Working with this query, I'm hoping to get only results where field values are greater than the other.     index="index*" | eval MonthNumber=strftime(_time,"%m") | chart eval(round(avg(durationMs), 0)) AS avg_durationMs by properties.url, MonthNumber | rename 04 AS "Apr", 05 AS "May"      I want to get only results of where Apr values is greater than May by 10  

The Splunk documentation for setting up Predictive Analytics Alerting has you create a correlation PER Service that Predictive Analytics is setup on.  Has anyone tried to create a single correlation search to handle all their Predictive Analytics alerting and is there any documentation(Jeff Wiedemann's Alerting Blueprint didn't cover that) that would give someone some ideas on best approach? Below is the relevant Splunk Documentation: “ You click the bell icon  in the Worst Case Service Health Score panel to open the correlation search modal. You want ITSI to generate a notable event in Episode Review the next time the Middleware service's health is expected to degrade.” https://docs.splunk.com/Documentation/ITSI/4.12.1/SI/UseCase#:~:text=ITSI%20Predictive%20Analytics%20use%20case%20With%20ITSI%20Predictive,that%20you%20can%20use%20to%20make%20business%20decisions.

Hello,   I need some help. I am new to Splunk and have run into an issue. I want to have table that will display Computer Name, Physical Address, Device Type, IP Adress, and what version of Office thy Have (2013 or 365). The data is under one index but 3 different source types.   Index=Desktops SourceType 1= AssetInfo - It has lots of fields but the 3 I care about is PysAddress, DevType, ComputerName  SourceType 2 = Network - It has many fields but the only tw I want, and they are called IPAddress, Computer SourceType 3 = Software -  It has 3 fields, I care about all 3, which are Compuetr, SoftwareName, Software Verison. I want to pull info from all 3 source types and make one table. the common filed is computer name. The first issue is that in SourceType 1 the field is called ComputerName and the other 2 sourcetypes it is Computer. I know I could do a rename command on the sourcetype 1 if I had to. I have tried the OR Boolaen, Multisearch command, Union command and Join but I can never seem to get it to work right, the table gets created but the info it pulls he IP and creates one line then a seperate line for software. they are never ont eh same line. the next issue is that I need to filter on software that contains Microsoft office 2013 or Office 365.  Any Ideas would be welcomed

Hi all, I'm in the process of setting up performance reporting for services provided for a client. The logic in question is very simple: average response of the service and volume over a predetermined time period. I'm having trouble including services with 0 calls during the time period in question. It is important to the end user that they see which services are not being called as well. I've coded up two solutions and neither is giving me what I need. I've also looked at https://community.splunk.com/t5/Splunk-Search/Include-zero-count-items-from-lookup/m-p/177260, but I'm having trouble understanding how this applies to my solution outside of the outputlookup.  The format of the table desired is: Service - Average Response - Volume. Solution 1 - base search - works but does not include 0 values for obvious reasons: index=******************************************** | lookup services.csv service AS liveDataField OUTPUT service | stats avg(ResponseTime) AS AverageResponseTime, count AS Volume BY service | eval AverageResponseTime=round((1000*AverageResponseTime), 2) | fillnull value=0 AverageResponseTime My first thought was to add in a lookup table with all the services, and build off of that: index=******************************************** | inputlookup append=t services.csv | lookup services.csv service AS liveDataField OUTPUT service | stats avg(ResponseTime) AS AverageResponseTime, count AS Volume BY service | eval AverageResponseTime=round((1000*AverageResponseTime), 2) | fillnull value=0 AverageResponseTime This gives me what I need in terms of zero values, but instead of returning a count of 0, it returns Volume=1 for each service with zero hits. It also increments each service's volume by one erroneously. I suspect this is due to the inputlookup append=t. I've also tried doing an eval count=0 initially.  TL;DR - adding in a lookup to address zero count items caused each service's volume to be incremented by 1. Is there a quick fix for this? Or perhaps a better way of doing it altogether? Cheers

For the latest version, Version 5.2.4, I have vulnerability data coming in from Tenable.SC. How can I filter the results based on the scan name? Cannot seem to figure it out. I remember in previous versions, we could leverage scan_result_info.name, but not in this latest version. Any thoughts is appreciated. Thanks

Not sure if this is a limitation of Phantom prompt block or if someone has figured this out already. I am using a prompt block to allow a user build up a config file that will eventually be sent to Splunk to create a saved search. The questions allow the user to select specific values for fields to generate the metadata necessary for the splunk saved search (splunk query, time fields, eval fields, etc).  The response type for the question is a list of choices. There are two choices: The existing field value (which comes from the config file that was pulled via prior action call) CHANGE (which would be selected when the value needs to be changed) When using the response type 'list', is there a way to have #1 be set as the default response? Therefore, you would only have to select CHANGE from the drop down, rather than having to select the existing field's value every time if it doesn't need changed.

I have a project where I want to use a Splunk dashboard to show how some metrics can change over time. The metrics come from a device that we log in to via CLI and run a command to show some stats. I'm new to doing this from scratch with Splunk. I would appreciate any help in understanding the best way to do it. The workflow is as follows: Using a script: script, gain access to the target device run a command that gathers the required data Capture the output Parse/edit to a compatible format Ingest/Import into Splunk Display in Dashboard Update metrics every x minutes (provisinally 15 or 30)   Assuming we have a script that can gather the data, the questions I have are: 1) What's the best format to have the data for Splunk?  2) What's the best way to get the data into Splunk ? 3) How do I automate this process?   Thanks for any help and guidance.    

Hi all, I'm checking out the "merge-buckets" command. I created an index with 1000 events per bucket. in sum my index have    ~/splunk/bin/splunk search "| dbinspect index=testbuckets2 | stats count" count ----- 5479     buckets.   ~/splunk/bin/splunk merge-buckets --index-name=testbuckets2 --min-size=1 --max-count=1000 Using the following config: --max-count=1000 --min-size=1 --max-size=1000 --max-timespan=7776000 Found (300) buckets to merge. Starting to merge (300) buckets. Number of buckets already merged: 0/300 (0.00%). New Bucket: /Users/andreas/splunk/var/lib/splunk/testbuckets2/db/db_1653310364_1653310268_17359 Number of buckets merged: 300/300 (100.00%). Number of buckets created: 1. Time taken: 27 seconds, 21 milliseconds     after the operation i see 299 buckets less   ~/splunk/bin/splunk search "| dbinspect index=testbuckets2 | stats count" count ----- 5180     running merge-bucket a second time doesn't merge any further buckets.  It seems there is a hardcoded limit of 300 buckets?! any good reason for this? best regards, Andreas

Is it possible to apply event sampling only to a part of a search instead of complete search? For ex I have data coming from two datasets and I want the event sampling applied to only one dataset related search, is there a way to do this in splunk? 

Hi I have a use case where were are sending in Number of Metric per second 28,000 Number of Logs per second 3,360. We are using approximately 2 CPU cores, the image is from a 6 core machine so 32 is ~2 cores. Is this expected or is there something I can do to reduce this usage? Any help would be great - cheers

Hello Splunkers!   I am looking for the Splunk Add-on for Ruckus Wireless apps file.    I can't find in the Splunkbase.    Is there any place that I can find 'Splunk Add-on for Ruckus Wireless App'?   Thank you in advance. 

Error downloading update from https://splunkbase.splunk.com/app/3803/release/2.0.10/download/: Forbidden   can some one please share reason why it is throwing this error,  i m able to add-on other apps but Sailpoint adoptive response add-on is failing to install in splunk. appreciate your answer!! Thanks, Gopinadh

I'm using Database connect V3.9.0. I'm trying use it to connect to impala Database which is external Database but I cant find the external database option to add it (as shown in the attached snapshot). Should I add another app or plugin to add external database connection feature? Thanks,