Hi all I have a riddle. Query A and query B does not collect the same events and I don’t understand why. Query A) results 2 events as transaction   | multisearch [search (11111111 OR 22222222) host=x index=y level=z (logger=a "text_a") ] [search (11111111 OR 22222222) host=x index=y level=z (logger=b message="text_b") ] | rex field=_raw "<sg: ID>(?<ID>.*?)<" | transaction ID keepevicted=false startswith="text_a" endswith=message="text_b"     Query B) results 1 event as transaction   | multisearch [search (11111111 OR 22222222) host=x index=y level=z (logger=a "text_a") ] [search host=x index=y level=z (logger=b message="text_b") ] | rex field=_raw "<sg: ID>(?<ID>.*?)<" | transaction ID keepevicted=false startswith="text_a" endswith=message="text_b"     11111111 and 22222222 is used as an ID to test the query and to confirm the correctness. But if I remove these IDs from second search like in query B) than I get only one result, the other is missing.   I thought at the first time, it is because of the enormous amount of records. I used a time filter to reduce the records, at the end with 19.351 events. Unfortunately it didn’t help. Of course, if I replace the multisearch to OR, it works. Query C) If I move the ID filter in second search, booth events are there.   | multisearch [search host=x index=y level=z (logger=a "text_a") ] [search (11111111 OR 22222222) host=x index=y level=z (logger=b message="text_b") ] | rex field=_raw "<sg: ID>(?<ID>.*?)<" | transaction ID keepevicted=false startswith="text_a" endswith=message="text_b"     Query D) Just to be sure, if I remove the "text_a" and message="text_b" from search the event is still missing.   | multisearch [search (11111111 OR 22222222) host=x index=y level=z logger=a ] [search host=x index=y level=z logger=b ] | rex field=_raw "<sg:ID>(?<ID>.*?)<" | transaction ID keepevicted=false startswith="text_a" endswith=message="text_b"     Maybe someone of you already had similar issues in transaction with multi-search and know, what could cause this problem. Thank you for your answers. Best regards, Robert

I'm trying to create a search macro which accepts a field to match on and enriches the results with matches and outputs those enriching fields appending the matching value's matching field name as the new field names. For example: `my_macro(sourceAddress)` Should output the following field names (if it matches): sourceAddress_WHOIS sourceAddress_Severity sourceAddress_lastCheck Where WHOIS, Severity, and lastCheck are field names in the lookup table. This should also exhibit the same behavior, dynamically, for `my_macro(destinationAddress)`: destinationAddress_WHOIS destinationAddress_Severity destinationAddress_lastCheck This macro may be called multiple times against multiple field names in a single search.  destinationAddress, sourceAddress, clientAddress, proxyAddress, and more are all potential field names in the searches this macro would be used for and multiple combinations of each can potentially exist in each result.  I'd like to be able to clearly see which fields were enriched by the lookup table, if enrichment occurred.

Disclaimer: Totally new to Splunk.  Started using it this week and nobody else in my office knows Splunk either. I created dashboards for Windows events like this one:  EventCode=4625 | timechart count by host sep=1hr.  That shows a nice bar chart which gives information, like the number of events, when hovering the mouse over a bar.  I want to either/or:  1.) click on a bar and show all the event(s) information.  2.) display all the events in another panel in the dashboard.  Thank you for you assistance.

Hello Splunk friends, I'm trying to send a report from Splunk that contains an attached report. The email subject needs to be last months date, i.e. "My Report Name _ Mar_22", and the same for the email attachment filename.  I currently have this working using hidden field eval values like so, but I've noticed that if my table returns no results, I'll also get no value for last months date. My Search looks like so:         Index = myIndex Process = myProcess earliest=-1mon@mon latest=now | eval _date_one_month_ago = relative_time (now(), "-1mon@mon") | eval _reporting_date = strftime (_date_one_month_ago, "%b_%Y") | stats count by orgName           Any help would be really appreciated in populating the email subject and attachment name with last months date, without depending on my table to have data. Thank you

In Splunk documentation for the outlier command, it say: " The transform option truncates the outlying values to the threshold for outliers." Would like to understand how it calculates the threshold mentioned above.  For this SPL below, the total_bytes value of 92000, is replaced with 000244. How does Splunk come up with the value of 244?   | makeresults | fields - _time | eval data="101,20220101,3;101,20220102,200;101,20220103,210;101,20220104,220;101,20220105,200;101,20220106,210;101,20220107,220;101,20220108,92000;101,20220109,200;101,20220110,3;" | makemv delim=";" data | mvexpand data | eval splitted = split(data,",") | eval day_hour_key=mvindex(splitted,0,0), date=mvindex(splitted,1,1) , total_bytes=mvindex(splitted,2,2) | fields day_hour_key,total_bytes,date| outlier action=transform mark=true total_bytes | rename total_bytes as transform_total_bytes    

Hi Splunkers, I am struggling to verify connection status of master node in indexer through VM using linux command.  Does someone know what command can I use to view the connection status between them?