Input: Message                                                          ID ... tt_1 ... tt_2 ... tt_9 ... tt_3                        1 ... tt_6 ... tt_4 ... tt_5                                      2   Ouput: Message                                                          ID     TT ... tt_1 ... tt_2 ... tt_9 ... tt_3                        1       tt_1 tt_2 tt_9 tt_3 ... tt_6 ... tt_4 ... tt_5                                      2.     tt_6 tt_4 tt_5 In the above "Message" field the "..." indicates some random text in between. So basically I want to extract all words starting with "tt_" and display it as in the table shown above. Can anyone help be with the splunk query of it.

Hello, What is the recommended way to create Apps from SPLUNK CLI, do you think > $SPLUNK_HOME/etc/apps/splunkdj createapp MyAppName should work? Your recommendation will be highly appreciated, thank you.  

Hi, Has anyone tried using the node.js agent to see if it will work with detecting the Next.js framework? Next.js is an open-source web development framework built on top of Node.js, so don't know if it will at least partially work.

In the iOS mobile app, the time range picker for all the dashboards is defaulting to 15 mins, instead of 'Today' as the web version. How to update the time range picker default value to show the same as the web?

How do I configure my AWS application (which is mostly lambda functions called by state machines) to properly propagate trace context? Right now I see traces that represent portions of my state machines, but not the whole state machine Can splunk ingest the x-ray traceID generated by AWS Step Functions (if I turn on x-ray tracing for step function)? I am assuming that without that traceID being generated, splunk APM won't be able to track lambda functions across a state machine.

I have three total servers in a Windows deployment.  A Splunk Search server, a Splunk Index server and a Splunk deploy server.  I would like to upgrade the KV Store but I'm not clear if I need to use the cluster implementation instructions or the single KV Store instructions.  I am currently running 8.2.6 and upgraded a few months ago from 8.0.x.  When I run the command "start-shcluster-migration kvstore -storageEngine wiredTiger -isDryRun true", I get "Admin handler 'shclustercaptainkvstoremigrate' not found".   This is Step1 in a clustered KV Store setup.  If I try the REST API option, for Step 1, the command errors out because -d is listed twice in the command: curl -k -u admin:changeme https://localhost:8089/services/shcluster/captain/kvmigrate/start -d storageEngine=wiredTiger -d isDryRun=true Also in the single deployment instructions, you edit the server.conf file: [kvstore] storageEngineMigration=true  I don't see this in the cluster implementation instructions unless I missed something.    

Dears, I am new to splunk, just installed trail versions through wget, Splunkd is running but unable to connect with 8000 port after adding inbound rules in aws! what needs to be done? can anyone help me on this? Thanks in advance.

We are excited to announce the preview of Splunk ITSI custom threshold windows (CTW). ITSI CTW allows you to adjust your severity levels when an expected abnormal behavior may arise - e.g. public holidays, peak day of the year or month, or large retail moment like Black Friday. Need access to the ITSI CTW preview? Complete this brief application, we will contact you if there is space and availability to participate!  Already have access to the preview?  Want to access product docs? ITSI custom threshold windows Docs offers detailed guidance on how to use the feature  Want to request more features? Add your ideas and vote on other ideas at ITSI custom threshold windows Ideas Portal    Please reply to the thread below with any questions or to get support from the Splunk team, our product and engineering teams are subscribed to this post and will be checking for feedback and questions!

Hi, I have a table as the main search using dbxquery below: | dbxquery connection=my_connection query="SELECT id, start_date, end_date FROM my_table" Sample records: id, start_date, end_date 1, 2020-01-01, 2020-01-04 2, 2020-01-03, 2020-01-05 ...... And I have another lookup csv with only two columns below: date, amount 2020-01-01, 10 2020-01-02, 20 2020-01-03, 10 2020-01-04, 10 2020-01-05, 20 ...... The output I want is: id, start_date, end_date, total 1, 2020-01-01, 2020-01-04, 50 # total sum of 2020-01-01 to 2020-01-04 (10+20+10+10) 2, 2020-01-03, 2020-01-05, 40 # total sum of 2020-01-03 to 2020-01-05 (10+10+20) What could be the best way to get this done? Thanks in advance!

Cisco ACI APP for Splunk, when I enable this collection, it creates a huge load on the APIC. [script://$SPLUNK_HOME/etc/apps/TA_cisco-ACI/bin/collect.py -classInfo aaaModLR faultRecord eventRecord] I have attempted to widen the interval, but it just reduces the number of times the load happens. The APIC is almost unusable while this collection is happening.  I removed these one at a time, and it appears to be the poll of the eventRecord that is causing the drag on the APIC. I thought Splunk would only pull in the new information since the last poll, but that does not appear to be what is actually happening.  Is this expected? Is there a way to remedy this issue?