_time device1_avg device2_avg device3_avg device4_avg 2022-04-07 00:00 34 3 11 22 2022-04-07 01:00 21 76 41 87 2022-04-07 02:00 2 18 32 32 2022-04-07 03:00 12 3 36 54 2022-04-07 04:00 7 8 21 43 2022-04-07 05:00 11 3 17 21 2022-04-07 06:00 19 12 19 16 2022-04-07 07:00 15 10 12 19 2022-04-07 08:00 4 2 19 6   I have a table of averages for an arbitrary number of arbitrary devices as shown above. How do I use these averages as thresholds for alerts about these devices? I'm trying to have a search that runs every 15 minutes to check which devices have exceeded these averages. For example, if a search is run at 06:45, and returns that device1 has a count of 10, device2 has a count of 15, device3 has a count of 21, and device 4 has a count of 2, send an alert that says device2 and device3 have exceeded their averages listed for the 06:00 hour (i.e., 12 and 19, respectively).

Here's the text string from the log I'm searching: store license for Store 123456 2022-04-07 19:17:44,360 ERROR path not found   Here's my splunk search: index=* host="storelog*" "store license for " |rex field=_raw "Store\s123456\n\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d{3}\s(?P<errortext>.*)path" | stats count by errortext   Why am I getting the following when I search? No results found.

I'm trying to make a visualization showing our number of signatures, but the data is not very organized because I have 20+ results with variations of the name generic, like for example: Generic.TC.ldrvmp 1 Generic.TC.ligldq 1 Generic.TC.ljhook 1 Generic.TC.lmzdbq 1 Generic.TC.lnionm 1 Generic.TC.lniqpu 1 Generic.TC.lxboaq 1 Generic.TC.mpneia 1 Generic.TC.mpngod I want to group all these results under the name "generic", but it seems like if I try to use wild cards in the below search it gives me an error. I could do write out each signature individually in the |eval command but that seems very inefficient. I was wondering if it was possible for me to group the results in to the same name? | eval signature=case(signature="Generic.*", "generic")  |stats count by signature | sort -count

Hey Community,  I am trying to get my head around this query  My subsearch below, The query will look for the api path,src and Ip's and I am doing dns lookup to get hostname which is present in different index        site = "friendly" index=traffic_log src="*" uri="*" | eval date = date_month + "/" + date_mday + "/" + date_wday + "/" + date_year | mvexpand date | dedup src | dedup uri | lookup dnslookup clientip as src OUTPUT clienthost as ComputerName | where like (ComputerName,"p%") | dedup ComputerName |table ComputerName,src,uri,date       Main query. If see my main query Computername is the only filed which is present in main index search and want to use for searching with computername. which will give the owner details of the hostname but also I want the src,uri,date fileds from subsearch to be added in table      index="wineventlog" source="WinEventLog:Application" [ search site = "friendly.org" index=traffic_log src="*" uri="*" | eval date = date_month + "/" + date_mday + "/" + date_wday + "/" + date_year | mvexpand date | dedup src | dedup uri | lookup dnslookup clientip as src OUTPUT clienthost as ComputerName | where like (ComputerName,"p%") | dedup ComputerName |fields ComputerName,src,uri,date] | dedup ComputerName| dedup ownerEmail | dedup ownerFull | dedup ownerName | dedup ownerDept | table ComputerName, ownerEmail,ownerFull,ownerName,ownerDept,src,uri,date       Can someone throw insights into the query

Hello,  Many thanks in advance for taking the time to read/consider my question, it's always appreciated! I'm currently working on reducing the overhead of our existing Windows UF by adding to our blacklist in a way that effectively blacklists all login events for Windows where the Process Name is "-", since these are often extremely voluminous and often don't directly correlate with actual user logins (feel free to correct me if I'm wrong here). These are also indicated when the "Process ID" is "0x0", which is also shown by the blacklists I've attempted below: The blacklists that I have tried to no avail are as follows:   blacklist = EventCode="4624" Message="(?:Process Name:).+(?:C:\\Windows\\System32\\services.exe)|.+(?:C:\\Windows\\System32\\winlogon.exe)|.+(?:C:\\Windows\\CCM\\CcmExec.exe)|.+(?:[-]\sNetwork)" blacklist = EventCode="4624" Message="Process\sID:\s0x0" blacklist = EventCode="4624" Message="(?:Process\sName:\s[-])"   Please let me know if I'm missing anything with any of those blacklists above, but so far that I've tested none of those blacklists actually eliminate the "Process Name" of "-" being sent to Splunk, which increases our license ingestion while providing essentially no new information or value.  Thanks in advance, any & all answers will be rewarded with karma!  Charlie  

Does anyone have a solution for a query that will return the daily event count of every index, index by index, even the ones that have ingested zero events? | tstats count WHERE index=* OR index=_* by index ... only returns indexes that have > 0 events.  

We are trying to run some custom commands that requires cython, but Splunk's python doesnt support it. We tried creating an anaconda environment inside the app, just like MLTK and Python for Scientific Computing apps, but some issues appeared regarding anaconda symlinks. This is beign discussed in another thread: https://community.splunk.com/t5/Developing-for-Splunk-Enterprise/Why-when-installing-custom-made-app-that-contains-symlinks-the/td-p/592751 ¿Anyone managed to run python custom commands that required cython?