Hi Splunkers, I spent a long time trying to figure out this story where:  I need to create a new alert under name (failed-handshake) in the custom email template to notify tech arch teams if we receive handshake errors in the web logs. The base search: index=X sourcetype=Y "Failed handshake due to 15 seconds timeout on channel"   I had some of these errors on 6/10, so I need to adjust the time range to build/test search and alert. The alert should display: 1) the host  2) the number of handshake errors 3) the time of the first instance of the error on the host 4) the time of the most recent instance of the error on the host Is there anybody can help with  this please?  

I have created a dashboard panel which displays events from a firewall log.  Importantly, this panel is intended to show a request within the context of other requests around it.  Filtering isn't desirable, as that removes the request from the context. the dashboard uses the search:        [ search index=firewall src_ip=$src$ dest_ip=$dest$ | eval earliest = min(_time)-60 | eval latest = max(_time)+60 | table earliest, latest ] index=firewall dest_zone=external src_ip=$src$ | sort _time asc | table _time src_ip dest_ip InitiatorPackets InitiatorBytes ResponderPackets ResponderBytes URL SSLServerName URLReputation URLCategory sourcetype       This search can result in many rows and the panel paginates them as expected.  However, because the panel is displaying results from both before and after the event in question, that event is likely to end up somewhere in the middle of the results and on a page after the first.  Is it possible to search within these results and have the panel automatically jump to the page where the expected result is displayed?  E.g. if the request with the matching $src$ and $dest ip addresses is on page 3, then after the panel loads the data, it auto-navigates to page 3?  As a secondary question, is it possible to add a search box to the panel which would allow searching within the table and jumping the panel to the page with the expected result?  E.g. I have some sort of text box above just that panel.  If I type 'foobar.com' in the textbox, the panel jumps to the first page where 'foobar.com' is seen in the SSLServerName column?

Hi, I have Splunk 8.1.4 with Splunk Add-on for CISCO ESA 1.5.0. I also have the old  app Cisco Secuirty Suite that even though it does not support Splunk 8.1.4, it shows results so I planned to get inspired by its query for Message tracking--> Transaction details.   index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="*" dest_interface="*" policy_direction="*" subject="*TEST*"   I think the ESA events are getting correctly to Splunk, I use Syslog Connector for Splunk.  The test I performed is the following : 1. send an email from my corporate email to GMAIL with the subject TEST 2. simply reply from gmail. With the above query I would expect to see two events but I only see the outgoing event. I tried to filter by recipient and it thrown zero results.   index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="xxxx@yyy.zz" dest_interface="*" policy_direction="*"   If I do a simpler query without the transaction command, I can see an event with the right internal recipient which corresponds to the incoming email that I could not find previously. But in that event there is no field subject.   index=cisco eventtype=cisco-esa recipient="xxxx@yyy.zz"   Could someone help me out with some query that consolidate inbound /outbound emails with filtering capabilities? thanks

I have a use case where once a particular datetime is entered as input on the dashboard. Need to show search log results panel from two time frames side by side.   say if the entered value is "07/06/2022:14:00:00" 1) -1hr from the time period entered (here in this case "07/06/2022:13:00:00 -"07/06/2022:14:00:00" 2) From the time period entered to till now (here in this case "07/06/2022:14:00:00 -NOW" I am capturing the datetime entered as a timetoken how to set another time token relative to the value entered on screen in dashboard? so that i can use both these tokens as earliest and latest for the first usecase. Thanks

Hello, the request below works perfectly thanks to the help found on this forum. Now I would like to automate this request to have it every week to receive it as a weekly report. I have tested the time range options but I have the impression that it is not consideration | inputlookup file1.csv | rename count as "file1" | append [| inputlookup file2.csv | rename count as "file2" ] | append [| inputlookup file3.csv | rename count as "file3" ] | append [| inputlookup file4.csv | rename count as "file4" ] | append [| inputlookup file5.csv | dedup _time | rename count as "file5" ] | append [| inputlookup file6.csv | rename count as "file6" ] | where _time > strptime("2022-06-26","%Y-%m-%d") AND _time < strptime("2022-07-04","%Y-%m-%d") | stats values(*) as * by _time | addtotals col=t row=f label=Total labelfield=_time   Thanks  

Problem replicating config (bundle) to search peer ' hostname:8089 ', Upload bundle="/SPLUNK/splunk/var/run/EF6-16xxx567.bundle" to peer name=hostname uri=https://hostname:8089 failed; error="Cannot resolve hostname". I constantly see this error on my search head. What causes this and how do I go about fixing it. Other files are being replicate except this bundle even though size if also only 75 MB just like other bundles.

Hi All,      I am trying to fetch events by comparing two conditions where i am  unable to do that. I have sample log like this: [15:53:12.172] [WARN ] [] [c.c.n.t.e.i.T.ServiceCalloutEventData] [] - channel="null", productVersion="2FE1-5634ab725", apiVersion="V1", uuid="2Fedec2-16f0-4988-b1fa-68db0c565a9f", eventDateTime="2022-07-11T05:53:12.172Z", severity="WARN", code="ServfefrventData", component="wDEGG", category="integrational-eFsdal", serviceName="Details", eventName="_RESPONSE", message="CadfSFDresponse",  start="1657518790580", stop="1657518792172", elapsed="1592", exceptionInfo="null", url="https://scdssfg.com/npp-mms/v1/mandates/actions/DVd", httpResponseCode="500", priority="NORM", servicingAgentBIC="CTBAAUSNXXX", swiftMessagePartnerBIC="RESTMP1", messageIdentification="beb727a900dd11edaf1a69ae7e224ce5", mandateIdentification="111536a1519111ec9bb20e6904f27a9e", returnCode="APS.API.6544"  I need to fetch all the events with all httpstatuscode and compare with returncode and then decide the severity type. For all statuscode type cannot differ but for only 500(httpstatus code)based on returncode the severitytype would differ. So i need to write query for httpstatus code when it hits 500 it has to check return code and for remaining no need to check any returncode.   index=a_audit |rex field=log "eventName=\"*(?<eventName>[^,\"\s]+)"|rex field=log "serviceName=\"*(?<serviceName>[^\"]+)"|rex field=log "severity=\"*(?<severity>[^\"]+)"|rex field=log "exceptionInfo=\"*(?<exceptionInfo>[^\"]+)"|rex field=log "httpResponseCode=\"*(?<httpResponseCode>[^\"]+)"|rex field=log "returnCode=\"*(?<returnCode>[^\"]+)"|stats count by eventName serviceName severity exceptionInfo httpResponseCode returnCode|search serviceName="Details" AND eventName="RESPONSE" AND (severity=ERROR OR severity=WARN) |eval severityType=(httpResponseCode=400 OR httpResponseCode=401 OR httpResponseCode=403 OR httpResponseCode=404 "FATAL") AND (httpResponseCode=500 IN (returnCode=APS.API.6544) |where count>1   i cant able to compare 2 conditions for same field.Can you help me on the same.

is the below statement correct ? When importing the same file:- by default, same files are determined by "the hash value calculated from the first 256 bytes of the file", but if the difference is "20MB even if they are the same file", then the file will be imported. 

Hello, I have a heavy forwarder install on a server to monitor a certain log file. We used to read that log just fine, but after some bug fixed about log generation(on server side) and that server restart, I can't read that log file at all.  Our inputs.conf was           [monitor:///data/ESB/ACH/LOG/] disabled = 0 sourcetype = napas.itso.app.achlog index = napas.ach.app.log           And it still can read all the logs file in there, but can't read the one that we need. I have restarted the agent, restart the server and restart splunkd connection but it still can't read the one that we need. We can read /data/ESB/ACH/LOG/iib_log_summary_2022-07-12.log but can't read /data/ESB/ACH/LOG/iib_log_detail_2022-07-12.log   We check the read permission on both file but they're the same. How can I troubleshoot it?

Hi, When I run a search against an index in smart/verbose mode, I am getting the below error with zero results, "Some events were removed by Timeliner because they were missing _time" However, when the same query is run in fast mode I am seeing results. Is there anything wrong with the time of the logs coming in? How should I fix this?

Hi,  Recently my team setup our ITSI environment and had a few service templates and KPI base searches created. When i try to create a new service and link it to a service template i tell it to backfill the KPIs. Everything up to this point looks great and the KPIs as well as the service analysis page display everything in the backfill as being healthy but nothing under the KPIs is displaying beyond the time i created the service and eventually everything returns to saying N/A.  Ive discovered that the KPI search acceleration using the summary index does not seem to be working. When i run the raw search everything will display. How do i get the itsi_summary index to be populated with the correct information? 

I am trying to include dynamic names for a notable event that I have triggering. When I try to use $variable$ it just shows that and does not pull the field value. My search: index = o365 sourcetype="mscs:azure:eventhub" body.operationName="User Risk Detection" "body.properties.riskLevel"=high | rename body.properties.userDisplayName AS "Display Name"   My Name: Office 365 Risky User Detected - $Display Name$ Can anyone help?