Hi folks. I'm attempting to run Splunk in a docker container.  Or rather, I have that working - it was pretty easy with docker-compose based on https://splunk.github.io/docker-splunk/EXAMPLES.html#create-standalone-from-compose However, I want to create an index automatically, when the container first starts up.  This I'm finding difficult. I've tried a variety of methods, but they all failed in one way or another: yum and dnf are missing from the container, and microdnf appears to be broken.  This makes it difficult to customize the container's configuration. The container so configured appears to be based on RHEL, and we don't have any RHEL entitlements.  This too makes it difficult to customize the container's behavior. I tried setting up a volume and adding a script that would start splunk and shortly thereafter add the index, but I found that Splunk was missing lots of config files this way.  This may or may not be due to my relative inexperience with docker. I invoked the script with the following in docker-compose.yml: entrypoint: /bin/bash command: /spunk-files/start   I needed to copy these files, which I didn't have to copy before the entrypoint+command change: $SPLUNK_HOME/etc/splunk-launch.conf $SPLUNK_HOME/etc/splunk.version I also needed to create some logging directories, otherwise Splunk would fail to start. One of my favorite troubleshooting techniques, using a system call tracer like "strace", wasn't working because I couldn't install it - see above under microdnf. Does anyone know of a good way to auto-create a Splunk index at container creation time, without an RHEL entitlement? Thanks!  

I am hoping you could help me out with this query, as I am quite stuck. I want to be able to retrieve the name of the server that acts as a provider and the name of the server that acts as a consumer.  The way you could check this is a log has a ConsumerId that equals the ID of the other server. For instance, here are two logs: ServerName="Server1", ID="1", IDConsumer=null ServerName="Server2", ID="2" , IDConsumer="1"  And what I want to retrieve is a table like this: To              From         IDConsumer   IDProvider Server1  Server2    1                          2   Appreciate a lot!

Hello Community,   I'm working on a search for a dashboard panel and I need some help. I'm looking to get the owner, search_name, status_label, and the last comment. The search I have so far is below: `notable` | where owner =="User1" OR owner=="User2" OR owner=="User3" OR owner=="User4" OR owner=="User5" OR owner=="User6" | where status_label=="Ready for Review" OR status_label=="Closed: False Positive" OR status_label=="Pending" OR status_label=="Closed: Valid - Remediated" | stats earliest(owner) AS Analyst, earliest(search_name) AS "Alert Name", latest(status_label) AS Status, latest(comment) AS Summary

I am currently using a bar chart visualization but I need to sort the bars by descending order.  I can't use a simple  chart count by EVNTSEVCAT | sort -count  because the SEVCAT field contains multiple values and we only need I,II, and III. below is my query         search * | eval CATI = if(SEVCAT=="I", 1,0) | eval CATII = if(SEVCAT=="II", 1,0) | eval CATIII = if(SEVCAT=="III", 1,0) | chart sum(CATI) sum(CATII) sum(CATIII) | transpose           The visualization:   I need the visualization to be sorted in descending order. Any suggestions help :-).   Thank you, Marco

This is a log example:  2022-04-19 11:33:41 Local1.Info 10.0.6.1 Apr 19 12:34:20 FireboxM470_HA2 801002AA8CC3A FireboxM471_HA (2022-04-19T18:34:20) firewall: msg_id="3000-0151" Allow Firebox External-H udp 206.131.15.124 78.243.26.213 2267 53 geo_src="USA" geo_dst="USA" duration="36" sent_bytes="105" rcvd_bytes="121" (Any From Firebox-00) I need to extract the src_ip (206.131.15.124 ) and the dst_ip (78.243.26.213).  Splunk do not create a proper regex by itself, no matter how many examples I give. I am looking for a regex that matches the 2nd IP in the log, and another one for the 3rd one.  Till now, I have done this: "(\d{1,3}\.){3}\d{1,3}", wich matches the 3 IPs, but I don´t know how to select one of them. And this: "(tcp|udp)\s((\d{1,3}\.){3}\d{1,3})"  wich returns the second IP with the protocol, don't know how to remove the protocol and the space.  Does anyone knows how to extract those fields as new fields?

Below is my raw logs. I want to extract "analystVerdict" & its corresponding result from raw logs. can someone please help   \"mitigationStartedAt\": \"2022-04-13T03:57:58.393000Z\", \"status\": \"success\"}], \"threatInfo\": {\"analystVerdict\": \"false_positive\", \"analystVerdictDescription\": \"False positive\", \"automaticallyResolved\": false, \"browserType\": null, \"certificateId\": \"\", \"classification\": \"Malware\",   I tried below. But i am failing to get the result index=test_summary  | rex field=_raw ":\\\"(?<analystVerdict>\w+)\\\"" |table search_name analystVerdict

Hello, I have a tricky question. I'm trying to count tickets by providers we have. I am using the parent and subtasks to check to which team we are sending a subtask + using the service to know the provider. I'm stuck in cases like these ones. 3 events which are - the parent task .1 with no to_team and no provider - subtask 1 with one to_team - subtask num 2 with a provider (different to the team above) Now I have the three of them counted as Provider1 (subtask num1), Provider2 (subtask number 2) and Other (parent task). However, what I need is to avoid counting the parent task if there's a subtask with the needed information.   There are some parent task with no information that have to be in "Other" section because they need to be counted, but just when there's no subtask attached. Is it possible? I have tried subsearches but I cannot achieve one that works.   Thank you in advance.