Hi Community, I dealt with csv files before, splunk would auto extracted so many fields, shown as figure 1. But today, when I try to search these files again, only fewer fields are displayed... shown as figure 2. And the fields I exacted manually also didn't shown... I don't know why... Really need help~~ figure1: Figure 2: Thanks in advance~ BR. Cecilia

Hello, Help me please. I'd like to define multiple search or subsearch to merge all relevant information about alerts. Interesting fields in search are  the hosts - as managed_host field and an uniqe alert number. I do not need alert about all the hosts, so i sort the relevant ones:  index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num |  eval alert=alert_num Thats simple, will show the relevant alert numbers. After that i need to simple search the selected alerts to get ALL the logs ( some of them doesn't contain managed_host filed, so will not appear at first search.) Index=main alert_num=$alert$ How could be merged this two search in one to generate an alert that will contain all relevant information? Thanks, Gabor    

My current Splunk regex query 10.66.189.62 -- -- -[17/May/2022:05:59:16--0400]--502- "POST /astra/sliceHTTP/1.1" req_len=1776-req_cont_len=117-req_cont_enc="-"-res_body_len=341 res_len=733 "https://ninepoint.blackrock.com/astra/". "Mozilla/5.0- (Macintosh; Intel-Mac-OS-X-10_15_7) -AppleWebKit/537.36-(KHTML,-Like-Gecko) Chrome/10.0.4896.127 Safari/537.36" x_fw_for="-".req_time=278.326-ups_res_time=278.326 ups_con_time=0.011-ups_status=502-pipe=. -VNDRegID=undefined- gives me; POST /astra/sliceHTTP/1.1   I want to apply another query on the result of above query to get  POST/astra/sliceHTTP/1.1     ,i.e /astra Is there a way or a better regex pattern which can provide me the following?

I would like to change the color of a cell based on the date. If the date is in the future, then green. If the date is today, then yellow. If the date is in the past, then red. I have read many posts about how to do this based on _time and appending a word to the date ("overdue", for example), but I can't seem to make this work in my case. The field I'm working with is dueDate (not based on _time), and it's formatted as %Y-%m-%d. 

Hi, I'm pretty new in splunk, I've been reading a lot of documentation and other questions here, but I don't find the help that I need. I have this search, every day is a left join like this:   index=myIndex sourcetype=mySource | eval weekday=strftime(_time,"%A") | where weekday = "Monday" | where Systems= "SYSTEM 1" OR "SYSTEM 2" OR "SYSTEM 3" OR "SYSTEM 4" | eval ExpectedTime = case( System="SYSTEM 1", "6:30am", System="SYSTEM 2", "6:35am", System="SYSTEM 3", "6:45am", System="SYSTEM 4", "6:40am" ) | eval CurrentSLO= case( System="SYSTEM 1", "7:15am", System="SYSTEM 2", "7:20am", System="SYSTEM 3", "7:10am", System="SYSTEM 4", "7:10am" ) | eval EndHour=substr(time, 50, 1) | eval EndMin=substr(time, 52, 2) | eval time = EndHour.":".EndMin | eval Mon = " (" .EndHour. ":" .EndMin. "am)" | eval category="CATEGORY 1" | table category Systems ExpectedTime CurrentSLO Mon Tue Wed Thu Fri | rename ExpectedTime as "Expected Time" | rename CurrentSLO as "Current SLO" | rename category as "Category" | join type=left Systems [ search index=myIndex sourcetype=mySource | eval weekday=strftime(_time,"%A") | where weekday = "Tusday" | where Systems= "SYSTEM 1" OR "SYSTEM 2" OR "SYSTEM 3" OR "SYSTEM 4" | eval ExpectedTime = case( System="SYSTEM 1", "6:30am", System="SYSTEM 2", "6:35am", System="SYSTEM 3", "6:45am", System="SYSTEM 4", "6:40am" ) | eval CurrentSLO= case( System="SYSTEM 1", "7:15am", System="SYSTEM 2", "7:20am", System="SYSTEM 3", "7:10am", System="SYSTEM 4", "7:10am" ) | eval EndHour=substr(time, 50, 1) | eval EndMin=substr(time, 52, 2) | eval time = EndHour.":".EndMin | eval Tue = " (" .EndHour. ":" .EndMin. "am)" | eval category="CATEGORY 1" | table category Systems ExpectedTime CurrentSLO Mon Tue Wed Thu Fri | rename ExpectedTime as "Expected Time" | rename CurrentSLO as "Current SLO" | rename category as "Category" . . .   I need to trigger an alert when there is no information for a day of the week. I've been trying whit search count=0, transaction and other failed solution attempts.

hello I count events in a single panel from a relative time like below As you can see, I search only events between 7h and 20h 7 days ago    earliest=-7d@d+7h latest=-7d@d+20h   Now, I dont know if it is possible but I would like to add a condition in this relative time because even if  I  use the timepicker, the result count dont change So I would like to count events only for the last 60 minutes during 7h and 20h for the 7 days ago Is it possible? Thanks