I am wondering if one can relate extracted fields to a specific source rather than a source type. The event structure that comes in changes based on the source even though they are the same source type and so one extracted field will get the correct value and another will not if I don't specify the source I am looking for. I also have the problem where events of the same host, source, and source type will have different event structures from event to event. I am not sure how to extract the fields from this situation either.  Any suggestions are much appreciated.

Hi All, I have two set of logs in two different sources in splunk, one containing the predefined list of VPNs and Queues and the other containing list of VPNs and Queues where activity is done. Now I have to compare the list of the 2nd set with the 1st set and create a table. Set 1: log:  10.96.195.70/SEMP/v2/monitor/msgVpns/CPGC_S_SIT/queues/gcg.apac.eventcloud.publish.hk.twa/txFlows 10.96.195.70/SEMP/v2/monitor/msgVpns/EHEM_S_SIT/queues/gcg.emea.eventcloud.publish.ae.cops/txFlows 10.96.195.70/SEMP/v2/monitor/msgVpns/EHEM_S_SIT/queues/gcg.emea.eventcloud.publish.ae.sendprioritycommandretrycomm/txFlows 10.96.195.70/SEMP/v2/monitor/msgVpns/EHEM_S_SIT/queues/gcg.emea.eventcloud.publish.ae.triggerbatchtocommhub/txFlows 10.96.195.70/SEMP/v2/monitor/msgVpns/ALERTSGC_S_SIT/queues/gcg.ap.cop_163124.card.lightning.eas.queue So I created the below query to get the VPN & Queue: *** | source="*/sit_solace_updated.txt" | rex field=_raw max_match=0 "msgVpns\/(?P<VPN_Name>[^\/]+)\/queues\/(?P<Queue_Name>[^\/]+)\/" | table VPN_Name,Queue_Name | eval row=mvrange(0,mvcount(VPN_Name)) | mvexpand row | foreach *_* [| eval <<FIELD>>=mvindex(<<FIELD>>,row)] | fields - row Set 2: log1:  "activationTime":1652444666, "clientName":"source.solace.emea.ae.custmgt.cops.cops.raw.int.rawevent-05d1d1b@gtgcb-csrla01s.nam.nsroot.net/59133/#00a00005/VIzOONZsrL", "msgVpnName":"EHEM_S_SIT", "queueName":"gcg.emea.eventcloud.publish.ae.cops", log2: "activationTime":1650620233, "clientName":"BW-ALERTS_JMS_CONN-queue-ALERTSServices-1-1-AlertServices_ALERTSServices_a37s_01", "msgVpnName":"ALERTSGC_S_SIT", "queueName":"gcg.ap.cop_163124.card.lightning.eas.queue", And here I used the below query to create a table: *** | source="*/final_sol_queue.txt" | rex field=_raw "Time\"\:(?P<Act_Time>[^\,]+)\," | rex field=_raw "clientName\"\:\"(?P<Client_Name>[^\"]+)\"\," | rex field=_raw "VpnName\"\:\"(?P<VPN_Name>[^\"]+)\"\," | rex field=_raw "queueName\"\:\"(?P<Queue_Name>[^\"]+)\"\," | eval Activation_Time=strftime(Act_Time,"%a, %d %b %Y %H:%M:%S") | table Activation_Time,Client_Name,VPN_Name,Queue_Name | dedup Activation_Time,Client_Name,VPN_Name,Queue_Name it gave the below table: Activation_Time Client_Name VPN_Name Queue_Name Fri, 22 Apr 2022 15:28:39 BW-ALERTS_JMS_CONN-queue-ALERTSServices-1-1-AlertServices_ALERTSServices_a37s_01 ALERTSGC_S_SIT gcg.ap.cop_163124.card.lightning.eas.queue Fri, 13 May 2022 17:54:26 source.solace.emea.ae.custmgt.cops.cops.raw.int.rawevent-05d1d1b@gtgcb-csrla01s.nam.nsroot.net/59133/#00a00005/VIzOONZsrL EHEM_S_SIT gcg.emea.eventcloud.publish.ae.cops However, I want to create a table that contains the missing VPNs & Queues also from set1 as below: Activation_Time Client_Name VPN_Name Queue_Name Fri, 22 Apr 2022 15:28:39 BW-ALERTS_JMS_CONN-queue-ALERTSServices-1-1-AlertServices_ALERTSServices_a37s_01 ALERTSGC_S_SIT gcg.ap.cop_163124.card.lightning.eas.queue Fri, 13 May 2022 17:54:26 source.solace.emea.ae.custmgt.cops.cops.raw.int.rawevent-05d1d1b@gtgcb-csrla01s.nam.nsroot.net/59133/#00a00005/VIzOONZsrL EHEM_S_SIT gcg.emea.eventcloud.publish.ae.cops Not_Available Not_Available EHEM_S_SIT gcg.emea.eventcloud.publish.ae.triggerbatchtocommhub Not_Available Not_Available EHEM_S_SIT gcg.emea.eventcloud.publish.ae.sendprioritycommandretrycomm Not_Available Not_Available CPGC_S_SIT gcg.apac.eventcloud.publish.hk.twa   Please help to modify the query in a way that it compares set1 and set2 for the VPN & Queue values and produce the table in the above manner. Thank you All..!!

In going through the SplunkCloud SPL tutorial, we are told to upload California drought data into Splunk, and we create a Dashboard from it.  That worked just as explained, but the next day the data is gone.  I was using the "AllTime" filter, so it was not that I missed data that was getting older, and skipped by filters. source="us_drought_monitor.csv" State = CA date_year=2018| rex field=County "(?<County>.+) County"| eval droughtscore = D1 + D2*2 + D3*3 + D4*4| stats avg(droughtscore) as "2018 Drought Score" by County| geom ca_county_lookup featureIdField=County above is the search SPL for the demo.  While I have your attention, in the tutorial they add a min and max function, ""2018 Drought Score" max(droughtscore) as "Max 2018 Drought Score" min(droughtscore) as "Min 2018 Drought Score" by County"  This provided SPL code broke the Dashboard yesterday when it was working. is there something wrong with this SPL, that was provided?

Hi, I have below sample event. All field values are getting extracted fine using Splunk's auto extraction. However, some fields are not getting extracted correctly and they get extracted partially. These fields are FindingDetails and FindingDescription highlighted below. How can I get auto extraction in place to extract them all using rex OR how can I extract only these two fields at search time with two separate regexes? All fields are seperated by comma in raw event below and all values are encapsulated in double quotes. Feed is setup via DBConnect running SQL against a DB table and data gets in as is. Splunk Enterprise is @ 8.x. Thanks in advance!!   2022-06-21 10:29:05.000, ID="1234567890", System="SAMPLE", GSystem="SAMPLE", Environment="1 PROD", Datasource="SAMPLE", DBMSProduct="ORACLE", FindingType="Fail", SeverityCode="2 HIGH", SeverityScore="8.0", TestID="1234", TestName="SAMPLE", TestDescription="Application users privileges should be restricted to assignments using application user roles. Granting permissions to accounts is error prone and repetitive. Using roles allows for group management of privileges assigned by function and reduces the likelihood of wrongfully assigned privileges. We recommend assigning permissions to roles and then grant the roles to accounts. This test excludes grantees from a predefined Guardium group called "Oracle exclude default system grantees", APEX_%, ANONYMOUS and PUBLIC grantees. It also excludes grantees for tables SAMPLE and SAMPLE, excludes the DBMS_REPCAT_INTERNAL_PACKAGE table and table name like '%RP'. To exclude certain grantees, you can create an exception group, populate it with authorized grantees and link your group to this test.", FindingDescription="Application users privileges are not restricted to assignments using application user roles. Including 205 items present in test detail exceptions.", FindingDetails="The following users have direct privileges on the tables: Grantee = SAMPLE : Privilege = DELETE : Owner = SAMPLE: Object_name = SAMPLE", TestResultID="123456789", RemediationRule="295", RemediationAssignment="TEST", RemediationAnalysis="Finding passes in the Baseline Configuration. Project needs to initiate tickets in coordination with their DBA to remediate. Specifically a Role needs to be created and the permission flagged in this test added to the role, the user should then be granted to the role and the original permission removed from the user. This is a finding even if documented in the XYZ.", RemediationGuidance="Application users privileges should be restricted to assignments using application user roles. We recommend revoking privileges assigned directly to database accounts and assigning them to roles based on job functions. You can use the following command to revoke privileges: revoke <privilege> on <object name> from <user name>; To exclude certain grantees, you can create an exception group, populate it with authorized grantees and link your group to this test.", ExternalReference="STIG_Reference : STIG_SRG", VersionLevel="19", PatchLevel="19.15.0.0.0", Reference="123", VulnerabilityType="PRIV", ScanTimestamp="2022-06-21 06:29:05.0000000", FirstExecution="2022-01-04 06:38:25.0000000", LastExecution="2022-06-21 06:29:56.0000000", CurrentScore="Fail", CurrentScoreSince="2022-01-04 06:38:25.0000000", CurrentScoreDays="168", Account="TEST", AcknowledgedServiceAccount="Yes", SecurityAssessmentName="TEST", CollectorID="123456789045444444", ScanYear="2022", ScanMonth="6", ScanDay="21", ScanCycle="2", Description="TEST", Host="abcdef.sample.net", Port="0000", ServiceName="SAMPLE"  

Hi Team,                   Recently we have received a notification from Splunk to upgrade to Victoria Experience. And I want to know Is it good to upgrade to Victoria or else stay with the classic experience.??   Dear Splunk Cloud Platform Customer, We are reaching out to inform you of an upcoming maintenance window for Splunk to deliver a cloud migration for your stack: ***** This migration is known as the Victoria Experience. This is the message we received from Splunk team, does anyone have any idea regarding this classic and Victoria experience? Please do suggest which one is better to go with