientip_column countUsername username1 xxx.xxx.xxx.xxx 3 username1 xxx.xxx.xxx.xxx 3 username1 xxx.xxx.xxx.xxx 3 username1 yyy.yyy.yyy.yyy 2 username2 xxx.xxx.xxx.xxx 3 username2 zzz.zzz.zzz.zzz 1 username3 yyy.yyy.yyy.yyy 2 username3 xxx.xxx.xxx.xxx 3   I tried various of things like : | eventstats values(count(Username_column)) as countUsername by clientip_column  creating a multivalue column and trying of mvdedup(). combine my Username_column and my clientip_column like so : | eval countUsername=Username_column. " " . clientip_column  and doing lots of things on that, if(mach)), regex, ... But everything that i tried didn't work. The best thing that i can get is : | eventstats count(Username_column) as countUsername by clientip_column  But with this line, my usernames are duplicated. (like the table bellow, i tried some things with this result but no results on my side) Username_column clientip_column countUsername username1 xxx.xxx.xxx.xxx 5 username1 xxx.xxx.xxx.xxx 5 username1 xxx.xxx.xxx.xxx 5 username1 yyy.yyy.yyy.yyy 2 username2 xxx.xxx.xxx.xxx 5 username2 zzz.zzz.zzz.zzz 1 username3 yyy.yyy.yyy.yyy 2 username3 xxx.xxx.xxx.xxx 5   Maybe you are wondering why i'm using eventstats instead of stats. The reason is that before this line, i have a large search with multiple stats commands, and if i don't use eventstats, all my others columns at the end of my large request won't show up. Kind regards,

Hi everyone, I'm sure this is a question that's been answered before, but my google-fu is failing me.  I am running Splunk Cloud 8.2 (Victoria), Salesforce App for Splunk version 4.11, and Splunk Add-on for Salesforce version 4.4.0-1651043262.  I have the Salesforce app configured and data inputs set and I have data in my index from all the sources: What I don't have, however, is literally any data populating any of my dashboards: I'm wondering if it has anything to do with the lookup tables being broken: Could not load lookup=LOOKUP-SFDC-USER_NAME I have enabled the saved search and run it, successfully (per the Add-on docs); however, the App docs have saved Lookup searches that, when I run, don't return data: So the lookups aren't populated.  Also there are only 3 lookups, not 4 like in the docs.  I'm sure I'm missing something *very* simple; but anyone have any ideas?

Hello,  In ES when we run the following macro for Last 30 mins or Last 24 H time range,  splunk ends up displaying results from all the way back in time as in last 6 months data as well.  Why is that so ?  Its as if its completely ignores the date/time range whatever we specify.   BTW,  This is Out of the box macro.         |`incident_review` | table _time owner rule_id rule_name status_label          My requirement is to show  the Notables triggered based on the date range we select. Secondly, does anyone know how to show  Number of Incidents (Notable alerts) worked on by each SOC analyst ?   Basically i m trying to generate performance metrics of each analyst, how many alerts they worked on, time to close each alert etc, details of each status change etc.    The default provided SOC operations dashboard sucks.

I am trying to use a search to find fields that I want to use in another search as a table field. The first search should return all fields that are used in a datamodel. This looks like this:     | datamodel "Authentication" | spath output=foo path=objects{} | spath input=foo output=calc_field path=calculations{}.outputFields{}.displayName | spath input=foo output=field path=fields{}.displayName | eval fields = mvappend(calc_field , field) | mvexpand fields | table fields         Then I want to use the list of fields in the table command. I do this for the reason to be able to check the coverage of the CIM fields in the search. Unfortunately, so far without success, so I am grateful for all ideas and any kind of input. My first guess was something like:     index="main" sourcetype="XmlWinEventLog" tag="authentication" | table [ | datamodel "Authentication" | spath output=foo path=objects{} | spath input=foo output=calc_field path=calculations{}.outputFields{}.displayName | spath input=foo output=field path=fields{}.displayName | eval fields = mvappend(calc_field , field) | mvexpand fields | format "" "" "," "" "" "" | rex mode=sed field=search "s/fields=//g" | rename search as table ]        

I have a CSV with numerous fields with bad field names. They have spaces and special characters such as up and down arrows. I don't know ahead of time what the field names will be. How do I locate and rename all of them to more "safe" Splunk field names that work easily in all Splunk commands without funky syntax?

Hi, I have a json coming from CI with this template : {"source":"1","sourcetype":"json","event":{"type":"build","id":"061","durartion":"48","run_id":"1","paths":["value1",".value2","value3"]} the filed are listed in splunk as: id, duration, sourcetype, paths{} and i can list all the values but my issue is i want to count paths{} (more then 11k values)  I tried using mvcount as  | eval totalpaths = mvcount(paths) retuns nothing | eval totalpaths = mvcount(paths{}) return 1 is there a way how i can return the number of total path ?  how i can list all paths ? I tried using  | stats values(paths{}) as paths | stats count(eval(paths)) AS totalbazelpaths returns 378 while the actual value is above 11k.  when expanding paths{} field I can see all 11k paths. what im doing wrong here? thanks    

I have newly installed latest version of the Splunk Supporting Add-on for Microsoft Active Directory on Splunk ES. Firstly, no matter how many times, I click on the "+" sign to add new domain, nothing happens. Even if I add details on the default section and click "test connection", literally nothing happens. The last time I had worked on this addon was 4-5 years ago, even then its UI behavior was weird, but at least then the connection test use to be working but not it seems to have become even more terrible. Despite so many versions, I don't know what improvements they have exactly made. Can anyone please help in how to fix this ?

Hi, I have a multi-value field numbers with each of its values in the format of two numbers separated by a comma (for example 52,29).  For all of these values, I want to have an if statement that does a comparison on both the first number and second number and then return either "true" or "false".  Currently I have been using the foreach loop with the multi-value mode. However, when debugging why I am receiving the error below, I found that the default template value <<ITEM>>  appears to always return null instead of the values of numbers (isnotnull('<<ITEM>>') returns False). Shown below is how I am trying to extract the leftmost number using regex with replace and then check if it is greater than 5. Is there something wrong with this search? | foreach mode=multivalue numbers     [| eval results=if(tonumber(replace('<<ITEM>>'),  ",\d+",  "")) > 5, "true", "false")]   This is the error I get for the search above:   Thanks in advance.

I run this query to extract all IP address from the events. There are multi ip based on one event. index=* | rex max_match=0 field=_raw "(?<ipaddr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | dedup ipaddr | table _time, ipaddr   The result is as below, My question is, how to exclude private IP from the the result? Thanks!