Hello, We are looking to create a search that will return when two similar events occur within 1 second of each other. Sample log search results: 2022-04-19 18:42:39,210 INFO [stdout] (default task-43) [core.service.RestService] ==============POST Send Family============= 2022-04-19 18:39:31,142 INFO [stdout] (default task-43) [core.service.RestService] ==============POST Send Family============= 2022-04-19 18:35:38,403 INFO [stdout] (default task-41) [core.service.RestService] ==============POST Send Family============= 2022-04-19 18:35:38,371 INFO [stdout] (default task-42) [core.service.RestService] ==============POST Send Family============= 2022-04-19 18:34:01,696 INFO [stdout] (default task-40) [core.service.RestService] ==============POST Send Family============= 2022-04-19 18:30:36,450 INFO [stdout] (default task-39) [core.service.RestService] ==============POST Send Family============= 2022-04-19 16:57:39,144 INFO [stdout] (default task-36) [core.service.RestService] ==============POST Send Family============= 2022-04-19 14:01:42,904 INFO [stdout] (default task-153) [core.service.RestService] ==============POST Send Family============= 2022-04-19 13:46:00,629 INFO [stdout] (default task-153) [core.service.RestService] ==============POST Send Family============= 2022-04-19 13:42:39,944 INFO [stdout] (default task-153) [core.service.RestService] ==============POST Send Family============= 2022-04-19 13:32:59,488 INFO [stdout] (default task-145) [core.service.RestService] ==============POST Send Family=============   We would like a query to be able to return results when events occur, like the following times, since they are so close together: 2022-04-19 18:35:38,403 INFO [stdout] (default task-41) [core.service.RestService] ==============POST Send Family============= 2022-04-19 18:35:38,371 INFO [stdout] (default task-42) [core.service.RestService] ==============POST Send Family============= Is there a way we can generate a query that would find something like that?   Thanks!    

I need to identify each Active Directory Service Accounts that are being used for authentication for my work group. I am trying to create a working list of active and disabled accounts. I am using the following, but not having any luck obtaining all Events with complete list of EventCodes.  index=xxxxxxxxxx inserted group*Svc source="xxxxxxxxx" | rex field=Account_Name "(?<Account_Name_parsed>[\w]*)\@.*" | where isnotnull(Account_Name_parsed) | eval startDate=strftime(strptime(whenCreated,"%Y%m%d%H%M"), "%Y/%m/%d %H:%M") | eval endDate=strftime(strptime(accountExpires,"%Y-%m-%dT%H:%M:%S%Z"), "%Y/%m/%d %H:%M") | eval lastDate=strftime(strptime(lastTime,"%Y-%m-%dT%H:%M:%S"), "%Y/%m/%d %H:%M") | eval Days=floor((now()-strptime(lastDate,"%Y/%m/%d %H:%M"))/(3600*24)) | rex field=userAccountControl "(?<userAccountControl_parsed>[^,]+)" | eval userAccountControl=lower(replace(mvjoin(userAccountControl_parsed, "|"), " ", "_")) | eval status=case( match(userAccountControl, "accountdisable") , "disabled", 1==1, "active" ) | stats first(_time) AS Time by Account_Name_parsed | eval Time=strftime(Time, "%b %d %H:%M:%S") The only thing showing in Statistics is the account name and time. I need for my list to show active and non-active accounts. I would also like for the Source_Workstation to be shown as well. I have attached an example of fields within an event.

Hi Splunk Community, I am currently working with a search but I am trying to filter certain events out. I am trying to remove events with user=unknown and id=123456. When I do | where (id=123456 AND user!="unknown"), it removes both events with an unknown user and events with the id = 123456. I would like to keeps all other events with an unknown user and all other events from 123456 while only dropping events where user is unknown AND id=123456. Thanks in advance!

I have a splunk event as follow: request-id=123  STOP method TYPE=ABC, ID=[678] --- TIME_TAKEN=1281ms I have lot of events like this and I want to find the max time taken. I have query as : ****QUERY**** || rex field=_raw "TIME_TAKEN=(?<TIME_TAKEN>\d+)ms" | table TIME_TAKEN Now I am able to get all Time value in table. But I dont want them in table but I just want the max entry out of this.How can i replace last operation so that I can max value from TIME_TAKEN in output.I dont need anything else

hello From the search below, I need to display only the result corresponding to the current time It means that if it's 17h15, i need to display only the count value corresponding to 17h15 in my search     `tutu` sourcetype="session" | bin _time span=15m | stats dc(s) as count by _time      The time format is 2022-04-27 17:15:00 could you help please?

Hello all, first time post. It's been a great adventure but boy there is alot to learn. I will try and be clear as possible. I have a dashboard I am making that pulls data from Splunk regarding support tickets (specifically ticket #'s and supposedly current status).  I am finding that in any date range there can be multiple Splunk entries for the same ticket. It's like Splunk is picking up an event every time there is an update to said ticket. So if I say pull any tickets for a particular queue name with the status of Assigned, there may already be a newer event that has come in that is status of Closed. How can I filter my data to pull incidents by queue and be sure I am getting the most recent possible status? Here's a code example. I cut out some the eval statements to make it easier to read. ((index="wss_desktop_os") (sourcetype="db_itsm" OR sourcetype="wss_itsm_remedy")) earliest=-24h | search (queuename AND TOTAL_TRANSFERS >= "4" NOT STATUS_TXT="Closed") | dedup INCIDENT_# | table ASSIGNED_GROUP, INCIDENT_#,STATUS_TXT, ASSIGNEE, Age-Days, TOTAL_TRANSFERS It makes an output like this: ASSIGNED_GROUP INCIDENT_# STATUS_TXT Group ticket # status   John F

hi I transpose header field time like this     | eval time=strftime(_time,"%H:%M") | sort time | fields - _time _span _origtime _events | fillnull value=0 | transpose header_field=time 0 column_name=KPI include_empty=true | sort KPI     Now I need to display only the fields for which _time is < to the current time So I am doing this and it works     | where _time < now()      But I also need to disply only the fields an hour earlier to the current time So I need something like this but I dont succeed     | where _time < now() AND _time > now()-1     Could you help please?

Hi all, I have 2 panels, I can call it like panel1 and panel2. The panel2 is detail of a value in panel1. And I didn't user post-process type. This is 2 individual panels. The problem is the panel2 search different events, it missed the time to search.  So how i fix it? Panel1 with drilldown token ipDownload       <search> <query>index=... | fields SrcIP, DownSize | chart sum(DownSize) as Download by SrcIP | sort 10 -Download</query> <earliest>$Time.earliest$</earliest> <latest>$Time.latest$</latest> <sampleRatio>1</sampleRatio> </search>       Panel2       <search> <query>index=... | search SrcIP="$ipDownload$" | stats sum(DownSize) as Download by DstIP Client AppProtocol | sort 10 -Size | table DstIP, Client, AppProtocol, Download </query> <earliest>$Time.earliest$</earliest> <latest>$Time.latest$</latest> <sampleRatio>1</sampleRatio> </search>          

We have to filter the data which has Result=pass, status=200 and send the other logs to Splunk. we have received the logs to splunk before adding props.conf and transforms.conf. we have the following configuration in props.conf & transforms.conf.  /opt/splunk/etc/apps/TA-AlibabaCloudSLS/default/transforms.conf [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = result\=200 DEST_KEY = queue FORMAT = indexQueue [cloudnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [cloudparsing] REGEX = result\=pass DEST_KEY = queue FORMAT = indexQueue   /opt/splunk/etc/apps/TA-AlibabaCloudSLS/default/props.conf [alibaba:cloudfirewall] TRANSFORMS-set= cloudnull,cloudparsing [alibaba:waf] TRANSFORMS-set= setnull,setparsing   But we are not receiving any logs to splunk for this although there are logs in alibaba cloud. Below is the inputs.conf file   /opt/splunk/etc/apps/TA-AlibabaCloudSLS/local/inputs.conf [sls_datainput://Alibaba_Cloud_Firewall] event_retry_times = 0 event_source = alibaba:cloudfirewall event_sourcetype = alibaba:cloudfirewall hec_timeout = 120 index = ***** interval = 300 protocol = private sls_accesskey = ***** sls_cg = ****** sls_cursor_start_time = end sls_data_fetch_interval = 1 sls_endpoint = ******* sls_heartbeat_interval = 60 sls_logstore = ***** sls_max_fetch_log_group_size = 1000 sls_project = ******* unfolded_fields = {"actiontrail_audit_event": ["event"], "actiontrail_event": ["event"] }   [sls_datainput://Alibaba_waf] event_retry_times = 0 event_source = alibaba:waf event_sourcetype = alibaba:waf hec_timeout = 120 index = ***** interval = 300 protocol = private sls_accesskey = ****** sls_cg = ******* sls_cursor_start_time = end sls_data_fetch_interval = 1 sls_endpoint = **** sls_heartbeat_interval = 60 sls_logstore = ***** sls_max_fetch_log_group_size = 1000 sls_project = **** unfolded_fields = {"actiontrail_audit_event": ["event"], "actiontrail_event": ["event"] }

Hi I need to do a timechart from a single panel result In this single panel, I stats events like this   | stats count as PbPerf by s | search PbPerf>10 | stats dc(s)   The results of this search is 14 events Now I need to timechart these 14 events So I am doing this   | bin _time span=1d | stats count as PbPerf by s _time | search PbPerf>10 | timechart count span=1h    The first problem I have is that I want to retrieve the 14 events before doing the timechart is that I have to use a span=1d But of course all the 14 events are grouped with the same _time even if I use a span=1h in the timechart So how to display a timechart that display a _time value for my 14 events? Thanks

Hi I need to compare the results of 2 single panel between 2 different dates The first single panel concerns the results of the current day in the last 15 minutes and consists in a basic count   | stats dc(s)   In the second single panel, I need to do the same count but for one week before but also in the last 15 minutes compared to the current time Is it possible to do such a thing? Thanks

Hello, I would like to copy paste my app dashboards, say from the app  A/local/data/ui/views folder to the corresponding backup app, say A_backup/../views several times a day adding the timestamp to the dashboard name. The goal is to give developers the possibility to come back to their coding from like 3 hrs back. What do I need to take into consideration for that? I mean I would like to avoid restarting my splunk in-between to make the changes visible of course.  The developers should be able to access the A_backup and see their versioned dashboards by the corresponding name. I know, there are perhaps better ways (github app) for that, but I would like to keep it simple as that. I made a test with copy paste of one .xml file within the same app, but it is not visible in the UI, so I guess I miss some parts here. Can anyone help with the above? Kind Regards, Kamil