Hi, I need to create some monitoring and alerts based on high response time of my landing page. The thing is there are always some blips so I want to rule that out and only trigger notifications when there is a consistently high response time for a period of time say 20 mins or 30 mins. How can a write a query like that? I have written a very generic query which gives me the average and 90th percentile response time of every 5 mins like below but I want to trigger the alert only when there is consistently high response times. Let me know if anyone has any suggestions.   index=myapp_prod sourcetype=ssl_access_combined requested_content="/myapp/products*" | eval responseTime= responseTime/1000000 | timechart span=5m avg(responseTime) as AverageResponseTime p90(responseTime) as 90thPercentile   As an example - let's say I want to run the alert every 30 mins and check the condition if there are consistently high response times in last 30 mins or 1 hour, then trigger the alert to send out notifications. Any help is appreciated. Best Regards, Sha

Hi, My requirement is i need to pull more than 10 million data from database and index in splunk. I want to understand, if this badly affects the performance of the stack, will there be any infrastructure related issues. How can we index such huge volume of data safely into Splunk?

Hello Everyone, I have a set of data with a lot of HTTP requests, where I want to extract only the tokens highlighted below.  header=Authorization=Basic MmQyXXXXXXXXNDVjOTlkNTJlM2M0ZjA1MzVjYTI4ZGZkMzJmNTBlMjk=     2022-05-13 10:07:07,772 INFO [io.undertow.request.dump] (default task-13778) ----------------------------REQUEST--------------------------- URI=/auth/realms/Public/protocol/openid-connect/token characterEncoding=null contentLength=29 contentType=[application/x-www-form-urlencoded;charset=UTF-8] header=Accept=application/json, application/x-www-form-urlencoded header=Cache-Control=no-cache header=Pragma=no-cache header=User-Agent=Java/11.0.4 header=Connection=keep-alive header=Authorization=Basic MmQyXXXXXNDVjOTlkNTJlM2M0ZjA1MzVjYTI4ZGZkMzJmNTBlMjk= header=Content-Type=application/x-www-form-urlencoded;charset=UTF-8 header=Content-Length=29     I tried with the Field Extractor wizard, but with no luck.  Can you please advise, how to achieve this? 

We have a  service for which we have splunk dashboard is in place and right now the dashboard have the limitation that it can populate based on 3 month old data due to log retention policy , but right now there is a business requirement that the dashboard should populate based on forever data. so here i want to understand what can be efficient and economical way to extend the log retention to forever in Splunk.

Hi All, I want to view all the dashboards which we have configured in Splunk. While I am trying with the below commands, but it's not giving me the expected output. Could you please anyone help me to resolve this issue?   | rest /services/data/ui/views | search isDashboard=1 .      

Hello, everyone I need help from community. I want to make search that will find two+ events from same host, for example user=David action=success AND user=Mike, but this events must be only on one host. Thank you in advance.

I have a query that calculates a certain value when a particular condition is met. | eval Other_Failures = Total_requests - (OpFail + FuncFail) |  where httpcode!=200  But I'm not getting any events from this. How can I correct this?

Hello all, The transaction command is not correctly grouping the events in query 1). The expected result is given by query 2). In the end, I need to run the query without the user_id filter which I used just for results validation. Please, help! 1)   index="myindex" system="mysystem" url="https://myurl/" | fields _raw, userId, eventDate | rex field=_raw "(?<session_id_key_value>x-sessionid:[^;]*)" | eval fields=split(session_id_key_value, ":") | eval session_id=mvindex(fields, 1) | rex field=_raw "(?<original_url>X-Original-URL:[^;]*)" | eval fields=split(original_url, ":") | eval original_url=mvindex(fields, 1) | where isnotnull(session_id) AND session_id != "" AND isnotnull(userId) AND userId != "" | rename userId as user_id | transaction session_id maxevents=150 keepevicted=true mvlist=true | where user_id="123456" | table user_id, session_id, eventcount, duration, eventDate, original_url     Result: 4 events Eventcounts: 15 (session_id: 123), 3 (session_id: 345), 4 (session_id: 345), 14 (session_id: 345) eventDates: 04/30/2022 18:57:37 - 04/30/2022 18:57:43, 04/26/2022 20:21:23 - 04/26/2022 20:21:24, 04/26/2022 20:12:04 - 04/26/2022 20:15:43, 04/26/2022 20:01:30 - 04/26/2022 20:01:39, 2)   index="myindex" system="mysystem" url="https://myurl/" userId="123456" | fields _raw, userId, eventDate | rex field=_raw "(?<session_id_key_value>x-sessionid:[^;]*)" | eval fields=split(session_id_key_value, ":") | eval session_id=mvindex(fields, 1) | rex field=_raw "(?<original_url>X-Original-URL:[^;]*)" | eval fields=split(original_url, ":") | eval original_url=mvindex(fields, 1) | where isnotnull(session_id) AND session_id != "" AND isnotnull(userId) AND userId != "" | rename userId as user_id | transaction session_id maxevents=150 keepevicted=true mvlist=true | table user_id, session_id, eventcount, duration, eventDate, original_url     2 events Eventcounts: 15 (session_id: 123), 21 (session_id: 345) eventDates: 04/30/2022 18:57:37 - 04/30/2022 18:57:43, 04/26/2022 20:01:30 - 04/26/2022 20:21:24   Thanks!

Hi, I have 2 queries: Query1: Message1,EventCode,Status aaaaa,4625,0XC0000234 Query2: Status,EventCode,action 0xC0000234,4625,denied 0XC0000234,4776,failure *note the lower and uppercase "x". Case sensitive In Query1, the status field is always uppercase (e.g. 0XC0000234 and not 0xC0000234 nor 0xc0000234) When i perform a search and lookup: index=a host=b | table Message1,EventCode,Status  | lookup blabla.csv Status OUTPUT action I'm getting the output: Message1,EventCode,Status,action aaaaa,4625,0XC0000234,failure Above is incorrect as 4625 should return "denied" instead of "failure" How do i do a lookup to first: Check the EventCode Return the corresponding action field with case insensitive Or is there a better way aside from the 2 points i mentioned above? Appreciate the help!  

I have events from a device sent to splunk every day seen in the example below. Here is an example of that I want to happen: If I ran a search on 2022-05-02, my result would show "Event 1" because the "last_fixed" date is older than "last_found" date. But if I run the same search on 2022-05-04 it will show event 5 because the "last_fixed" date is newer than "last_found" date. I am trying to search the last 30 days for all events to see what device still needs attention. I want to show the oldest event that has "last_found" date unless there's a newer event with the "last_fixed" date newer than "last_found" My Search: index=01  | dedup Device IP_Address  sortby +_time | table dest ip_address Event 1:  Time: 2022-04-29 Device: aaa.local IP_Address: 10.10.10.5 last_fixed: 2022-04-04T21:07:01.592Z last_found: 2022-04-29T05:52:57.742Z Event2:  Time: 2022-04-30 Device: aaa.local IP_Address: 10.10.10.5 last_fixed: 2022-04-04T21:07:01.592Z last_found: 2022-04-30T05:52:11.663Z Event3:  Time: 2022-05-01 Device: aaa.local IP_Address: 10.10.10.5 last_fixed: 2022-04-04T21:07:01.592Z last_found: 2022-05-01T05:53:36.270Z Event4:  Time: 2022-05-02 Device: aaa.local IP_Address: 10.10.10.5 last_fixed: 2022-04-04T21:07:01.592Z last_found: 2022-05-02T05:55:02.180Z Event5:  Time: 2022-05-03 Device: aaa.local IP_Address: 10.10.10.5 last_fixed: 2022-05-03T05:54:03.611Z last_found: 2022-05-02T05:55:02.180Z   Would the best way to do this is by using eval? 

I want to create a custom alert action that when the alert fires, it takes the host from the search results, and uses it is a token to remotely restart a host. I can get the REST URL right, but how do I get the alert to use host as a token?

Hi, so my team is currently has some data on Splunk cloud.  My task is to use your REST API to get this data using python. On Splunk web I get this data by using the following query:   | from inputlookup:"cloud_accountList"    I have written a simple python script to get the data:   splunkTenant = 'avc3' splunkURL = { 'api': f"https://ab1.{splunkTenant}.splunkcloud.com:1234", } splunkCredentials = { 'user': 'test_user', 'password': 'SplunkIsGreat' } searchString = f"| from inputlookup:\"cloud_accountList\"" search = { 'search': searchString, 'output_mode': 'json' } splunkEndpoints = { 'returnedAppSearch': f"{splunkURL['api']}/servicesNS/{splunkCredentials['user'].upper()}", } cacertpath = '/Users/***/Downloads/cacert.pem' searchURL2 = f"{splunkEndpoints['returnedAppSearch']}/APP_NAME/search/jobs" splunk_response = requests.post( url=searchURL, auth=(str(splunkCredentials['user']), str(splunkCredentials['password'])), verify=cacertpath data=search)     When I run this script I get an error.  Can someone please help me out?    Regards

I am looking through our current alerts and we have a few evaluations that occur like below. Total_Trade: 129 Total_Value: 300 Total_Amount: 1000 I have a rex like below:       | rex max_match=0 Total_(?<Type>\w+):(?<amount>\w+)       Doing this though I get two fields with multiple events like below. Type amount Trade Value Amount 129 300 1000   What I wanted was each of these to be separate though/ Type amount Trade 129 Value 300 Amount 1000    

Hi All, i am using IF function like  |eval xxx= if ( status =="1","A", if(status =="2","A", if(status =="3","A","0") its working wherever i have single value in fields like  Example:-1 status  output 1             A 2            A 3            A   or    Example:- 2 status     output 1, 2             A 2, 3             A 1, 3             A  1,4,5,2       A   So in example 2, last values has 1 and 2 with 4 and 5,,, i want to output should be like A and 0 both. thanks in advance