Hello, I have XML files with Multi Line field values and have some issues with extracting those values. Sample field extraction code for first 2 values and sample data/events are given below. Any help will be highly appreciated. Thank you!   Sample code <USER>(?P<USER>.+)<\/USER>\\n\\r<USERTYPE>(?P<USERTYPE>.+)<\/USERTYPE>   Sample Data <MTData>                                 <USER>TEST05GLBC</USER>                                 <USERTYPE>Admin</USERTYPE>                                 <SUBJECT />                                 <SESSION>hp0vtlg001</SESSION>                                <SYSTEM>DS</SYSTEM>                                 <EVENTTYPE>USER_Supervisor</EVENTTYPE>                                 <EVENTID>VIEW</EVENTID>                                 <SIP>10.210.345.254</SIP>                                 <EVENTSTATUS>120</EVENTSTATUS>                                 <EMSG />                                 <STATUS>FALSE</STATUS>                                 <STIME>2022-06-02 19:10:57.967</STIME>                                 <VADDATA>2019:00-00002; 2019:00-0000002; 2019:00-00003</VADDATA>                                 <TIMEPERIOD />                                 <CODE />                                 <RTYPE />                                 <DTFTYPE />                                 <DIP>10.225.35.45</DIP>                            <DEVICE>Laptop</DEVICE>                 </MTData>                   <MTData>                                 <USER>TEST06HLDC</USER>                                 <USERTYPE>Power</USERTYPE>                                 <SUBJECT />                                 <SESSION>hp2ftlg021</SESSION>                                <SYSTEM>Test</SYSTEM>                                 <EVENTTYPE>USER_MANAGER</EVENTTYPE>                                 <EVENTID>Update</EVENTID>                                 <SIP>10.210.345.254</SIP>                                 <EVENTSTATUS>122</EVENTSTATUS>                                 <EMSG />                                 <STATUS>TRUE</STATUS>                                 <STIME>2022-06-02 19:20:57.967</STIME>                                 <VADDATA>2019:00-00012; 2019:00-0000002; 2019:00-00024</VADDATA>                                 <TIMEPERIOD />                                 <CODE />                                 <RTYPE />                                 <DTFTYPE />                                 <DIP>10.225.35.45</DIP>                             <DEVICE>Laptop</DEVICE>                 </MTData>  

A scheduler issue may be described as: - reduced number of completed scheduled searches running during certain periods - scheduler locks up and doesn’t run any scheduled searches for a period of time - high number of skipped/deferred scheduled searches How can I provide Splunk Support the right diagnostics to solve my problem and determine root cause? 

I am befuddled why the below two searches return different counts for the same period of time. The tstats one returns a smaller count. I would expect them to be the same number with tstats just finishing faster. Anyone have thoughts on this?     | tstats count where index=* index!=_*     and     index=* index!=_* | stats count      

Uploading Splunk-Enterprise-Security package (800MB .spl file) from user machine to deployer via deployer web UI results in the following exception: 413 Request Entity Too Large nginx environment: Environment is Azure AKS Search Heads behind NGINX Ingress controller attempted to add the application via the Deployer instance Upload Page. Click Upload and it fails instantly with: 413 Request Entity Too Large nginx

hi I am fairly new to Splunk and inherited an environment and would like to know why some of our Dashboards source code starts with the <dashboard> tag where others don't have that tag and start with the <form> tag furthermore if I add the <dashboard> tag above the <form> tag (of course terminate it at the end of the code as well with </dashboard>) I get the following Alerts / error: This dashboard has no panels. Start editing to add panels.

Hello Splunkers,  I have a query as follows    My query blah blah blah |stats latest(description) as description latest(result) as result latest(object) as object by host source _time   which gives the result as follows    As highlighted with yellow color on the above results there are two different time values one under _time and the other under description.    Now I want to filter the results for the hosts that has more than 24 hours in the difference between _time and the time in the description. Something like below  difference time = (_time - time_in_the_description) > 24 hours 

Dear Community, I would like to get some assistance and/or clarification regarding Splunk’s base-search/post-processing functionality. I have read it/heard that using one base-search and post processing instead of several similar queries is cost effective, we can save SVCs (splunk virtual computes) with it. In practice, unfortunately I have experienced quite the opposite: Let’s say, I have a dashboard (call it “A”) with these queries:       index="myIndex" "[OPS] [INFO] event=\"asd\"" | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | stats dc(user_id) as "Unique users, who has logged ..." index="myIndex" "[OPS] [INFO] event=\"asd\"" | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | timechart count by result index="myIndex" "[OPS] [INFO] event=\"asd\"" | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | dedup user_id | timechart span=1h count as "per hour"| streamstats sum("per hour") as "total" index="myIndex" "[OPS] [INFO] event=\"asd\"" | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | timechart dc(user_id) as "Unique users" index="myIndex" "[OPS] [INFO] event=\"asd\"" | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Failed" AND reason != "bbb" | timechart count by reason       I cloned this “A” dashboard (let’s call the clone “B”). I got some issues, like I got no data, or the numbers were different on “B” than “A”, but after some googling, reading Splunk community, I managed to get the same results on “B” with: A base search:       index="myIndex" "[OPS] [INFO] event=\"asd\"" | stats count by user_id is_aaaaa_login environment result reason _time       Post-processes:       search | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | stats dc(user_id) as "Unique users, who has logged ..." search | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | timechart count by result search | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | dedup user_id | timechart span=1h count as "per hour"| streamstats sum("per hour") as "total" search | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | timechart dc(user_id) as "Unique users" search | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Failed" AND reason != "bbb" | timechart count by reason       I have added ‘refresh=”180”’ to the top of these two dashboards and leave them open in my browser for about one hour (and the common date-picker was set to “last 24 hours”). After this, I was surprised when I saw that dashboard “A” in “Splunk App for Chargeback” consumed around 5 SVCs while dashboard “B” used around 15 SVCs. So the dashboard with the base-search was way more expensive than the “normal” one. I thought that it will be much cheaper. Why is that? Did I construct my base/post-process queries badly? If yes, what should I change? I searched a lot, I found only one comment on Splunk community here: https://community.splunk.com/t5/Dashboards-Visualizations/Base-Search-for-dashboard-optimization/m-p/348795 “However, I do not recommend it when dealing with large data because base search is slow.” which implies that maybe base search is not always a cheaper solution?! So I executed only my base-search in Splunk for a 24 hours interval, it gave back a table with around 3,000,000 rows. Does this mean a large data set? Should I forget using base-searches? Thank you very much for your help!

Need some help. I can't wrap my head around this. Need to lookup a csv which contains clientip, and compare against my results with IP also in field clientip to show in a new column as matching or not matching  | index=foo  .... [|inputlookup IPlist.csv | fields clientip | rename clientip AS knownIP] | eval isMatching = if(clientip == knownIP, "matching", "notmatch") | table clientip, field x, field y, field z, isMatching Am I way off base here? Should I be looking at other commands? I get zero results with this. Without it, my main search runs fine and many events with IPs show. Much appreciated