The obj is to only sends out alert if the  'low' and 'high' strings both detected more than 5 mins interval. Which means 5 min or less, the alert shld nt process or ignore it. More than 5 mins, process it and sends out alert if low or high received in the syslog. Currently below was wht configured in the splunk rules for both low and high. But i dont really understand it. Can someone explain how it works? Alert-Water High index="watersb" item="Water Level" | fields watersb_timestamp host machine_id location state status | transaction host maxspan=5m | eval status_count=mvcount(status) | search status_count=1 status=high | eval timestamp=strptime(watersb_timestamp,"%b %d %H:%M:%S") | convert timeformat="%d %b %Y %H:%M:%S" ctime(timestamp) | table timestamp host status machine_id location state   Alert-Water Low index="watersb" item="Water Level" | fields watersb_timestamp host machine_id location state status | transaction host maxspan=5m | eval status_count=mvcount(status) | search status_count=1 status=low | eval timestamp=strptime(watersb_timestamp,"%b %d %H:%M:%S") | convert timeformat="%d %b %Y %H:%M:%S" ctime(timestamp) | table timestamp host status machine_id location state

Hello,   How do we edit the tooltip of a chloropleth map to display an additional column and it's value.  and secondly how do we rename the count column to something else coz the moment we rename it the map doesn't render.

I want a main dashboard to pull results from multiple application dashboards. I do not want to do the same queries in the Main dashboard. Is this possible? example:  <row> <panel> <table> <title>Overall_Status</title> <search> <query>index=clo_application_logs host IN (xxxx.com) "Unable to read the file" OR "DB ERROR" OR "JMS Exception Occurred" OR "outOfMemory" OR "ERROR - PricingManager" OR "ERROR - DataService" | stats count | eval Overall_Status=case(count&gt;0,"CRITICAL", 1=1, "NORMAL") | append [search index=clo_application_logs host IN (xxxx.com xxxx.comm) "FAIL" | stats count | eval Overall_Status=case(count&gt;0,"CRITICAL", 1=1, "NORMAL")] | stats count by Overall_Status | eval colour=case(test=="NORMAL", "0", test=="CRITICAL", "1", 2=2, Unknown) | sort - colour | fields Overall_Status| head 1 | appendpipe [stats count | where count="0" | fillnull value="No Results" Overall_Status]</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> <format type="color" field="Overall_Status"> <colorPalette type="map">{"CRITICAL":#DC4E41,"NORMAL":#53A051}</colorPalette> </format> </table> </panel> </row>

Newbie in Splunk here. How do I extract the value zzz@zzz.com(at the end of the below payload) in a new field named "user"?     POST /xxxxx/xxxx/xxx/xxxxx HTTP/1.1\r\nHost: xxxx.xxxx.com\r\nConnection: Keep-Alive\r\nAccept-Encoding: gzip\r\nCF-IPCountry: US\r\nX-Forwarded-For: 1.1.1.1, 2.2.2.2\r\nCF-RAY: 715ae60ec98f02ce-MIA\r\nContent-Length: 37\r\nX-Forwarded-Proto: https\r\nCF-Visitor: {""scheme"":""https""}\r\nsec-ch-ua: "" Not A;Brand"";v=""99"", ""Chromium"";v=""101"", ""Google Chrome"";v=""101""\r\nsec-ch-ua-mobile: ?1\r\nauthorization: *************\r\ncontent-type: application/json\r\nbundleid: com.xxx.xxxxx\r\naccept: application/json, text/plain, */*\r\nsecurekey: Sssssss==\r\nuser-agent: Mozilla/5.0 (Linux; Android 12; SM-A326U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Mobile Safari/537.36\r\nsec-ch-ua-platform: ""Android""\r\norigin: https://xxx.com\r\nsec-fetch-site: cross-site\r\nsec-fetch-mode: cors\r\nsec-fetch-dest: empty\r\nreferer: https://myxxx.com/\r\naccept-language: en-US,en;q=0.9\r\nCF-Connecting-IP: 1.1.1.1\r\nCDN-Loop: cloudflare\r\n\r\n{""user"":""zzz@zzz.com""}      

Under the "Compliance" Dashboard in InfoSec App for Splunk there is a number of accounts (AD) that are monitored but that number is different from the accounts monitored under the Health tab. Is this normal?  How do I ensure that they both display the proper amount of AD accounts monitored?

Does anyone happen to know if there is a default time range from eventhub input from Splunk Add-on for Microsoft Cloud Services and where the checkpoint value is stored?  I am unable to find out the information from https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Configureeventhubs. Thanks.

Hi, I am struggling with an SPL.  I am trying to create a report which lists the Online status of specific Site/location pending if there is a message received from it. I need the Online (or Offline) status to be group in a daily format which I have achieved so far with the below SPL.  However, the challenge for me is, when a Site/location goes "Offline", I would like to know the exact hour:min that Last communication was logged.  Currently, the Last_Communication Column is showing me the Date but time is 00:00:00 which I know is not true, I need the exact hour/min the last event got logged for that specific day if it was "Online". Current SPL:       | from datamodel:"mydatamodel" | bin _time span=1d | search field1="comm_message" | eval Online_Status=if(like(Location_field,"xyz"),1,0) | stats sum(Online_Status) AS Message_Counts by _time | eval Online_Status=if(Message_Counts=0,"OFFLINE", "ONLINE") | eval Last_Communication=if(Online_Status="ONLINE",(_time), "OFFLINE") | convert ctime(Last_Communication)         Any help would be greatly appreciated. Thanks

Can you create a query that search for all the logs that got entered in an index for the last 24hours and group it by index? That similar to a table with the number of logs added per index in the period of time you select. It would be much appreciated thank you so much for your help:)

I'm trying to count the number of sessions (known as sessionId) that have more than 2 intents. (An intent is a field value). And also include the total number of sessions, including sessions with 0 or 1 intents. I can't figure out the concept for this query.    index=conversation botId=ccb | eval intent_total=if(intent=*, 1, 0) | stats sum(intent_total) by sessionId | where intent_total > 2 | table sessionId intent_count    

I want to check if the user is detected in other areas based on IP. Detection criteria are pre-written scenarios. In this scenario, we inserted numbers such as rule_1 and rule_2. The purpose of this task is to see that a user who should be in a specified location is detected in a scenario in another location. This is my log table country title Area detail userlist ip USA WA Washington Washington Monument user1 192.168.0.100 USA WA Washington Washington Monument user2 192.168.0.101 USA VA Virginia   user3 192.168.0.102 USA NJ New Jersey   user4 192.168.0.103   i want view

Is there an easy way to implement a recovery alert in the same query as the alert query? For example if I have a system that creates a log file every 10 min if everything is working. I built a query that runs every half an hour and tells me if there is something new in the log location. That part is easy enough but I would also like the same query to be able to send a recovery notification. Or is this not going to be possible because I want to trigger two different actions because from what I can tell you can only configure the one email or slack action per alert?  I did see that there is a splunk addon with VictorOps that has this functionality but I wanted to check here first before I went down that route.

Hi  I am following this documentation from GCP [1], which mentions to omit YOUR_SPLUNK_HEC_URL must not include the HEC endpoint path, for example, /services/collector My question is more specifically related to this section [2], it mentions that format should be  <protocol>://http-inputs.<host>.splunkcloud.com:<port>/<endpoint> You must add http-inputs- before the <host> which one would be the correct url, for eg https://http-inputs.xxxx.splunkcloud.com:433 or https://http-inputs-xxxx.splunkcloud.com:433 Send data to HTTP Event Collector on Splunk Cloud Platform  [1]https://cloud.google.com/architecture/deploying-production-ready-log-exports-to-splunk-using-dataflow#deploy_the_dataflow_pipeline [2]https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Configure_HTTP_Event_Collector_on_Splunk_Cloud_Platform