Hello, I have data that look like this : Month Key Value Number ------------------------------ Jan Key1 50 1 Feb Key1 57 2 Mar Key1 51 3 Jan Key2 101 4 Feb Key2 107 5 Mar Key2 98 6 Jan Key3 701 7 Feb Key3 703 8 Mar Key3 712 9 And I would like it to look like that : Month Key Value Number ------------------------------ Jan Key1 50 1 Feb Key1 57 1 Mar Key1 51 1 Jan Key2 101 2 Feb Key2 107 2 Mar Key2 98 2 Jan Key3 701 3 Feb Key3 703 3 Mar Key3 712 3 Is it possible ? Thanks.

hello   I timechart a lot of search in a table and it works perfectly here is the result But for the piece of code below I try to find a solution in order to be able to calculate a percentage between sign and eue2 and to timechart the results like above instead having a separate result for sign field and for eue2 result     | appendcols [ search index=toto | timechart span=1h dc(sign) as sign ] | append [ search index=toto | timechart span=1h dc(eue2) as eue2]     I need something like this : | eval perc=(sign/eueu2) | timechart values(p) span=1h  could you help please?

Hi All, I  have logs like below in Splunk: log1:  Valid from: Mon Oct 11 05:12:56 EDT 2021 until: Wed Oct 11 05:12:56 EDT 2023 log2: Serial number: 6900015f06a7454c0728c2744b000000015f06 log3: Owner: CN=sd-72m2-rt6w.nam.nsroot.net, OU=166139, O=Citigroup Inc., L=warren, ST=NJ, C=US log4: /apps/gcafews_SG/jboss-eap-7.3/ssl/server.jks log5: /apps/gcafewshlc_SG/jboss-eap-7.3/ssl/server.jks and so on... Aim is to get the validity of each Instance and CN, so created the below query to extract the required fields and to find the validity in days: ..... | rex field=_raw "\/apps\/(?P<Instance>\w+)\/" | rex field=_raw "CN\=(?P<CN>[^\,]+)\," | rex field=_raw "Serial\snumber\:(?P<Serial_Number>[^\,]+)" | rex field=_raw "OU\=(?P<CSI_ID>[^\,]+)\," | rex field=_raw "until\:\s(?P<Valid_Until>\w+\s\w+\s(\s{0,1})\d+\s\d+\:\d+\:\d+\s\w+\s\d+)" | eval From = _time | eval Until = strptime(Valid_Until, "%a %b %d %H:%M:%S %Z %Y") | eval dur=Until-From | eval Validity = round(dur/(60*60*24)) Now to represent all these data in a tabular view I used the query : | table Instance,CN,Serial_Number,CSI_ID,Valid_Until,Validity But it gave me the table in the below manner: Instance CN Serial_Number CSI_ID Valid_Until Validity         Wed Oct 11 05:12:56 EDT 2023 556     6900015f06a7454c0728c2744b000000015f06         sd-72m2-rt6w.nam.nsroot.net   166139     gcafews_SG           gcafewshlc_SG           The requirement is to create table with the values in single row as below: Instance CN Serial_Number CSI_ID Valid_Until Validity gcafews_SG sd-72m2-rt6w.nam.nsroot.net 6900015f06a7454c0728c2744b000000015f06  166139 Wed Oct 11 05:12:56 EDT 2023 556 gcafewshlc_SG sd-72m2-rt6w.nam.nsroot.net 6900015f06a7454c0728c2744b000000015f06  166139 Wed Oct 11 05:12:56 EDT 2023 556 Please help modify the query to get the table in the desired manner.

Hi everyone, I can't login to my Splunk account because I have a space at the beginning of my password. We will login to Splunk via LDAP. Does Splunk have a problem with that or is that a Bug? Thank you very much for any advice.

Is it possible to search base on the Timestamp from the Column than the _time of ingestion I'm using dB connect not the "add Data" Since ill be using this in Dashboard,  I'm Very new in splunk  

Hi, I understand that importing the evtx format into Splunk consumes more licenses than the volume displayed. (Because evtx is a compressed format.) Am I right in thinking that I will consume about 2 to 5 times more licenses? I think I saw the material about this somewhere, can anyone share it? I would be grateful if you could help me.

Hi Gurus, I am trying to extract data from log message using rex field=_raw. The regex I have is  "Event <(?<eventNo>.*)>, Super <(?<super>.*)>, Charge <(?<oic>.*)>, number <(?<pcn>.*)>, Card <(?<cn>.*)>, CO <(?<co>.*)>, Warn <(?<warn>.*)>" | table _time oic eventNo pcn cn super co warn and I am able to extract records. but the issue is may or may bot be present is the log and I still need to extract the rest of the data. I tried  "Event <(?<eventNo>.*)>, Super <(?<super>.*)>, Charge <(?<oic>.*)>, number <(?<pcn>.*)>, Card <(?<cn>.*)>, (CO <(?<co>.*)>,)? Warn <(?<warn>.*)>" | table _time oic eventNo pcn cn super co warn It gives me the records which does nto contain this item. I want to extract all the records irrestive of whether it is present or not present. Please let me know what am I doing wrong. Thanks a lot in advance.  

I have a piece of code as -  | rex field=$AppNC$ ".*\/(?<ChosenAppCode>.*" | search job_name=* U_APP_CODE=ChosenAppCode  From the drop down the AppNC (App Name Code) is chosen and the search should have the app code part. How can the following be dynamic ? U_APP_CODE=ChosenAppCode Meaning, ChosenAppCode, would be the code extracted in the line above? 

I'm kinda lost here. I'm trying to test something on my Splunk Free at home using receivers/simple endpoint and all I'm getting is 404. The "normal" HEC endpoints work OK. $ curl "http://172.16.0.3:8088/services/receivers/simple?source=www&sourcetype=web_event" -d "aaaaaaaaaaaaaa" {"text":"The requested URL was not found on this server.","code":404} It's the example almost literarily copied from REST API docs. And I'm getting 404. Where to look for diagnostic info?