Hi everyone,   basically I am trying to count how many unique customers I had in a period and that worked well with dc(clientid). Until I wanted to know "How many unique Customers do I have by product group"           |stats dc(clientid) as Customers by year quarter product_toplevel product_lowerlevel           which, when for example looking at only 1 specific client who purchased 3 products within one group can return entries like year quarter product_toplevel product_lowerlevel Customers 2022 1 Group A Article 1 1 2022 1  Group A Article 2 1 2022 1  Group A  Article 3 1   Now Splunk is not wrong here. Looking at each product there is 1 unique customer. However if I were to sum up the Customers-column it would look like I have 3 Customers in total. I would much rather have it return the value "0.3" for "Customers" in the above example so that I can export the table to excel and work with pivot-tables while retaining the 'correct' total of unique customers. For that purpose I intend to use eventstats to create a sort of column-total and then divide the value of Customers by that column total. But I can not figure out how to do it. Any ideas?

HI, I want to disable multiple alerts/reports using curl (TA-webtools)..so basically my results look like below- title app id report1  app1 https://abc.com:8089/servicesNS/nobody/app1/saved/searches/report1 report2  app2 https://abc.com:8089/servicesNS/nobody/app2/saved/searches/report2 report3  app3 https://abc.com:8089/servicesNS/nobody/app3/saved/searches/report3   How I can disable all id alert/reports in single query? any help is appreciated! @jkat54 

I have a query that must search 9 weeks of data, and then applies a filter against a single field (dv_opened_at) looking for specific events that occurred within an 8 week period.  Initial 9 week search is necessary to catch events that were modified after the end of the last week, yet had a dv_modified_at time within the last 8 weeks.  query     index=cmdb (dv_number=* OR number=*) dv_state=* dv_assigned_to[| inputlookup cmdb_users.csv| table dv_assigned_to ] earliest=-8w@w latest=now() | table _time number dv_number dv_opened_at dv_assigned_to dv_short_description dv_watch_list dv_sys_updated_on dv_state close_notes | dedup number | eval dv_opened_at=strptime(dv_opened_at,"%Y-%m-%d %H:%M:%S") | where dv_opened_at>=relative_time(now(), "-8w@w") AND dv_opened_at<=relative_time(now(), "@w") | eval _time=dv_opened_at | bin _time span=1w | eval weeknumber=strftime(_time,"%U") | rename dv_assigned_to AS Analyst | timechart limit=0 useother=false span=1w count BY Analyst     The problem is, the timechart outputs 9 weeks of data, and as expected the last week is all 0's.  How do I eliminate the current week from the output, but keep the current week in the initial query? Output     _time Analyst1 Analyst2 Analyst3 Analyst4 2022-05-08 19 6 0 0 2022-05-15 5 4 0 0 2022-05-22 8 2 0 1 2022-05-29 7 4 0 0 2022-06-05 1 3 1 39 2022-06-12 7 1 4 51 2022-06-19 3 2 0 59 2022-06-26 25 5 2 26 2022-07-03 0 0 0 0 #how to drop this row each weekly report    

Our login page is developed by team1 and the main home page (After login) is developed by team2. The event logs from each use completely different structures. I strongly suspect unique system identifiers in the login logs may be carried into the home page logs, but I don't know which fields (out of 20-50 fields in each log) may contain similar values.  Is there a method to find fields that have the same value in both sources if I don't know which fields to match on?  (index=A sourcetype="login" colA="apple", colB="ABC123" , colC="purple") (index=B sourcetype="home" field1="yellow", field2="orange", ..., field20="ABC123", field21="Monkey") How can I search both sources to identify ( login.colB == home.field20) if I don't know in advance those fields match? I may not find ANY common values...

We have a Syslog server collecting data from Meraki Wireless devices.  There is a UF installed on the Syslog server sending data to Splunk.  I have been trying to use Blacklist to filter out the ICMP protocol events which we don't need and I have been unable to drop them.  The entry in my inputs.conf file for this are: [monitor:///syslog0/syslog/meraki/*/*.log] disabled=0 host_segment = 4 blacklist1 = protocol=icmp blacklist2 = "(?192.\168.\30.\143.)" blacklist3 = 10.\12.\239.\7 index = network sourcetype = meraki I have tried a number of variations and have been unable to get the "protocol=icmp" to drop.  Is there something obvious that I am missing? Thanks in advance for any suggestions.

Good afternoon. We currently have our Splunk cloud receiving logs from firewall, office 365 and azure. And now we want to send windows logs, but when installing the universal forwarder on the windows machine, we are not able to view the logs in the splunk cloud. We can see that the collector is receiving the logs, but we don't see it in the splunk cloud. According to the images, the host is correct, but we are not receiving the correct index logs. Could someone please help?

Hello,  I am using the Splunk enterprise free trial. I want to add another admin. I am on the local host, so how would the other user (happens to be in another state) access their account? Could they just download the free trial and log in with the credentials I gave them for the account?  Or is it more complicated than that?