I created a table visualization in dashboard studio. Search query has large numbers. How to format that number to display millions as 1.28M i.e with letter M  Not a mini-program with eval please. Need a good function, format specifer

I'm an intermediate Splunk user.  I have a query that has 3 fields i want to turn into a chart: 1. mySearchTerm (string) 2. geoID(10 values, each is a unique 5 digit number: 10010, 20020, etc...) 3. the count of searchTerms that appear per geoID I am able to get a table going using:     <main query> | stats count(mySearchTerm) as myCount BY geoID, mySearchTerm | table geoID myCount mySearchTerm       But when I go to build a visualization of any kind (bubble, scatter, etc) the layout looks wrong. I'd like to create a visualization of count of mySearchTerm broken down by geoID 2 part question: 1. Does my query seem appropriate for my intended use? 2. Is there a specific chart type that is more suited for this information?

Hello there. I have this stanza configured for event logs on the Domain Controllers: [WinEventLog://Security] disabled = 0 index=winos_i blacklist1 = EventCode="4662" Message="Object Name:\s+CN=(?!mycn-1|mycn-2)" blacklist2 = 538,565,566,576,835,836,837,4931,4932,4933   Basically, I want only the 4662 events related to the CNs above. Well... I push the configuration to the DCs... and suddenly i get ALL 4662 events. What is wrong with that configuration? Can't figure this out. Thank you...

Hello World,  I am attempting to create a search in Splunk that will provide me with any and all changes an admin made to our firewalls. This is part of a "governance" task and we have logs coming from the FWs. Any pointers will be appreciated.  Best, AD

Documenting a solution built while working with ITSI 4.13 and CP for Monitoring and Alerting 1.5 on a Splunk 8.2.4 platform.  The content pack for monitoring and alerting creates the itsi_entity_name_normalizer import job to ensure that every entity will get an alias called entity_name.  They use this alias for other searches in the logic created from the content pack so it is important that it runs as intended.   When the number of entities grows the likelihood of this job failing increases.  Attempts to run the out-of-the-box spl on a larger entity pool will highlight a 414 error that the URI being too long since it looks at the entire pool every run. To fix this issue we need to change the logic in the 'ITSI Import Objects - itsi_entity_name_normalizer' job so it will not run against entities which already have the entity_name alias. Original SPL: | inputlookup itsi_entities | eval entity_name=title Updated SPL: | inputlookup itsi_entities where NOT _itsi_identifier_lookups=entity_name* | search retirable!=1 | eval entity_name=title | eval entity_title=title | head 5000 While the eval for entity_title is redundant it is useful when using the search for ad-hoc entity import cases as the UI will restrict us from mapping title to title.  Doesn't hurt to have it.  If others disagree please update as needed.   Additionally, since we need to control the volume in each batch the head function gives us that flexibility.  We are protected in case we get a large influx of new entities. This assumes you do not need the entity_name field continually overwritten every cycle.  I could not find a reason why it matters to be updated after reviewing the other knowledge items the content pack creates.  Lastly, with the introduction of Entity Management Policies in ITIS 4.x we added an extra filter for entities without the retirable flag set.  If an entity is flagged to be retired we concluded it should be excluded from this job.  Likelihood an entity would qualify would be rare as that function represents the end of an entity lifecycle but no harm in having the extra check. 

Need to compare between the date that the user was entered in the lookup table to the revisit month selected. add panel: <panel depends="$add$"> <title>Add User</title> <table> <search> <query> | inputlookup USB.csv | append [ | makeresults | eval user="$user_tok$", description="$description_tok$", revisit="$revisit_tok$", Action="$dropdown_tok$"] | eval today=strftime( | table _time, user, category, department, description, revisit | lookup lookup_im user as user OUTPUT category department | outputlookup USB.csv</query> <earliest>-24h@h</earliest> <latest>now</latest> <done> <unset token="add"></unset> </done> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel>   reauthorize panel: <panel depends="$reauthorize$"> <title>Reauthorize User</title> <table> <search> <query> | inputlookup USB.csv </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel>

I have some events coming in that use a lookup to resolve to an action eg : Block,block,not sent = blocked tagged, delivered, logged = delivered Occasionally a multivalue field appears such as : Tagged Logged OR Tagged Block the Logic should be :  Tagged Logged = delivered Tagged Block = Block Trying to figure out how to add this logic to utilise the lookup. Played around with nomv which creates a single value field but adds a \n so the value becomes :  Tagged\nLogged But then i need to do do a sedcmd to remove the \n and then add the result to the lookup to resolve the desired action. Is there a better approach in this scenario ?  thx  

Hi  I have two files Filed1 and Filed2, Fileld1 is procedure call and Files 2 is the arguments  i want to make a proper procedure call out of it by replacing "?"  with actual vales from the arguments  Eg:  Filed1  exec procedureABC arg1 = ?, arg2 = ?, arg3 = ? Filed2  arg1=EXEC, arg2=472.59, arg3=ABCI want to make a string like this  "exec proc1 arg1 = EXEC, arg2 = 472.59, arg3 = ABC" How can i do this ?

I have four panels: none, add, remove, reauthorize. When a user's information is added to the textbox and the add dropdown is selected it is written to a lookup table. If the remove is selected then that instance of that user is removed from the csv table. The none panel just displays the current table with the entries. I need to make it so that when add or remove is selected then it goes back to the none panel and shows the updated table. <row> <panel depends="$none"> <title>USb</title> <table> <search> <query> | inputlookup USB.csv </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> <panel depends="$add$"> <title>Add User</title> <table> <search> <query>| inputlookup USB.csv | append [ | makeresults | eval user="$user_tok$", description="$description_tok$", revisit="$revisit_tok$", Action="$dropdown_tok$"] | eval keep_time=_time | table _time, keep_time, user, category, department, description, revisit | eval _time=keep_time | outputlookup USB.csv</query> <earliest>-24h@h</earliest> <latest>now</latest> <done> <unset token="add"></unset> </done> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> <panel depends="$remove$"> <title>Remove User</title> <table> <search> <query>| inputlookup USB.csv | where user != "$user_tok$" | eval keep_time=_time | table _time, keep_time, user, category, description, revisit | eval _time=keep_time | outputlookup USB.csv </query> <earliest>-24h@h</earliest> <latest>now</latest> <done> <unset token="remove"></unset> </done> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> <panel depends="$reauthorize$"> <title>Reauthorize User</title> <table> <search> <query>|inputlookup USB.csv</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row>

Hello Splunkers!! Can anyone please help me on whether the below Solaris version is compatible with Splunk UF version as I can see only Solaris 11 Sparc and Solaris 10,11 64-bit Version UF package is there.  Is there any other way to monitor from this Solaris server?  Checked in  https://docs.splunk.com/Documentation/Splunk/8.2.6/Installation/Systemrequirements#Supported_Operating_Systems as well.   Solaris Version: SunOS 5.10 Generic_150400-49 sun4u sparc SUNW,SPARC-Enterprise Many thanks! Sarah

Hello Team, I have created a web-based python script. When I run it manually from the synthetic agent, it is running fine. But, when i deploy it in AppD and assign it to the same synthetic agent, it is failing in the home page itself. Please suggest me a solution to resolve this issue

Hi I am new to Splunk and the first app I added was Jamf Pro add-on but it won't load, in the readiness app section I saw this warning Details This app is not compatible with Python 3. Version 2.10.5 Application Path /opt/splunk/etc/apps/JAMF-Pro-addon-for-splunk Required Action Do one of the following: Petition the developer to update the app. Uninstall the app from the app listing page. Take ownership of the app and override existing code (not recommended). Dismiss AppGo to App Page Issue:  This app contains an outdated Python SDK. Update to the latest Python SDK.   Anyone else experiencing this issue? Thanks

Hi , I need to find the time difference between two events, these events are when a job on our server starts running and when it finishes. I found this answer to a very similar question https://community.splunk.com/t5/Splunk-Search/Calculate-time-difference-between-two-events/td-p/578640 but when i try this it does not show me the latency (empty). , I think it has something to do with the search words or the conditions I'm using but I am not sure. Any help is appreciated ! index="0200-pio_numb3r5_support-app" "HumanResourceImportJob" AND "transitioning from state 'Processing' to 'Succeeded'. Reason:" OR "transitioning from state 'Enqueued' to 'Processing'. Reason:" AND NOT OnStateUnapplied | where host="AUDIINSA4919" OR host="AUDIINSA4304" | stats earliest(_time) as Start_time, latest(_time) as Finished_time by host | eval Latency=tostring(Start_time-Finished_time, "duration") | table Start_time , Finished_time , Latency , host | fieldformat Finished_time=strftime(Finished_time,"%c") | fieldformat Start_time=strftime(Start_time,"%c") The output is with latency empty:              Start_time                                       Finished_time                       Latency        host 1 Wed May 18 03:30:08 2022 Wed May 18 03:42:47 2022   AUDIINSA4304

Hi Team, I am facing below error while integrating SAP CPI with Splunk through HEC. Error in SAP CPI: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target In trail account, I am not able to edit Global setting to disable EnableSSL check box. So, please let me know how to resolve this issue..