Hello community I am trying to combine two different things and cannot figure out how. I am looking at a certain action and counting how many times this is observed per IP address and day. Then I’m plotting per IP by day to try to find recurring events based on IP address. I got this far: <base-search> earliest="-7d@d" latest="@d" | chart count over ip by date_wday Which does exactly what is intended, tough the details are lost as there are a lot if single events per IP address. So, I’d like to filter out any IP address with only 1 event during the period (here one week). This works fine for filtering: | stats count as sum by ip | search summa > 1 But then I loose the details needed for the chart part. I figured maybe I could use eval to filter out based on total count but could not put together anything which worked. Even when I tried to combine stats and eval I either failed or ended up with something which could not be presented graphically. Any suggestions are more than appreciated Best regards // G

Hi All, I am trying to create an efficient way to pull out certain win events for my report but I am not sure it would return the results I want. It truncates some of the results. I might be doing something wrong. Please see the code that I am currently running and suggest an improvement. Thank you all!   index=mbda_windows_server sourcetype=XmlWinEventLog EventCode=4718 OR 4728 OR 4729 OR 4730 OR 4732 OR 4733 OR 4756 OR 4757 OR 4762 OR 4796 OR 5136 | dedup src_user, MemberSid, Group_Domain, Group_Name, host, _time  | convert timeformat="%d/%m/%Y %H:%M" ctime(_time) | rename src_user AS Login, MemberSid AS Account, Group_Domain AS Domain, Group_Name AS Group, host AS Host, _time AS Min_NormDateMin, name AS EventName | table Login, Account, Domain, Group, Host, Min_NormDateMin, EventCode, EventName | sort EventCode

How many values are allowed in an IN clause which is part of where clause? I want to read 277 values to be precise. index=abc sourcetype="ccinfrap.dc_pqr_jws:app" "[SubscriptionService] Consumer sent message" "Not Predicted to Finish" | rex mode=sed "s/^.*message {/{/" | rex mode=sed "s/\n}.*/\n}/" | spath | fillnull jobStreamName value="BLANK" | where jobStreamName IN( "stream1" ,"stream2" ,"stream3" . . ,"stream277" )

Hi everyone,  I am new to Splunk and I am learning as I go. I'd like to know if anyone has any idea what I am doing wrong here because it is supposed to return 36 events but I am getting 36 events but column 1 (FULLNAME) just keeps giving me more with empty columns for the rest. I just wished it would stop the FULLNAME column at 36.    index=....firstSearch.....CLOSEDATE="*" (TYPE=10 OR TYPE= 11) | rename ID as UNIQUE_ID | dedup PARENT UNIQUE_ID | eval CLOSEDATETIME=strptime(CLOSEDATE, "%Y-%m-%d %H:%M:%S") | eval from_date=relative_time(now(), "-10d" ) | eval to_date=relative_time(now(), "-3d" ) | where CLOSEDATETIME >= from_date AND CLOSEDATETIME <= to_date | fields PARENT UNIQUE_ID DESCRIPTION CLOSEDATE | table PARENT UNIQUE_ID DESCRIPTION CLOSEDATE | appendcols [search index= ...secondsearch... TYPE=0 | eval FULLNAME=FIRST." ".LAST] | fields FULLNAME PARENT UNIQUE_ID DESCRIPTION CLOSEDATE | table FULLNAME PARENT UNIQUE_ID DESCRIPTION CLOSEDATE   Any help greatly appreciated. I am so stuck on this and I don't understand why column 1 (FULLNAME) just keeps giving me more than the necessary 36 events and keeps giving me more full names with blank parent numbers and all of the other columns (UniqueID, description, closedate) beyond 36 number of records (events). Eventually I will need to do another appendcols because I only need one column to append it to the overall table at the end. Is this a good approach? join are too costly and it is not giving me what I need. This is the closes thing that is working so far. Thank you and have a good day,   Diana

My actual query as all this data.   but after i use transpose  | sort by _time desc | eval mytime=strftime(_time, "%B %d %Y") | fields - _* | transpose header_field=mytime I only see the result for first 5 columns    How can i make transpose work for all more than 5days of data Also is there a way to generically format the color. Because the date changes. 

So I have a field (plugin_output)that has a paragraph of hardware info as one value. The only part of the value I'm concerned with is the "Computer SerialNumber". Is it possible to break this value down into multiple values? I've tried field extraction with no luck, it may be possible to do a string search, but I would also need variables to account for the actual serial number value I want. <plugin_output> Computer Manufacturer : VMware, Inc. Computer Model : VMware7,1 Computer SerialNumber : VMware-65 6d 69 60 3b 89 2a a0-3b 4e bb 3f 2a 95 2f 49 Computer Type : Other Computer Physical CPU's : 2 Computer Logical CPU's : 4 CPU0 Architecture : x64 Physical Cores: 2 Logical Cores : 2 CPU1 Architecture : x64 Physical Cores: 2 Logical Cores : 2 Computer Memory : 8190 MB RAM slot #0 Form Factor: DIMM Type : DRAM Capacity : 8192 MB </plugin_output>

I have a basic SPL using mstat but I can't use treills with it? Any ideas why I can't select "severity"       | mstats count("mx.process.logs") as count WHERE "index"="murex_metrics" BY severity            

Hello, we have issue reindexing archives as gz files even using crcSalt = <SOURCE> or crcSalt = REINDEXMPLEASE We CAN'T go on each UF and clean fishbucket.   UF (V7.1.4) linux splunkd.log : 07-19-2022 18:19:09.129 +0200 INFO ArchiveProcessor - Handling file=/var/log/MAJ-OS.log-20220601.gz 07-19-2022 18:19:09.130 +0200 INFO ArchiveProcessor - reading path=/var/log/MAJ-OS.log-20220601.gz (seek=0 len=1356) 07-19-2022 18:19:09.281 +0200 INFO ArchiveProcessor - Archive with path="/var/log/MAJ-OS.log-20220601.gz" was already indexed as a non-archive, skipping. 07-19-2022 18:19:09.281 +0200 INFO ArchiveProcessor - Finished processing file '/var/log/MAJ-OS.log-20220601.gz', removing from stats It also says "new tailer already processed path..." inputs.conf app from deployment-apps (V8.2.2) : [monitor:///var/log/MAJ-OS.log*] blacklist = archives disabled = false index = inf-servers sourcetype = MAJ-OS crcSalt = <SOURCE>   Thanks for your help.