I am trying to use the correlate command in Splunk but keep receiving "1.0" or other numbers as the correlation value when it should not. For example, I have two columns in my table, each with values "increase" or "decrease" based on how much data it is ingesting hour to hour. When I use correlate after that, however, I get 1.0 as the correlation value when it is not 100%. So what exactly is the command correlating, is it not the table? Is it something with the indexes behind the scenes? Also, how do you use parentheses after the correlate command to input fields? All help is appreciated, I have been working on this for a while.

Hi everyone! I would appreciate your help with the following search, I can't find how to do that,  I need to add the customer name to the list of hosts  1. the below search return a list of hosts and their Guid with certificates that going to be expired : index= indexname environment=prod | eval host=rtrim(host, ".prod.net") | eval host=(host."-prod") |lookup host-guid hostName as host Output hostGuid |table host hostGuid 2. the below search return the customer name per host : | inputlookup workspace where poolGuid!=* [| inputlookup workspaceServer where hostGuid=".*" | rename workspaceServerGuid as currentWorkspaceServerGuid | return currentWorkspaceServerGuid] | lookup workspaceServer workspaceServerGuid as currentWorkspaceServerGuid output hostGuid name as core | lookup host hostGuid output hostName | rename currentCustomerGuid as customerGuid name as workspaceName | lookup customer customerGuid output name as customerName | stats count by hostName hostGuid core customerName customerGuid workspaceName workspaceGuid | fields - count how I can combine for those 2 queries and get the customer name just for hosts from the first search #1  Thank you

Hi I need to update the Universal Forwarder credential package manually. Due to our configuration, I can't follow the steps out line here in this document. I unpacked the `.spl` file that's required for the update and noticed that it follows the directory structure of our current splunk configuration. Is there a way we can manually unpack and make this update?    What does the '/opt/splunkforwarder/bin/splunk install app' actually do with the .spl package? 

Hey, I have an inputlookup and I need to perform a stats values on one of the columns "Migration Comments". So, I am able to use the stats functions on every column EXCEPT the one column I actually need to perform the function on. It seems recognises the field name, even though I am copying the name of the field into the query. Here is the data table:   And here is what the query I am trying to run looks like?   What am I doing wrong??? Many thanks,

Hello Splunkers, A few days ago most of serverclasses on our Deployment Server uninstalled itself an output app. As a result, splunkd was restarted on UFs and data stopped being forwarded from hosts. For info, each serverclass in our environment consists of a deployment app with inputs.conf where we specify sources and another deployment app  called 'output_app' with outputs.conf to get data forwarded to indexer cluster. Example logs from one of affected UFs: 06-29-2022 12:15:47.893 +0200 INFO DeployedServerclass - Serverclass=inputs_test_prod is uninstalling app=/opt/splunkforwarder/etc/apps/output_app 06-29-2022 12:15:47.893 +0200 INFO DeployedApplication - Removing app=output_app at='/opt/splunkforwarder/etc/apps/output_app' 06-29-2022 12:15:47.904 +0200 WARN DC:DeploymentClient - Restarting Splunkd... 06-29-2022 12:15:47.905 +0200 WARN Restarter - Splunkd is configured to run as a systemd service, skipping external restart process 06-29-2022 12:15:47.905 +0200 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_123.456.7.89_8089_z1il0123.xyz.ai_z1il0123.zyx.ai_95C4E8F1-731A-4280-9F09-93B03EAFB3DE 06-29-2022 12:15:48.206 +0200 INFO loader - Shutdown HTTPDispatchThread 06-29-2022 12:15:48.206 +0200 INFO ShutdownHandler - Shutting down splunkd 06-29-2022 12:15:48.206 +0200 INFO ShutdownHandler - shutting down level "ShutdownLevel_Begin" 06-29-2022 12:15:48.207 +0200 INFO ShutdownHandler - shutting down level "ShutdownLevel_FileIntegrityChecker" 06-29-2022 12:15:48.207 +0200 INFO ShutdownHandler - shutting down level "ShutdownLevel_JustBeforeKVStore" 06-29-2022 12:15:48.207 +0200 INFO ShutdownHandler - shutting down level "ShutdownLevel_KVStore" 06-29-2022 12:15:48.207 +0200 INFO ShutdownHandler - shutting down level "ShutdownLevel_DFM" 06-29-2022 12:15:48.207 +0200 INFO ShutdownHandler - shutting down level "ShutdownLevel_Thruput" 06-29-2022 12:15:48.207 +0200 INFO ShutdownHandler - shutting down level "ShutdownLevel_TcpInput1" 06-29-2022 12:15:48.207 +0200 INFO TcpInputProc - Running shutdown level 1. Closing listening ports. 06-29-2022 12:15:48.207 +0200 INFO TcpInputProc - Done setting shutdown in progress signal. outputs.conf  # Turn off indexing on the master [indexAndForward] index = false [tcpout] defaultGroup = splunk_prod forwardedindex.filter.disable = true indexAndForward = false [tcpout:splunk_prod] server=z1il0001.zyx.ai.zz:9997,z1il0002.zyx.ai.zz:9997, z1il0003.zyx.ai.zz:9997, z1il0004.zyx.ai.zz:9997, z1il0005.zyx.ai.zz:9997, z1il0006.zyx.ai.zz:9997 autoLB = true Have you ever encountered such an issue? How it is possible that serverclass gets rids off an app itself? Last changes that we did was a Deployment Server upgrade from 8.2.3.3 to 9.0, but we did it on 24.06.  Any idea what can be a root cause? Greetings, Dzasta

Hello everybody, I have a question for the community: Is there a reverse split command? I'll explain my problem: I have a: | eval Holidays = "01 / 01.01 / 06.08 / 15.11 / 01.12 / 08.12 / 25.12 / 26.05 / 01.04 / 25.06 / 02" with the holidays that I want to remove from the day count (I create it, it can be a single value or a multivalue) now I have to add the current year: | eval year = strftime (now (), "% Y") and have this day excluded from the final count: | eval dates = mvrange (C3, now (), 86400) | eval dates = mvfilter (NOT match (dates, "(Excluded)")) | convert ctime (dates) timeformat = "% A" | eval dates = mvfilter (NOT match (dates, "(Saturday | Sunday)")) | eval noOfDays = mvcount (dates) I want to create an Excluded field that has holidays with the current year as value for example: Excluded = "1640991600.000000 | 1641423600.00000 | 1660514400.000000 | ........" It's possible? Is there a reverse split command? Tks Br

Hello community After a small "snafu" with new dashboards and version number, I noticed that after the rollout in our distributed environment there was, what seemed like, a local backup present:     /opt/splunk/etc/apps/<appname>/default.old.20220705-235555/ The date lines up with the rollout of dashboards receiving a "This dashboard view is deprecated and will be removed in future versions of Splunk software" error.  Hence, I suspect these are connected in some way. So the dashboards were "repaired" by just dropping the version number by "1", though the "backup files" are still there. The only difference I notice are the install_source_checksum and the changes made to dashboards. So, is it OK to just delete this "backup" folder? If so, is there a preferred way to do so or just remove it?