I am trying to get the total count of a field called ID for earliest and latest time for a particular time range. Assume I am looking for a time range of Mor 8AM to 5PM . I want the count of total for a field called "ID" for 8AM TO 9AM and also count from 4PM TO 5PM for field called 'ID" and show what is different if there is a difference in values of ID for hours 8AM TO 9AM and 4PM TO 5PM .   Following is the query I am using index=test | rename "results{}.id" as "id" | bin _time span=1h | stats count(id) as total by _time | delta total as difference | fillnull value=0 |eval status=case(difference=0, "No change", difference<0, "Device(s) Removed" , difference>0 ,"Device(s) Added") | search status!="No change" | rename _time as time | eval time=strftime(time,"%m/%d/%y %H:%M:%S")

Hello everyone. I'm fairly new to Splunk, I've recently joined a job as a security analist in a SOC where I get to use this cool tool. This question is kind of a continuation to my previos post: https://community.splunk.com/t5/Splunk-Search/Help-on-query-to-filter-incoming-traffic-to-a-firewall/m-p/599607/highlight/true#M208701 I had to make a query to do two things: First, look for any potential policy with any ports enabled. Second, find out which of these policies were allowing or teardowning request coming from public IP addresses. For this I came up with this query which does the work imo:   index="sourcedb" sourcetype=fgt_traffic host="external_firewall_ip" action!=blocked | eventstats dc(dstport) as different_ports by policyid | where different_ports>=5 | eval source_ip=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src) OR cidrmatch("172.16.0.0/12", src),"private","public") | where source_ip="public" | eval policy=if(isnull(policyname),policyid,policyid+" - "+policyname) | eval port_list=if(proto=6,"tcp",if(proto=17,"udp","proto"+proto))+"/"+dstport | dedup port_list | table source policy different_ports port_list | mvcombine delim=", " port_list   However, the problem I'm having is that the port list is being shown like if it was one big list, like this: 1 2 3 4 5 I'd like for it to show like this: 1, 2, 3, 4, 5 I've also tried replacing the table command with a stats delim=", " value(port_list) but I've had no success. I'd appreciate if you could give me some insight on how could I solve this, I had in mind trying mvjoin but had no clue on how to approach it. Thanks in advance.

Dear all, I have below table, FieldA (String) FieldB to FieldE (Numeric). Can we base on the FieldA value to change color for FieldB to FieldE? logic will  below 1. update cell for Field B as red when (FieldA = "1111" or "3333" or "4444") and FieldB cell value >0 2. update cell for Field C as red when (FieldA = "2222" or "3333" ) and FieldC cell value >0 3. update cell for Field D as red when (FieldA = "2222" or "3333" ) and FieldD cell value >0 4. update cell for Field E as red when (FieldA = "4444" ) and FieldE cell value >0    

I am in Splunk Enterprise trying to create a Dashboard in the source code. When I input the below code it says on the UI "Unable to create search" in regards to the User: All section Is this a user role restriction preventing me from searching all users or something else? It does not have any errors in the edit source page. Below Code: <form theme="dark"> <label>Splunk Search Activity</label> <fieldset submitButton="true" autoRun="false"> <input type="time" token="time1"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> <input type="radio" token="exclude1" searchWhenChanged="true"> <label>Splunk System User</label> <choice value="user!=splunk-system-user">exclude</choice> <choice value="*">include</choice> <default>user!=splunk-system-user</default> <initialValue>user!=splunk-system-user</initialValue> </input> <input type="multiselect" token="user1"> <label>User:</label> <fieldForLabel>user1</fieldForLabel> <fieldForValue>user</fieldForValue> <search> <query>index=_audit action=search search!="'typeahead*" $exclude1$ | stats count by user</query> <earliest>$time1.earliest$</earliest> <latest>$time1.latest$</latest> </search> <choice value="*">all</choice> <default>*</default> <initialValue>*</initialValue> <delimiter> </delimiter> </input> <input type="text" token="filter1"> <label>Search Filter:</label> <default>*</default> <initialValue>*</initialValue> <prefix>"*</prefix> <suffix>*"</suffix> </input> </fieldset> <row> <panel> <table> <search> <query>index=_audit action=search search!="'typeahead*" user="$user1$" search=$filter1$ $exclude1$ | stats count by _time user search total_run_time search_id app event_count | sort -_time</query> <earliest>$time1.earliest$</earliest> <latest>$time1.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form>

Hi All, I have a multi-value field as shown below- _time                                      field_test 2022-05-13 04:36:00 test_data_1   test_data_2   test_data_3   test_data_4 2022-05-13 03:30:00    test_data_9   test_data_10   test_data_3   test_data_4   For the above two events, I am trying to write a query which can provide me the common values such that result is- test_data_3 test_data_4   Please help me on how can I accomplish it?    

One problem that I have with alerting from Splunk is that when I alert by email, total width of the table can exceed what the recipient can handle lookin at.  I'd like to start transposing my result table to address this.   That is, I'd like to go from sending alerted results like this time field1 field2 field 3 5/31/2022 value1 value2 really long value 3, so long that it creates a formatting problem. Oh noes! What will I do? To something more like this: Time: 5/31/2022 field1: value1 field2: values2 field3: really long value 3, so long that it creates a formatting problem. Oh noes! What will I do?   I know that I could create a field name called "alert fields" and manually create the fields, but is there a simple way to do this in Splunk

Hi, We have a tier related to a java process. The point is that this tier is related to a batch process. However, it is recognized as a normal process and it is not unregistered after a time although it finished its function time before. So, is there any way to control the time in which a node can be unregistered automatically if it doesn't have any traffic for a time? Thanks, Carlos