Please see this search - i'm trying to add missing field values from another index to this search.   index=1 earliest=-9d latest=now ExternalApiType=Event_DetectionSummaryEvent | fillnull | stats values(ComputerName) AS ComputerName values(DetectName) AS DetectName values(UserName) AS User values(event_platform) AS Platform values(FileVersion) AS SensorVersion P values(MachineDn) AS OU values(SiteName) AS SiteName count(_time) AS count BY _time EventUUID | sort 0 - _time | eval Time=strftime(_time, "%m/%d/%Y %H:%M:%S") | appendcols [ search earliest=-9d latest=now index=json "AuditKeyValues{}.Key"=new_state "AuditKeyValues{}.ValueString"=* | spath | spath AuditKeyValue{} ]   Index=1 has fields ComputerName, DetectName, UserName, _time, EventUUID index=main has fields event_platform, FileVersion, MachineDn, SiteName   I want to pull the fields from index=main into the stats command of the index=1. I thought  it's as simple as adding the index=main at the beginning of the search with an OR: (index=json ExternalApiType=Event_DetectionSummaryEvent) OR (index=main FileVersion=*). But it's not working. I have to have the ExternalApiType value and it's only in the first index. I also tried join with the subsearch, but it didn't work. The original search is for 90 days, so I shouldn't use a subsearch anyways. Thank you.

I would like to know about to add a single field value to outputlookup, as currently there are some fields like id, condition, value is there , but the need is only to ingest condition, Can anyone provide the query for this.

I want to trigger a Splunk SOAR playbook to iterate through a list of hosts every hour and check if they are online in our EDR tool, and if they are online to display a message to the user via the EDR API. Although the playbook is already complete, I can't think of a good way to have it execute every hour. I thought about using a Splunk app ingestion to query our Splunk instance every 60 minutes to create a dummy label and container that the playbook could be set to "active" on, but that seems like an awkward work around.    Is there some other app or setting I'm missing that could achieve this goal?  

Hi all, I'm working on a deploy with Universal Forwader, Heavy Forwarder and Indexer Cluster and Search Cluster. The problem is this: I'm indexing data from different csv since long time. For the first time yesterday I realized that not all the raw of my csv files are indexed at all.  For example: In a csv I count 24k rows and when I perform a stats count on the index I see only 16/17k rows. Each file rotates every minutes.  In the log there's anything that leads to an error. In the UNIVERSAL FORWARDE I've this in inputs.conf [batch:///var/opt/OV/shared/perfSpi/datafiles/metric/final/F5_ResurcesGroup*] disabled = 0 index = f5_metrics sourcetype = f5_metrics initCrcLength = 100000 move_policy = sinkhole In the HEAVY FORWARDER: props.conf [f5_metrics] INDEXED_EXTRACTIONS = CSV HEADER_FIELD_LINE_NUMBER=1 HEADER_FIELD_DELIMITER =, FIELD_DELIMITER=, HEADER_FIELD_LINE_NUMBER = 0 SEDCMD-dropheader = s/^"Node.+//g SEDCMD-select_fields = s/([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)/\1,\2,\4,\5,\9,\17,\18/g #SEDCMD-select_fields = s/([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)/\1,\4,\5,\9,\17,\18/g TRANSFORMS-f5_fields_name_extract=f5_fields_name_extract and in the transform.conf  [f5_fields_name_extract] REGEX=([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*) FORMAT=NodeID::$1 TimeStamp::$2 period_length::$3 ltmVirtualServStatClientCurConns::$4 ltmVirtualServStatVsUsageRatio1m::$5 DisplayAttribute::$6 PollingInterval::$7 #FORMAT=NodeID::$1 period_length::$2 ltmVirtualServStatClientCurConns::$3 ltmVirtualServStatVsUsageRatio1m::$4 DisplayAttribute::$5 PollingInterval::$6 WRITE_META = true Any suggestion ? Thanks Fabrizio      

I am investigating a customer's concern that this  particular search is not writing summary to 'stash' sourcetype. This is the SPL we have. I am relatively new to summary index. Any pointers where I should be looking at ? | tstats summariesonly=true count sum(Web.bytes_in) AS total_bytes_in sum(Web.bytes_out) AS total_bytes_out from datamodel=Web where sourcetype="qnet:proxysg:access*" groupby _time span=1d Web.category | rename Web.category AS category | eval total_bytes=total_bytes_in + total_bytes_out | collect index=security_summary source="SavedSearch.Qnet_Daily_Category_Stats" sourcetype="SavedSearch.Qnet_Daily_Category_Stats"

Hi All,   I have provided multiple inputs in my dashboard studio and their tokens are being  used across multiple searches in the same Dashboard. I am seeing this issue:   I have to click submit  button  multiple times. My multi select inputs look like this and  they are interdependent on each other:   Example: Values of B is dependent on A Values of C is dependent on A, B Values of D is dependent on A, B, C Values of  E is dependent on A,B,C,D   like that. Now say if i have selected A,B,C ....D will not  update its values until and  unless i click submit button.......similarly E will also not update its new values until and unless after selecting D, i press again submit button. Is there any option for refresh button ? If i remove submit button, my whole dashboard starts refreshing  with each selection of input and this eats away a  lot of time. 

Hi everyone. I am a new user to Splunk.  Recently, I have met some trouble with trying to extract a certain message out from a field I want. I have a field called Message, which logs the message sent to a web server. However, I only want to retrieve a specific field when the message contains the desired field that I want.  Example: I want to retrieve the user's name when service is invoked.  Time Message 2021-05-15T01:51:52.321Z Session ID 1234 has been created 2021-05-15T01:51:52.321Z Invoked by user David from IP 127.256.25.16 2021-05-15T01:51:52.321Z Configuration Reading - Start   Hence, I only want to extract the name David, when that specific message log containing the name appears. Does anyone have any clue how I can extract that field specifically when it appears? Thanks in advance.  EDITED: Hey Splunk Users,  If you met the same problem as I did, where the message logs change constantly, do make sure to search for the message you are looking for first, before drilling down for the specific field.  In my case: | search Message="Invoked by user *" | rex field=Message "Invoked by user (?<user>\w+)"

Hello everyone! I want to combine two searches or find another solution. Here my problem: I need a timechart where i can show the occurences of some ID´s (example for an ID: 345FsdEE344FED- 354235werfDF2) and put an average line over it. Graph Idea: Orange: Timechart with a distinct count for the ID´s Green: Stats with average for the count of the ID´s       index=example_dev | bin span=1m _time | stats dc(TEST_ID) as count_of_testid by _time     For the timeframe i want to be flexibel but for the span 15 minutes are ok. Thank you all a lot and have a nice day.

After following the jboss setup tutorial https://docs.splunk.com/Documentation/AddOns/released/JBoss/Setup I am able to search wildfly23 server jmx logs with index="main" sourcetype="jboss:jmx"  but when I search for server log with index="main" sourcetype="jboss:server:log" it is not showing any result. Below are the input.conf file [jboss://dumpAllThreads] disabled = 0 account = wildfly duration = 10 index = main sourcetype = jboss:jmx [monitor://D:/Wildfly_9/wildfly-23.0.2.Final/standalone/log/server.log*] disabled = false followTail = false index = main sourcetype = jboss:server:log [monitor://D:/Wildfly_9/wildfly-23.0.2.Final/standalone/log/*gc.log*] disabled = false followTail = false index = main sourcetype = jboss:gc:log [monitor://D:/Wildfly_9/wildfly-23.0.2.Final/standalone/log/access.log*] disabled = false followTail = false index = main sourcetype = jboss:access:log