Hello, I have an alert that output a csv file that look like this Person Number_of_login Login_fail Person A 1   Person B 6 2 Person C 4 1   I run this search everyday and append upon the csv file. Upon a few days it'll look like this Person Number_of_login Login_fail Person A 1   Person B 6 2 Person C 4 1 Person A 2 1 Person B 7 1 Person C 4   .....       Now at the end of the month, I want to calculate the total number of login and number of login fail for each person, and also to calculate the percentage of login fail for each one. As far as I know addcoltotals don't have "by" like stats do (like stats count by Person). I want my final table to look like this Person Number_of_login Login_fail Person A 3  1 Person B 13 3 Person C 8 1 So how do I go about this?

Dashboard is taking a long time to load and it has 17 apps in one panel. I have also tried creating a token such as <set token="app_names">app1,app2</set> instead of using wildcard.  but query is not returning any result. Code snippet   <init> <set token="app_names">app1,app2,app3................</set> </init> ...... <row> <panel> <title>Dashboard</title> <table> <search> <query>index=idx ns=xyz* app_name=$app_names$ pod_container=xyz* ((" ERROR " OR " WARN ") |stats count by app_name | append [| stats count | eval app_name="app1,app2,app3........" | table app_name | makemv app_name delim="," | mvexpand app_name] .......     Please advise!

Hi, so for the context, I'm developing a custom reporting command that will allow running a python ML script over the result of a search, and yield a prediction over all the records in the search result. I've followed the template in https://github.com/splunk/splunk-app-examples/tree/master/custom_search_commands/python/reportingsearchcommands_app to create such a command. However, running this reportingcsc command (in my case, the command is `source="account202203.csv" | table date, new | reportingcsc cutoff=10 new`) over my dataset yields more than one statistics, while it's quite clear that the reduce method of this custom command would only yield one statistics over the search result.       def reduce(self, records): """returns a students count having a higher total marks than cutoff""" pass_student_cnt = 0 for record in records: value = float(record["totalMarks"]) if value >= float(self.cutoff): pass_student_cnt += 1 yield {"student having total marks greater than cutoff ": pass_student_cnt}       It looks like the search result is binned into different chunks, and each chunk goes thru the reduce() method once. However, as a matter of fact, the search result aren't actually binned: If I simply do `source="account202203.csv" | table date, new | stats sum(new)` then it would only yield only 1 statistic. Any suggestion to do this the right way would be greatly appreciated!

I see lots of suggestions in the Community for Linux but not Windows. Has anyone resolved this on a production Windows 2016 Server? Three errors when logging in to Splunk following the upgrade to 9.0 Failed to start the KV Store See mongod.log and splunkd.log for details. KV Store changed status to failed. KV Store process terminated. KV Store process terminated abnormally (exit code 1, status exited with code 1) See mongod.log and splunkd.log for details

I would like to know if Splunk has any documentation that shows some pre-created rules, like those of elastic for example. Below is the reference: https://www.elastic.co/guide/en/security/current/prebuilt-rules.html. I want to create some rules for firewall, antivirus and office 365. Thanks  

Hello Team, Did anyone find disadvantages by upgrading to Victoria Experience from classic experience. I have seen the advantages in this link https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/Experience  But I want to know the disadvantages of Victoria Experience when compared to Classic, I didn’t found any such links of this. So kindly help me in this.

I have 2 files I want to monitor for in the same directory with 2 different sourcetypes. My issue is both files are being picked up by sourcetype a because of the wildcard. The wildcard is needed for the dates that follow the log name. I tried blacklisting the diagnostic file from sourcetype a but that did not work.     [monitor://E:\path\to\log\directory\HFMWeb*-diagnostic.log] sourcetype = <sourcetype b> disabled = false index = <index> crcSalt = <SOURCE> [monitor://E:\path\to\log\directory\HFMWeb*.log] sourcetype = <sourcetype a> disabled = false index = <index> crcSalt = <SOURCE> blacklist = \-diagnostic     Any ideas on how I can exclude the diagnostic file from sourcetype a but then include in sourcetype b?

I am trying to ingest a new log and unfortunately, it doesn't include year or time zone as part of the message. The timestamp in the messages is in the following format:   Jun 30 01:02:03 <msg>   I wrote the following props.conf settings to extract the timestamp in the message:   [new_sourcetype] TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 15 TIME_FORMAT = %b %d %H:%M:%S    I see the following warnings under splunkd.log:   06-30-2022 14:05:59.555 -0600 WARN DateParserVerbose [1556614 merging] - The TIME_FORMAT specified is matching timestamps (Tue Jun 6 17:43:20 2023) outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source=/path/to/log|host=UF01|new_sourcetype|230    I'm confused where "(Tue Jun 6 17:43:20 2023)" is coming from because none of the logs have this string. How do I approach this? I've thought about using transforms to write into the DEST_KEY "_time" but I read that any key starting with "_" is not indexed. This data is being received from a syslog server so I thought about modifying the data as it's being received. What are you recommendations?

Hi I have a table similar to this: Brand ID_EMP Nike 123 Adidas 456 Lotto 123   other table like this: code name 123 Smith 456 Myers   The result should be Nike 123 Smith  Adidas 456 Myers  Lotto 123 Smith     but insted of this I'm getting: Nike 123 Smith john adidas 456 Myers. Mike   This is the query that I'm using. | dbxquery query="SELECT * FROM Clients ;" connection="Clients" | where NOT like(SAFE_NAME,"S0%") |rename ID_EMP as code | join type=left [|  inputlookup append=t Emp.csv | table code, name, STATUS ]| fillnull value="Blank" STATUS | dedup code | where STATUS!="Blank"

Hi everyone, Newbie here again. Is it possible to have query similar to the LIKE function in SQL where MM/DD/YYYY in Splunk to set different MAX VALUE and INTERVAL for the Y-Axis? Would it also be possible just to use the Month and Year for the condition to take effect so that regardless what Date the user may enter, it would not effect the result?