Hi  I requested to exclude 2 values from one field value. I mean for each event I have "file_name", that written in the same shape. the city is first, and than the tool, so i want to extract these value for each event file_name city tool montreal - tool3 - SFR - Alert ID 123456 - (3 May 2022 01:20:24 IDT) montreal tool3

Hello! I would like to count from a field based on another field. I have a events with following  2 fields (Doors_Order & RQM_Order). I would like to count based on Doors_Order field from entire RQM_Order fields. In excel this look like this: =COUNTIF(E:E;C9)   I have tried with this: | basesearch | eventstats count(eval(RQMOrder_NotValidated=RQMOrder)) as ReqGap2 But this will count only if the 2 field is same in 1 event, not in entire events lists. I have tired lots of another things, but non of them worked. In excel this looks easy. Is there any solution in splunk?    

Is there a way of showing a warning to the user based on their SPL. My use case is that users should not generally search indexes which are fed into an accelerated data model. Specifically it's faster and more accurate to search the network_traffic ADM than a firewall index.

Hi,  I am having the following query:  index=* sourcetype=CustomAccessLog | table "host", "source"   The output is: host source server32.de.db.com /path/to/server/instances/IFM_RT_1/logs/subdir_logs/log.file server31.de.db.com /path/to/server/instances/IFM_RT_2/logs/subdir_logs/log.file   I would need to alter the search query so that the output is becoming: host source 32 IFM_RT_1 31 IFM_RT_2   Tried using the following for the IFM_RT_ index=* sourcetype=CustomAccessLog | rex field=_raw "(?<IFM_RT_>.*)", but I couldn't get the needed data.  Can I have your help here?   Thanks!

  Hi folks. I posted here recently exploring how to automatically add an index when docker-compose is bringing up the splunk container.  That post is at https://forums.docker.com/t/add-an-entrypoint-and-command-without-messing-up-the-invocation/123686 I had it working, but it no longer does, and I somewhat-suspect a docker volume problem as well as somewhat-suspect a permissions issue, and also somewhat suspect an OS upgrade.  But I really don't know what the problem is. Inside the splunk container, I see: [root@splunk splunk]# cat /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf [http] disabled = 0 [http://splunk_hec_token] disabled = 0 token = really-big-token-thingie Which is really not what I want. And outside the splunk container (on the MacOS side), I see: $ cat splunk-files/opt-splunk-etc-apps-splunk_httpinput-local/inputs.conf cmd output started 2022 Mon May 02 04:19:43 PM PDT [http] disabled = 0 [http://splunk_hec_token] disabled = 0 token = really-big-token-thingie index = dev_game-publishing That is what I want. In my docker-compose, I have (among other things) : volumes: - ./splunk-files/opt-splunk-etc-apps-splunk_httpinput-local/ /opt/splunk/etc/apps/splunk_httpinput/local/ (That long volume line is all-one-line.  It may or may not be wrapping when you view it, though it is wrapping in this editor) I tried both setting up a volume for the entire directory, as well as just that one file.    I'm hearing that doing an entire directory tends to be more reliable, but both failed the same way. The directory containing the file is owned by splunk and has restrictive permissions: [ansible@splunk splunk]$ cat /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf cat: /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf: Permission denied [ansible@splunk splunk]$ ls -l /opt/splunk/etc/apps/splunk_httpinput/ total 12 drwxr-xr-x 2 splunk splunk 4096 Jan 15 03:31 default drwx------ 2 splunk splunk 4096 May 2 22:14 local drwx------ 2 splunk splunk 4096 May 2 22:14 metadata [ansible@splunk splunk]$ Which explains why the ansible user can't cat it.  But is ansible painting itself into a corner and preventing itself from making all the changes I need? I also upgraded from MacOS 11.x to 12.3 in between when this was working, and when it stopped.  I don't know if that's related or not. I have next to no Splunk and even less Ansible. Thanks for any and all suggestions!

Hi. Has any one come across  hidden Double Quotes (") in a field and how to remove it? (maybe a "sed" regex) The double quotes don't appear in the Splunk Field or even in an excel csv export. It only appears when you save the csv as a txt file.  Apparently Splunk sees it because it adds additional lines in my search. See below for Excel export and corresponding saved txt  It looks to be Quoting the contents of the AdminGroup field.   csv src_host AdminGroup computer1 Domain Admins LocalAdmins   Text file src_host        AdminGroup computer1 "Domain Admins                            LocalAdmins"  

Scenario: We have a data source of interest that we wish to analyze. The data source is hourly host activity events. An endpoint agent installed on a user's host monitors for specific events. The endpoint agent reports theses events to the central server, aka manager/collector. Then the central server sends the data/events to Splunk for ingest. We found that a distinct count of specific action events per hour per host is very interesting to us. If the hourly count per user is greater than "the normal behavior" average then we want to be alerted. We define normal behavior as the "90 day average of distinct hourly counts per host/user". We define an outlier/alert as an hourly distinct count above 2 standard deviations from the 90day hourly average. For instance, if the 90 day hourly average is 2 events for a host, then 10 events in a single hour for that host would fire an alert. We tried many different methods and found some anomalies. One issue is the events' arrival time to Splunk. Specifically, the data does not always arrive to Splunk in a consistent interval. The endpoint agent may be delayed in processing or sending the data to the central server if the network connection is lost or the running host was suspended/shutdown shortly after the events of interest occurred.  We have accepted this issue as its very infrequent. Methodology: In order to conduct our analysis we have multiple phases. Phase 1 > prepare the data and output to KVstore lookup We run a query to prime the historic data.         index=foo earliest=-90d@h latest=-1h@h foo_event=* host=* | timechart span=1h dc(foo_event) as Foo_Count by host limit=0 | untable _time host Foo_Count |outputlookup 90d-Foo_Coun         Then we modify and save the query to append the new data, we use the -2h@h and -1h@h to mitigate lagging events.  This report runs first every hour at minute=0.         index=foo earliest=-2@h latest=-1h@h foo_event=* host=* | timechart span=1h dc(foo_event) as Foo_Count by host limit=0 | untable _time host Foo_Count |outputlookup 90d-Foo_Count append=t          Phase 2 > calculate the upperBound for each user This report runs second every hour at minute=15.  We add additional statistics for investigation purposes.         |inputlookup 90d-Foo_Count |timechart span=1h values(Foo_Count) as Foo_Count by host limit=0 | untable _time host Foo_Count | stats min(Foo_Count) as Mini max(Foo_Count) as Maxi mean(Foo_Count) as Averg stdev(Foo_Count) as sdev median(Foo_Count) as Med mode(Foo_Count) as Mod range(Foo_Count) as Rng by host | eval upperBound=(Averg+sdev*exact(2)) | outputlookup Foo_Count-upperBound         Phase 3 > trim the oldest data to maintain a 90d@h interval This report runs third every hour at minute=30.         |inputlookup 90d-Foo_Count | eval trim_time = relative_time(now(),"-90d@h") | where _time>trim_time | convert ctime(trim_time) |outputlookup 90d-Foo_Count         Phase 4 > detect outliers This alert runs fourth (last) every hour the minute=45.         index=foo earliest=-1h@h latest=@h foo_event=* host=* | stats dc(foo_event) as as Foo_Count by host limit=0 | lookup Foo_Count-upperBound host output upperBound | eval isOutlier=if('Foo_Count' > upperBound, 1, 0)         This method is successful alerting on outliers. RE: event lag, we monitor and keep track of how significant. Originally, we tried using the MLTK with a DensityFunction and partial fit, however we have approximately 65 million data points which causes issues with the Smart Outlier Detection assistant. The question is whether anyone has a different or more efficient way to do this? Thank you for your time!  

I'm currently building a query that will pull data from today to April 26th,  the field value contains the following time format      termination_initiated (field value name) 2022-05-02T11:47:01.011-07:00 2022-05-02T11:42:10.820-07:00      I'm currently trying to convert is so that i can only get results between today and April 26th. I've tried this piece of code with no luck     | eval terminiation_started=strptime(termination_initiated,"%Y-%m-%dT %H:%M:%S.%QZ") | where termination_started>=relative_time(now(),"-6d@d")