New to Splunk and banging my head against the wall with this problem for over a day now. Please help... Need to compare two different fields from two different events to determine whether the values of those fields match. I ran a search that returns events. All events have an ACCOUNT_NUM field. Depending on the event, it will have either a DATE_TYPE1 field or a DATE_TYPE2 field. The report should display each distinct ACCOUNT_NUM that has one of each DATE_TYPE - so, a column for ACCOUNT NUM, a column for DATE_TYPE1, a column for DATE_TYPE2, and a column for DATE_STATUS ("Match" or "No Match") to indicate whether the two dates match.  So far, I have:   | stats values(DATE_TYPE1) AS "Date One" values(DATE_TYPE2) AS "Date Two" count by ACCOUNT_NUM | where count > 1   This groups the distinct ACCOUNT_NUM and shows me the two DATE_TYPES but how do I indicate whether the two dates match? I tried adding:   | eval DATE_STATUS=if(DATE_TYPE1=DATE_TYPE2, "Match", "No Match")   but this returns "No Match" for all of the events. My understanding is this is because    | eval   is evaluating each event individually. Since no event has both date types, it is not finding a match. How can I get it to compare the date types of each distinct account number as grouped together by my   | stats   command?

Data is events with a date, username, company,  score. I want to calculate an NPS score by company. detractors = scores 1-6 passive = score 7-8 promoters = score 9-10 NPS=%promoters-%detractors   Help would be highly appreciated.    

Hello All, This is my first time posting to Splunk Community. I've found a lot of value here and hope you all are doing well. I have an add-on built with the Splunk Add-on Builder (I believe version 4.1.0) that contains an alert action that packages up search results and sends them to a HEC input. I am utilizing George Starcher's Python class for sending events to HEC inputs (https://github.com/georgestarcher/Splunk-Class-httpevent). The alert action works perfectly except when I enable the proxy - then I am hit with the error message:     Traceback (most recent call last): File "/opt/splunk/etc/apps/<appname>/bin/<appname>/splunk_http_event_collector.py", line 287, in _batchThread response = self.requests_retry_session().post(self.server_uri, data=payload, headers=headers, verify=self.SSL_verify,proxies=proxies) File "/opt/splunk/etc/apps/<appname>/bin/<appname>/aob_py3/requests/sessions.py", line 635, in post return self.request("POST", url, data=data, json=json, **kwargs) File "/opt/splunk/etc/apps/<appname>/bin/<appname>/aob_py3/requests/sessions.py", line 587, in request resp = self.send(prep, **send_kwargs) File "/opt/splunk/etc/apps/<appname>/bin/<appname>/aob_py3/requests/sessions.py", line 701, in send r = adapter.send(request, **kwargs) File "/opt/splunk/etc/apps/<appname>/bin/<appname>/aob_py3/requests/adapters.py", line 499, in send timeout=timeout, File "/opt/splunk/etc/apps/<appname>/bin/<appname>/aob_py3/urllib3/connectionpool.py", line 696, in urlopen self._prepare_proxy(conn) File "/opt/splunk/etc/apps/<appname>/bin/<appname>/aob_py3/urllib3/connectionpool.py", line 964, in _prepare_proxy conn.connect() File "/opt/splunk/etc/apps/<appname>/bin/<appname>/aob_py3/urllib3/connection.py", line 359, in connect conn = self._connect_tls_proxy(hostname, conn) File "/opt/splunk/etc/apps/<appname>/bin/<appname>/aob_py3/urllib3/connection.py", line 506, in _connect_tls_proxy ssl_context=ssl_context, File "/opt/splunk/etc/apps/<appname>/bin/<appname>/aob_py3/urllib3/util/ssl_.py", line 453, in ssl_wrap_socket ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls) File "/opt/splunk/etc/apps/<appname>/bin/<appname>/aob_py3/urllib3/util/ssl_.py", line 495, in _ssl_wrap_socket_impl return ssl_context.wrap_socket(sock) File "/opt/splunk/lib/python3.7/ssl.py", line 423, in wrap_socket session=session File "/opt/splunk/lib/python3.7/ssl.py", line 827, in _create raise ValueError("check_hostname requires server_hostname") ValueError: check_hostname requires server_hostname      Has anyone come across similar behavior? I am trying a variety of different things but this has quickly gone over my head. Any help or direction would be greatly appreciated. Please let me know what information I can provide. Thank you.

Hi, I have now filled out this web form twice in the last 24 hours to join the Splunk Usergroups Slack channel but I still have not received any reply as expected: https://docs.google.com/forms/d/e/1FAIpQLSd2PXSBiatZvCIpdE2wPFgnrUM29HBYjrkI0iDhlx26RwwE4A/viewform     Can anyone help as I need to join this Slack group for my current development work. Many thanks,

I'm posting this in case someone else has the problem I struggled with. I had was calculating a list of upload and download totals per webdomain per company location into a list.  The format of the table was such that I ended up with the company location, followed by a multivalued list of the web domains, and a multivalued list of the bytes totals.  The bytes totals being 7 to 8 digit numbers are easier to read with commas but the usual formatting solution: eval Download=tostring(Download, "commas") eval Upload=tostring(Upload, "commas") Had mixed results depending on where in the query I placed it.  After the initial transformation command, it messed up my sorting since now it was a string.  At the end, it summed the multi-value field and then put the commas in so that didn't help.  

I recently discovered that "tstats" is returning sourcetypes which do not exist.  Query:  | tstats values(sourcetype) where index=* by index  This returns a list of sourcetypes grouped by index. While it appears to be mostly accurate, some sourcetypes which are returned for a given index do not exist. For example, the sourcetype "WinEventLog:System" is returned for myindex, but the following query produces zero results:  index=myindex sourcetype="WinEventLog:System" This is the case for multiple indexes. If my understanding of "tstats" is correct, it works by only analyzing indexed fields which are stored in the tsidx files. If no events exist with a given sourcetype for a specific index, how could that value have possibly been saved in the tsidx files? 

Hi Splunkers, This may be easy, but I'm not able to solve it if anyone can help. I want to set a lower threshold to 15 standard deviation below the mean, and the upper threshold to 15 standard deviation above the mean, but I'm not sure how to implement that.  Thanks!

I’m trying to get a count for activity on around 10 different APIs. The search is: index=api_logs | bin span=5min _time | stats count by _time, APIName Is it possible to use stats count so the output includes an entry for each API in each 10 minute period and report a ‘0’ if there hasn’t been a call. I know you could chart it but I’d like the data in this particular format.