All Topics

Hi, how can I extract only the last 2 words that exist in className? I have a log like this:

    2022-05-24 16:29:51,918 INFO [APP] [ActionName] className[xx.xx.xxx.xxxx.xxx.session.controller.SearchClusterFinancialTcpMBean.search] status[done]
    2022-05-24 16:29:51,918 INFO [APP] [ActionName] className[xx.xx.xxx.xxxx.xxx.session.controller.SearchClusterFinancialTcpMBean.search.attribute] status[done]

Expected output:

    SearchClusterFinancialTcpMBean.search
    search.attribute

Any idea? Thanks,
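Added example (not part of the question or of any reply on this thread): the regex that does this, checked offline against the two lines from the post before pasting it into rex. It generalizes the question to "last n segments"; the sample lines are copied from the post, and the SPL field name is an assumption.

```python
import re

# Constructed sample: the two lines from the question (package names redacted as there).
SAMPLE_LOG = """\
2022-05-24 16:29:51,918 INFO [APP] [ActionName] className[xx.xx.xxx.xxxx.xxx.session.controller.SearchClusterFinancialTcpMBean.search] status[done]
2022-05-24 16:29:51,918 INFO [APP] [ActionName] className[xx.xx.xxx.xxxx.xxx.session.controller.SearchClusterFinancialTcpMBean.search.attribute] status[done]
"""

SEGMENT = r"[^\].]+"   # one dotted segment: anything except '.' and ']'


def tail_pattern(n=2):
    r"""Regex capturing the last n dot-separated segments inside className[...].

    (?:[^\].]*\.)* greedily swallows leading segments and backtracks until exactly
    n segments are left before the closing bracket, so the same pattern works for
    any package depth. Python writes the group as (?P<tail>...); PCRE/SPL uses
    (?<tail>...) - the rest of the pattern is identical.
    """
    tail = r"\.".join([SEGMENT] * n)
    return r"className\[(?:[^\].]*\.)*(?P<tail>" + tail + r")\]"


def extract_tails(log, n=2):
    """Return the captured tail for every line that has a className[...] field."""
    rx = re.compile(tail_pattern(n))
    return [m.group("tail") for m in map(rx.search, log.splitlines()) if m]


def spl_rex(n=2, field="tail"):
    """The same pattern as an SPL rex command, ready to paste after the base search
    (the field name 'tail' is an assumption, pick whatever suits the dashboard)."""
    return '| rex "' + tail_pattern(n).replace("(?P<tail>", f"(?<{field}>") + '"'
```

Run `extract_tails(SAMPLE_LOG)` to get the two expected values; `spl_rex()` prints the rex line for Splunk. Lines whose className has fewer than n segments simply do not match, which is the behaviour you want in rex as well (the field stays null instead of capturing garbage).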
Hello all, could you please help me get a price quote for Splunk Enterprise? I have already contacted the sales team twice but did not get any answer from them.
How would I write the following statement in Splunk? The variables are start_access and last_access. Statement: if 20 days have passed since the start_access AND there was no last_access since the last start_access, then the result is "not active".
Hi everyone, I am trying to collect logs with the "Prisma Cloud Compute (Twistlock) App for Splunk" (Prisma Cloud Compute (Twistlock) App for Splunk | Splunkbase), but I found many error messages from the Python script, as in the picture below, and this is my inputs.conf. Does anyone have any suggestions? Thank you
Hi Community, I have this problem about data correlation; here are the details. The source file is a test result summary named summary.xml, and it's not time sensitive. Splunk will parse the file into some events like event1, 2, 3, etc. The test info is in event 1 and the results are in events 2, 3, 4. My goal is to count the results of all tests under the same info. I don't know how to link this info. What kind of SPL search could I use? For example:

    Summary1.xml:
      event1  test info: alpha
      event2  Pass
      event3  Fail
      event4  Fail

    Summary2.xml:
      event1  test info: beta
      event2  Pass
      event3  Pass
      event4  Pass

The results I expected:

    Test info    results
    alpha        pass: 1, failed: 2
    beta         pass: 3, failed: 0
Hi, I have a basic statement; however, I want the answers to be per second. So I need to divide all the results by 60; however, as I am using the by clause I can't do something like eval count = count/60, as all the columns are different. I might be able to use a for, but this might affect _time. Any ideas? Am I missing something simple here?

    index="murex_logs" | timechart span=1m count by mx.env
Hi All, I am trying to log in to a Splunk instance with the JavaScript SDK using credentials, but it is not working well.

    // Route requests through a proxy endpoint instead of calling port 8089 from the browser
    var http = new splunkjs.ProxyHttp("/proxy");

    // Create a Service instance and log in.
    // Note: the credentials are hard-coded here; they should not be embedded in
    // client-side JavaScript that ships to a browser.
    var service = new splunkjs.Service(http, {
        username: "admin",
        password: "yourpassword",
        scheme: "https",
        host: "localhost",
        port: "8089",
        version: "5.0"
    });

    // Verify we logged in: print the installed apps to the page
    service.apps().fetch(function(err, apps) {
        if (err) {
            alert("Error listing apps");
            return;
        }
        var myapps = "";
        var appsList = apps.list();
        for (var i = 0; i < appsList.length; i++) {
            myapps += "App " + i + ": " + appsList[i].name + "<br/>";
        }
        document.getElementById("applist").innerHTML = myapps;
    });
Hi Team, I wanted to know whether the Splunk License Monitoring Console will show a license usage report for all deployed Splunk products or only for Enterprise. Also, what is the difference between the Monitoring Console and the Cloud Monitoring Console? I mean, I know CMC is for Splunk Cloud Platform and the other one is for Enterprise, but I wanted to check whether both will show a license usage report for all Splunk product deployments (e.g. Splunk RUM, Splunk Enterprise Security, Splunk SOAR, Splunk Threat Research). Do we see the usage report for all products in one dashboard, or is there a different dashboard for each product? Very confused; if anybody has an answer please let me know. Regards, Avinash
Hi, I'm trying to reduce the incidents in our environment, as part of which I am trying to group the events if they have similar fields and error messages. As part of this I have the below:

    itsi_entity=xxx (hostname)
    itsi_correlation_key=alertname."~".fingerprint (the fingerprint is unique for each alert)

Now in my environment I have multiple hosts which may generate the same alert. My search is working well when it comes to a single host, where it gives a correlation key like below:

    itsi_entity: xxx
    itsi_correlation_key: spacealert ~6089797
    itsi_message: Nodes affected: xxx description: space alert

If an itsi_entity has multiple hosts which are impacted, then it looks like below:

    itsi_entity: abc,xvz,def
    itsi_correlation_key: null (does not display anything)
    itsi_message: Nodes affected abc,xvz,def description: high CPU alert

I need some help here to display the correlation key if the entity has multiple values.
Hello! I want to ask about Private Spacebridge for Splunk Secure Gateway. Has anyone got a response after submitting for the Beta? After a long time of waiting I don't have any response from Splunk. I really want to test it out in my company. Is there any other chance to get the private (on-prem) version? I'm talking about this: https://www.splunk.com/en_us/form/privately-hosted-spacebridge-for-splunk-secure-gateway.html
Hi, I'm trying to load an Excel file from the Phantom vault to update the data inside. I'm able to fetch the file but couldn't open it to update the cell values. Can anyone help me with the custom code to read and write the vault files?
Hello, I am configuring a custom Splunk alert. My search query is as follows:

    | dbxquery connection="FFconed_feTenant" query="select count(file_name) as file_count, DATE_FORMAT(created_at,\"%m/%d/%y %W\") as date from ida_files_inventory where created_at > Date_sub(Curdate(), INTERVAL 30 Day) and created_at < Curdate() group by DATE_FORMAT(created_at,\"%m/%d/%y %W\")"
    | fields file_count,date
    | where file_count<100
    | chart avg(file_count) as avg_count

I want to send an alert when the file_count is less than 0.95*avg_count or greater than 1.5*avg_count. So can I configure a custom alert with the condition "search file_count < (0.95*avg_count) OR file_count > (1.5*avg_count)"?
Hello, I am trying to use the Java SDK to update a lookup automatically on a daily basis. My source is a CSV file with ca. 22000 rows. My current approach (and the approach from the other thread in the community) consists of reading the CSV row by row and updating the KV Store via search jobs using outputlookup. After some hundreds of lines the server refuses the connection and my searches raise exceptions. My question is: is there a smarter way of updating the KV Store (or uploading the CSV as a whole) using the Java SDK? I can get information about the KV Store using:

    service.getConfs().get("collections").get("KV_Name")

But I did not find a way of accessing the data within the KV Store in the documentation/javadoc. Thanks in advance
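Added example, not the poster's code and not from the Java SDK: the KV Store has a REST data endpoint, storage/collections/data/<collection>, and its batch_save action takes a JSON array of documents, so 22000 rows become a couple of dozen requests instead of thousands of search jobs. The example below does that with only the Python standard library so the chunking and request shape can be checked offline; the same two HTTP calls can be issued from any client. The CSV content, the app name "search", the owner "nobody" and the session key are constructed; the 1000-document batch limit is Splunk's default max_documents_per_batch_save.

```python
import csv
import io
import json
import urllib.request

# Splunk's default cap on documents per batch_save call
# (limits.conf [kvstore] max_documents_per_batch_save). Stay at or below it.
BATCH_LIMIT = 1000

# Constructed stand-in for the poster's CSV; column names are assumptions.
SAMPLE_CSV = """host,owner,criticality
web01,team-a,high
web02,team-a,medium
db01,team-b,high
"""


def csv_to_docs(text):
    """Each CSV row becomes one KV Store document (a flat JSON object)."""
    return list(csv.DictReader(io.StringIO(text)))


def chunks(docs, size=BATCH_LIMIT):
    """Split the document list into batch_save-sized slices."""
    return [docs[i:i + size] for i in range(0, len(docs), size)]


def data_url(base, app, collection, owner="nobody"):
    """REST data endpoint of a collection defined in collections.conf of <app>."""
    return f"{base}/servicesNS/{owner}/{app}/storage/collections/data/{collection}"


def batch_save_request(base, app, collection, session_key, batch):
    """POST a JSON array to .../batch_save; the server assigns _key to documents
    that do not carry one. Authenticate with the session key from /services/auth/login."""
    return urllib.request.Request(
        data_url(base, app, collection) + "/batch_save",
        data=json.dumps(batch).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Splunk {session_key}",
                 "Content-Type": "application/json"})


def clear_request(base, app, collection, session_key):
    """DELETE on the data endpoint removes every document, which is what a
    daily full replacement of the lookup needs before re-loading."""
    return urllib.request.Request(
        data_url(base, app, collection), method="DELETE",
        headers={"Authorization": f"Splunk {session_key}"})


def decoded_body(req):
    """Parse a request body back into Python (used to inspect what will be sent)."""
    return json.loads(req.data.decode("utf-8"))


def replace_collection(base, app, collection, session_key, csv_text,
                       opener=urllib.request.urlopen):
    """Clear the collection, then upload the CSV in batches. Returns the row count.
    'opener' is injectable so the flow can be dry-run without a Splunk instance."""
    opener(clear_request(base, app, collection, session_key)).close()
    docs = csv_to_docs(csv_text)
    for batch in chunks(docs):
        opener(batch_save_request(base, app, collection, session_key, batch)).close()
    return len(docs)
```

Against a real instance, call `replace_collection("https://splunk:8089", "search", "KV_Name", session_key, open("lookup.csv").read())`. If the lookup definition points at the collection, the outputlookup step disappears entirely; if a document already carries a `_key`, batch_save updates that record instead of inserting a duplicate.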
Hi guys, I'm using Splunk 8.0. I want to create a command that can send some info to another platform via web or API. I read the Dev page but it is hard to understand. Do you know some easy script? For example, I have a table after a search:

    a    b    c   Action
    312  213  13  1
    13   123  46  0

When Action=1, the script will send the info {a:1,b:213,c:13} to another platform, e.g. send a message to Telegram.

    <basesearch> | where action=1 | sendinfo a,b,c
Hi, here is my SPL, which shows the different statuses:

    index="myindex" | rex "status\[(?<status>\w+)" | stats count(status) by status

Here is the current result:

    status        count(status)
    successful    3581

Here is the expected result:

    status        count(status)
    successful    3581
    fail          0
    exception     0

FYI: sometimes fail or exception might not be in the log file, and sometimes they might exist; I need to show them in the stats result even if these statuses do not exist. Any idea? Thanks
Hi, closing a high number of incidents was always done, but the slowness is a new thing. Now we are facing slowness when closing a high number of incidents. Is there a way to improve this? Please, your support. We have Splunk version 8.2.4 and Enterprise Security 7.0.0. Regards
Hi, I am trying to set up Cluster Monitoring and wish to integrate it with my REST API scraper. However, in the metric browser only the hardware resources of the cluster and containers are available. So in this case the metric API is not able to fetch the pod state etc. details. I need the following metrics via the API. Please indicate the right way of achieving this.
Hi Team, I have the below JSON structure:

    data.searchByUserName.customerDetails....
    data.searchByLastName.customerDetails....
    data.searchByUUID.customerDetails....
    data.searchByDOB.customerDetails....

While creating a search query I need to give the search type highlighted above in bold as a wildcard, like data.*.customerDetails. Is there any way I can achieve it? Thanks in advance!
Hide tables from a dashboard if there are no results. Is there a generic command? I have around 900 tables in a dashboard and I refuse to set 900 different tokens.
Hi, I'm trying to set up the HTTP integration in ChirpStack for some IoT devices, to forward JSON data into Splunk via the HTTP Event Collector; however, when the data is sent, Splunk reports "ERROR HttpInputDataHandler... reply=5... parsing_err="No data"". I've been logging the data sent to the Splunk server from the ChirpStack server with Wireshark. If I pull the JSON data and URI from each packet and send that to Splunk via curl instead, it imports just fine and I get a Success response back from Splunk. Has anyone had a similar issue in the past? I've found essentially nothing on a ChirpStack/Splunk stack out there. This is (part of) the curl command I've tested with, which works successfully:

    curl -H "Authorization: Splunk 11f6095d-9907-4649-a706-b75ebca67ecc" \
      "http://192.168.16.18:8088/services/collector/event?event=up" \
      -d '{"event":{"applicationID":"1","applicationName":"LHT65","deviceName":"LHT65-Test3","objectJSON":"{\"BatV\":2.918,\"Ext_sensor\":\"Temperature Sensor\",\"Hum_SHT\":\"41.1\",\"TempC_DS\":\"-4.00\",\"TempC_SHT\":\"4.29\"}","deviceProfileName":"LHT65"}}'
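Added example, not the poster's code and not from ChirpStack or Splunk: a minimal HEC client for the /services/collector/event endpoint that shows the two things the error in the post hinges on. HEC answers code 5 "No data" when the request body is empty and code 12 "Event field is required" when the JSON body lacks the "event" envelope, so the client builds the envelope itself, refuses to send an empty body, and maps the reply code back to its meaning. The sample uplink mirrors the one in the post; the sourcetype name and the token placeholder are assumptions, and the optional decoding of objectJSON (which ChirpStack ships as a JSON string inside the JSON) is a design choice, not something the integration does.

```python
import json
import urllib.error
import urllib.request

HEC_URL = "http://192.168.16.18:8088/services/collector/event"   # from the post
HEC_TOKEN = "REPLACE-WITH-HEC-TOKEN"                              # placeholder, not the poster's token

# HEC reply codes this client distinguishes (the full list is in the HEC
# response-code reference). Code 5 is the one logged in the question.
HEC_CODES = {
    0: "Success",
    5: "No data",
    6: "Invalid data format",
    12: "Event field is required",
    13: "Event field cannot be blank",
}

# Constructed uplink in the shape ChirpStack's HTTP integration posted in the question.
CHIRPSTACK_UPLINK = {
    "applicationID": "1",
    "applicationName": "LHT65",
    "deviceName": "LHT65-Test3",
    "objectJSON": "{\"BatV\":2.918,\"Ext_sensor\":\"Temperature Sensor\",\"Hum_SHT\":\"41.1\"}",
    "deviceProfileName": "LHT65",
}


def hec_envelope(payload, sourcetype="chirpstack:uplink", decode_object_json=True):
    """Wrap a raw integration payload in the {"event": ...} envelope that the
    /services/collector/event endpoint requires (a body without "event" gets code 12).
    objectJSON arrives as a JSON string; decoding it lets Splunk index the sensor
    readings as fields instead of one escaped blob. sourcetype is an assumption."""
    event = dict(payload)
    if decode_object_json and isinstance(event.get("objectJSON"), str):
        event["objectJSON"] = json.loads(event["objectJSON"])
    return {"sourcetype": sourcetype, "event": event}


def encode_body(envelope):
    """Serialise the envelope; an empty body is exactly what HEC rejects with code 5."""
    body = json.dumps(envelope).encode("utf-8")
    if not body:
        raise ValueError("refusing to send an empty body: HEC would answer code 5 'No data'")
    return body


def build_request(url, token, envelope):
    """POST with the HEC token scheme ('Authorization: Splunk <token>')."""
    return urllib.request.Request(
        url, data=encode_body(envelope), method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})


def decoded_body(req):
    """Parse a prepared request body back into Python for inspection."""
    return json.loads(req.data.decode("utf-8"))


def parse_reply(reply_text):
    """HEC replies with JSON like {"text":"Success","code":0}; return (ok, meaning)."""
    reply = json.loads(reply_text)
    code = reply.get("code")
    return code == 0, HEC_CODES.get(code, reply.get("text", f"code {code}"))


def send(url, token, payload, opener=urllib.request.urlopen):
    """Send one uplink to HEC and return (ok, meaning). HEC returns HTTP 400 with a
    JSON body for rejected data, so the error branch parses the body too."""
    req = build_request(url, token, hec_envelope(payload))
    try:
        with opener(req, timeout=10) as resp:
            return parse_reply(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        return parse_reply(e.read().decode("utf-8"))
```

Calling `send(HEC_URL, HEC_TOKEN, CHIRPSTACK_UPLINK)` against the collector reproduces the working curl from the post; pointing the integration at this client (or at a small relay built on it) lets you compare what ChirpStack actually puts on the wire with what HEC accepts, since a code 5 reply means the body HEC saw was empty regardless of what the query string said.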