I have a real time Splunk index pushing records into two source types. Source type 1 holds fields including assignmentgroup, manager name , entity etc. Source type 2 hold fields including ticketnumber , assignmentgroup,priority etc. Sourcetype 2 has tickets updates coming in and each ticket can move from one assignmentgroup to another assignmentgroup which may or may not be present in Source type 1 I would like to find out how many tickets are there in Sourcetype 2 which moved out from assignmentgroups of Sourcetype 1? In other words, how many tickets are present in Sourcetype 2 whose assignmentgroup doesnt belong to the assignmentgroup present in Source type 1.  Any leads would be helpful. TIA! Just an update, this sourcetype 1 is actually pushed to a lookup file (that has same collumns as in Source type 1, Hence , I intend to use this lookup in the search query)

Hi, I have a timechart with the revenue of several shops (each shop is a field) over the month. I want to know the accumulate revenue of each shop over time so that if a shop earned 5$ on monday and 7$ on tuesday then on tuesday the graph will show 12$.  I know that the command accum does that for a given field but I don't know ahead how many fields there will be. Example: A B C A B C 8 3 5 -> 8 3 5 6 7 4 14 10 9 2   5    9                16   15   18   This is my code until now: <something> | timechart span=1d sum(revenue) by shop | accum A | accum B | accum C   The goal is for the fields to be dynamic and not hardcoded! Thank you

Thanks in Advance,  I have a search setup to see whenever someone access's a certain document. This works just fine, the issue comes with the results. Looking at the Extracted Fields, i get the users "Sid" instead of their username. I do however have Splunk Supporting Add-On for Active Directory, and have it configured. I have a report that pulls a CSV (users.csv) that gives me everyones sAMAccountName as well as their SIDs' and puts it in the location of my Lookup Table.  Trying to figure out how to get the |inputlookup     to compair the search results Sid with my excel doc and give me the AccountName in that specific Row as well. Any help?   I have this ( minus the output to create my users.csv) |ldapsearch search="(&(objectclass=user)(!(objectClass=computer)))" attrs="userAccountControl,sAMAccountName,objectSid,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,accountExpires" |makemv userAccountControl |search userAccountControl="NORMAL_ACCOUNT" |eval suffix="" |eval endDate="" |table sAMAccountName,objectSid,displayName,givenName,sn,whenCreated,   and my main search source="WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL" NOT %SYSTEM32*   Just need a input to get my results Sid to look at the Excel find the SID in the "objectSid" ( column B ) and give me the sAMAccountName(columnA) into my search results...   IF POSSIBLE!

Hello, I have some use cases where we need to delete files right after those are read/push by UF. How I would do it. There are any ways we may let the UF to do this task using batch in inputs.conf file. Any recommendation would be highly appreciated, thank you!