Hi , Thanks in Advance I am trying to onboard json file data to splunk .But i am not forwarding all the data from json file.   My json file format { "aaa": { "modified_files": [ "a/D:\\\\splunk\\\\Repos\\\\/.git/HEAD", "a/D:\\\\splunk\\\\Repos\\\\/.git/config", "a/D:\\\\splunk\\\\Repos\\\\/.git/index", "a/D:\\\\splunk\\\\Repos\\\\/.git/logs/HEAD"] }, "bbb": { "modified_files": [ "b/D:\\\\splunk\\\\Repos\\\\/.git/HEAD", "b/D:\\\\splunk\\\\Repos\\\\/.git/config", "b/D:\\\\splunk\\\\Repos\\\\/.git/index", "b/D:\\\\splunk\\\\Repos\\\\/.git/logs/HEAD" ]  } } I am getting result as like this { "aaa": { "modified_files": [ "a/D:\\\\splunk\\\\Repos\\\\/.git/HEAD", "a/D:\\\\splunk\\\\Repos\\\\/.git/config", "a/D:\\\\splunk\\\\Repos\\\\/.git/index", "a/D:\\\\splunk\\\\Repos\\\\/.git/logs/HEAD"

Any advice on how to fix this command? I pulled it from GoSplunk "Show all successful Splunk configurations by user." This is on Splunk Enterprise. Below is my entered command and I am getting the error: Comparator '=' has an invalid term on the left hand side: host=object index=_audit action=edit* info=granted operation!=list host= object=* | transaction action user operation host maxspan=30s | stats values(action) as action values(object) as modified_object by _time,operation,user,host | rename user as modified_by | table _time action modified_object modified_by  

Hi I have SPL like below: index="myindex" user | rex field=source "\/data\/(?<product>\w+)\/(?<date>\d+)\/(?<server>\w+)" | search server=server1 as we know first search "user" work more quickly but second one "server=server1" take long time specially on large data. is there any way to search "search server=server1" more efficient like "user"? Thanks

Hi, I'm looking for users that login into an application and reset the password at the same time . The logs involved are like this:   Login: 1.1.1.1 - - [31/May/2022:11:15:03 +0200] "POST /servlet/Login HTTP/1.1" 200.....   Pwd Change: 1.1.1.1 - - [31/May/2022:11:15:03 +0200] "GET /PasswordChange/ HTTP/1.1" 200 .......   IP: 1.1.1.1 action : /servlet/Login, /PasswordChange   Ip and action are already extracted, So I need something like if IP1=IP2 and time1=time2 and action1=login and action2=pwdchange.   Thanks in advance!  

Hi I have exactly two SPL, same date range, one with "tracnsaction" command another wirhout it. as you see in picture without transaction timechart show correctly but with transaction last part missed! FYI: 1-I've check log file correctly indexed and available. 2-pair of eachtransaction availabe in log in  missing part. what happen here? any idea?   Thanks  

Hi, I have an event display problem when no events matching the conditions are found. I want to filter only those events that have the "DATA_LAVORAZIONE" (STC) field greater than "OGGI" up to 7 days ahead. In the AMPLIAMENTI sourcetype there are some events for which it returns the sum, while in the DIRETTA sourcetype there are no events, and it does not show me anything. I would like the row with all 0s to be displayed anyway. I tried with fillnull value = 0 field, field, field .... but it doesn't work. Also tried fulldown, but nothing. Do you have any suggestions? Thank you   CODE: index =DATI sourcetype = AMPLIAMENTI |fields - _* |eval OGGI=strftime(relative_time(now(),"-0d@d"), "%Y-%m-%d") |eval OGGI_1=strftime(relative_time(now(),"+1d@d"), "%Y-%m-%d") |eval OGGI_2=strftime(relative_time(now(),"+2d@d"), "%Y-%m-%d") |eval OGGI_3=strftime(relative_time(now(),"+3d@d"), "%Y-%m-%d") |eval OGGI_4=strftime(relative_time(now(),"+4d@d"), "%Y-%m-%d") |eval OGGI_5=strftime(relative_time(now(),"+5d@d"), "%Y-%m-%d") |eval OGGI_6=strftime(relative_time(now(),"+6d@d"), "%Y-%m-%d") |eval OGGI_7=strftime(relative_time(now(),"+7d@d"), "%Y-%m-%d") |eval STC=strftime(strptime(DATA_LAVORAZIONE, "%Y-%m-%d"), "%Y-%m-%d") |where STC > OGGI |eval X = if(STC=OGGI,1,0) |eval X+1 = if(STC=OGGI_1,1,0) |eval X+2 = if(STC=OGGI_2,1,0) |eval X+3 = if(STC=OGGI_3,1,0) |eval X+4 = if(STC=OGGI_4,1,0) |eval X+5 = if(STC=OGGI_5,1,0) |eval X+6 = if(STC=OGGI_6,1,0) |eval X+7 = if(STC=OGGI_7,1,0) |eval TOTALE=if(STC > OGGI AND STC <= OGGI_7,1,0) |eval TUTTI=if(STC > OGGI ,1,0) |sort - DATE_UPD, LINK |dedup LINK |where STATO IN("LAVORAZIONE", "CONFERMA DATA") |stats sum(X) as X, sum(X+1) as X+1,sum(X+2) as X+2, sum(X+3) as X+3,sum(X+4) as X+4,sum(X+5) as X+5, sum(X+6) as X+6,sum(X+7) as X+7, sum(TOTALE) as TOTALE,sum(TUTTI) as OVER |eval TIPOL ="AMPLIAMENTI" |table TIPOL X X+1 X+2 X+3 X+4 X+5 X+6 X+7 TOTALE OVER |append [ search index =DATI sourcetype = diretta |fields - _* |where TIPOLOGIA IN("SUBNET","VOCE") |eval OGGI=strftime(relative_time(now(),"-0d@d"), "%Y-%m-%d") |eval OGGI_1=strftime(relative_time(now(),"+1d@d"), "%Y-%m-%d") |eval OGGI_2=strftime(relative_time(now(),"+2d@d"), "%Y-%m-%d") |eval OGGI_3=strftime(relative_time(now(),"+3d@d"), "%Y-%m-%d") |eval OGGI_4=strftime(relative_time(now(),"+4d@d"), "%Y-%m-%d") |eval OGGI_5=strftime(relative_time(now(),"+5d@d"), "%Y-%m-%d") |eval OGGI_6=strftime(relative_time(now(),"+6d@d"), "%Y-%m-%d") |eval OGGI_7=strftime(relative_time(now(),"+7d@d"), "%Y-%m-%d") |eval STC=strftime(strptime(DATA_LAVORAZIONE, "%Y-%m-%d"), "%Y-%m-%d") |where STC > OGGI |eval X = if(STC=OGGI,1,0) |eval X+1 = if(STC=OGGI_1,1,0) |eval X+2 = if(STC=OGGI_2,1,0) |eval X+3 = if(STC=OGGI_3,1,0) |eval X+4 = if(STC=OGGI_4,1,0) |eval X+5 = if(STC=OGGI_5,1,0) |eval X+6 = if(STC=OGGI_6,1,0) |eval X+7 = if(STC=OGGI_7,1,0) |eval TOTALE=if(STC > OGGI AND STC <= OGGI_7,1,0) |eval TUTTI=if(STC > OGGI ,1,0) |sort - DATE_UPD, LINK |dedup LINK |where STATO IN("CONFERMA DATA") |stats sum(X) as X, sum(X+1) as X+1,sum(X+2) as X+2, sum(X+3) as X+3,sum(X+4) as X+4,sum(X+5) as X+5, sum(X+6) as X+6,sum(X+7) as X+7, sum(TOTALE) as TOTALE,sum(TUTTI) as OVER |eval TIPOL ="SUBNET - VOCE" | fillnull value=0 TIPOL X X+1 X+2 X+3 X+4 X+5 X+6 X+7 TOTALE OVER |table TIPOL X X+1 X+2 X+3 X+4 X+5 X+6 X+7 TOTALE OVER] . (others APPEND) . . |table TIPOL X X+1 X+2 X+3 X+4 X+5 X+6 X+7 TOTALE OVER   RESULT: TIPOL                                  X    X+1   X+2    X+3 ........ TOTAL   OVER AMPLIAMENTI                0       2       1          0     .......       3            3   DESIRED:  TIPOL                                  X    X+1   X+2    X+3 ........ TOTAL   OVER AMPLIAMENTI                0       2       1          0     .......       3            3 SUBNET - VOCE             0      0        0          0  .........       0            0 TKS

Hi Spunkers, I have a request by customer never faced before. For one particular Data Model, the Email one, it is required that certaine filed are always populated, even if the logs have this fields empty and/or are not present. So for example it is required that the field subject is always filled; of course, if subject is not present in events, we have to fill it with a token, like the fillnullvalue function does. The particular part is that the customer required that this filling is performed not at search time, with a fillnull command in search, but by the Data Model itself; so, for example, if a log from mail server arrive and it not contain the subject field and/or it is not populated, the DM must fill it with a token value and so, when a search is executed, subject will be already filled with this token. My question is: is this possible to perform?

There are two queries `query 1` will give ID, TIME fields `query 2` will give list of SPECIAL_ID I want to create a table with TIME, ID, IS_SPECIAL_ID IS_SPECIAL_ID is evaluated to true/false based on the condition where is ID is part of the list SPECIAL_ID  

Hi All,   Does Splunk Security Essentials app also map our custom (user defined) correlation searches to different MITRE tactics & techniques ?  Based on what i see,  if we run the setup wizard it will do so for the pre defined ones that come with ES or with Security Essentials app itself.   There is nothing mentioned about custom correlation searches that one sets up in ES.

Hi guys, I'm using ipinfo to check IPs of my system.       <base search> | stats sum(Download) as Download by DestIP | sort 5 -Size | ipinfo DestIP       The problem is it didn't wait for the final result then call the command "ipinfo", it'll make more request than 5 times, depends on how much DestIP it had. Are there any solutions for this case?