What happened to the date_wday, date_hour,  and the others?  Am I going nuts, waking from a dream where they used to be there all the _time? looks like date_mday and date_month are still there... on 8.2.6

Has anyone found a way to look at metrics for stored procedures that are not in the Top 200 queries.  I have been able to narrow the timeframe down to minutes and find some, but that is very time consuming and painful.  Is there an API that would allow us to pull metrics based on stored procedure name.  Or is there a way to increase the number of TOP queries to like 300? Any information related to accessing these low executed stored procedures would be appreciated.

I've been working on a project with JSON in the event where Tags are stored similar to this... { "Name": "example", "Tags": [ {"Key": "Building", "Value": "1"}, {"Key": "Floor", "Value": "2"}, {"Key": "Color", "Value": "Red"} ] } The default extract from spath provided the Tags{}.Key and Tags{}.Value fields which were pretty much useless as-is.  What I wanted was for each tag to be a field on the event so that you could use them in a search, ex. Building=1 AND Color=Red.  But the number of tags varies and the same value could appear in multiple tags (i.e. Building=1 AND Floor=1).    Here's what I came up with so far... I'm curious if anyone has a better suggestion. | rename Tags{}.Key as Key, Tags{}.Value as Value | eval zip=mvzip(Key,Value, ":") | mvexpand zip |rex field=zip mode=sed "s/$/\"}/g" |rex field=zip mode=sed "s/^/{\"tag./g"| rex field=zip mode=sed "s/:/\": \"/g" | spath input=zip | transaction Name This approach basically uses mvzip and mvexpand to pull apart the Tags, then uses rex with sed to rebuild a JSON object to pass back through spath.  It seems pretty complex, but I just can't see a better way to do it. I'm interested to hear if anyone has a better suggestion?

Hello, We currently utilize the Windows Defender ATP v 3.6.0 app in our Splunk SOAR Cloud instance.  I've discovered that the 'run query' action utilizes an outdated advancedqueries api endpoint that does not expose all of the tables available in Advanced Hunting. I'd like to update the 'run query' action to use the advancedhunting api endpoint that has the proper tables exposed.  I'm familiar with the code and where this needs to be updated, but not on how to create a custom version of this app. What is the proper way to customize the app and install it in our SOAR cloud?

Hi Team   I have a query where I am doing the TimeChart & % (not using the timechart and calculate the % in timechart line as this doesn't solve my purpose hence using it this say) The query is working fine however it shows all the data on field and I want to have that field only show top 10  by volume or count Query  index=xyz (catcode="*") (prodid="1") (prodcat="*") success="*" | bucket _time span="1d" | eval TheError=if(success="false" AND Error_Value like "%%",count,0) | eval Success=if(success="true",count,0) | stats sum(TheError) as "Failed", sum(Success) as "Passed", sum(count) as Total by _time, catcode | eval Failed_Percent=round((Failed/Total)*100,2) | fields _time, catcode, Failed_Percent | xyseries _time, catcode, Failed_Percent I don't want to do the 'eventstats' because it will count all on prodid level and not at catcode level hence this query This query counts all false with error on catcode....and count all attempts on individual catcode, then calculate the % with event stats the total count will be not at catcode but all prodid count i.e. all catcode's total attempt's count   Thanks in advance  

Hello community I am trying to set up a search to catch any succesfull logon after x failed within y minutes. However, I am strugling to see how I would build this search. Searching for succesful events is easy, index=<index> status="logged in" As well is finding unsuccesful events index=<index> message="Invalid credentials." status="nog logged"  I figured I could do a count by IP-address and/or username for the failed events, but how do I connect the two and add time? I am assuming this should be some combination of "and"/eval/if and where? Just to get a sense of what I am thinking: index=<index> ... ip-adress WHERE status="logged in" AND (index=<index> message="Invalid credentials." status="nog logged" >3 WHERE delta_time<10min) What I would like is an output with any ip-adress where any successful logon was perceeded by say 3 failed logons within 10 minutes. I am assuming this will be a large and complex search, at least for me, so any suggestions would really be appreciated. Best regards

I am getting the output time but i want to round the  time value for next 10th minute. the excepted output is the rounded_time. can anyone please guide me how to write a query for this File time rounded time 07/19/2022 12:16:48.303 07/19/2022 12:20:00.000 07/19/2022 12:11:36.660 07/19/2022 12:20:00.000 07/19/2022 09:33:48.091 07/19/2022 09:40:00.000 07/19/2022 00:30:24.749 07/19/2022 00:40:00.000