I am new to splunk and i cannot figure out how to check the Values and evaluate True/False. Below is the query that i tried.   index=windows host=testhost1 EventID IN ("4688","4103","4104","4768","4769") | eval ev_field = if('EventID' IN ("4688","4103","4104","4768","4769"), "True","False") | dedup host,EventID,ev_field | table host,EventID,ev_field   Requirement is to check if the ex: "testhost1" has particular values in the EventID field and if not to mark as "false" or something like that... The query that i made evaluates and adds TRUE to the "ev_field" for the EventIDs that it finds but i can't figure out how to add False for the EventIDs that it does not match or find in logs. The EventIDs that are not present in logs there simply wont show in results. This is the result that i get: This is what i actually need: The second image is edited just as an example to make my point what i need as a result.

I'm using Splunk Enterprise 8.2.5 on Windows (both indexers and Forwarders). I have modified inputs.conf on the indexer as follows to referebce my PJI signed certificate/key pair: [splunktcp-ssl:9998] disabled = 0 [SSL] serverCert = C:\Program Files\Splunk\etc\auth\mycert\my.pem sslPassword = mypassword requireClientCert = false sslVersions = *,-ssl2,-ssl3,-tls1.0,-tls1.1 After service restart I see port 9998 listening on the indexer. I added the following config to the outputs.conf of my forwarder: [tcpout:production] server = myindexerfqdn:9998 useSSL = true No data is getting forwarded though and the following is raised in splunkd.log at the forwarder: 03-29-2022 13:01:11.229 +0100 ERROR SSLCommon [37916 parsing] - Can't read certificate file errno=33558528 error:02001000:system library:fopen:system library 03-29-2022 13:01:11.229 +0100 ERROR TcpOutputProc [37916 parsing] - Error initializing SSL context - check splunkd.log regarding configuration error for server myindexerfqdn:9998 What is the windows forwarder looking for? I set the indexer not to verify client certs but does the forwarder need a client certificate (self-signed or otherwise) generated regardless to use SSL ?

i have a table in dashboard generated from stats  and a time picker in my dashboard. Based on value selected in timepicker the dashboard table value changes.The column values are not links. the first column has error message values which will be unique .if i click on a value in the 1st column then the events having those message (field.msg) should be displayed in another window. this is applicable for all values in that first column   Thanks for ur time and ur intention to help...

Hi All, Any idea on how to generate an alert when the password does not contain any special characters? Like when ever in my data the password is of only in plain text format, I should generate an alert. I'm a newbie,Please help out with the query. Thanks in advance.

Hi, how do i craft a search to match 2 fields from my raw events with  2 fields from a CSV file and output if one of the fields is different  ?  Requirement is to match the country_name and email from raw events versus to what is there in the csv file.  Basically If the country_name in the raw events in DIFFERENT as in if it does not match the "Country" field in the lookup (based on user's email) then display those results only.   Lookup file structure: Email_id Country         The Raw events have fields called email and country_name. Below is what i am trying but its not working.       index=xxx | search [inputlookup file.csv ] where (country_name != Country) AND (Email!=Email_id) table displayName, Email_id country_name        

Hello, Need to create a date/time token for a dbxlookup. The default values for start needs to be Thursday from the previous week, and the end needs to be Monday from the current week. Here is the dbxlookup command.   | dbxquery connection="SPLUNK" maxrows=0 query="select * from VW_SPLUNK where to_date (TO_CHAR (create_date_time, 'yyyy-mm-dd hh24:mi:ss'), 'yyyy-mm-dd hh24:mi:ss') between to_date ('$tokFromDate1$ $tok_startTime$','yyyy-mm-dd hh24:mi:ss') AND to_date ('$tokToDate1$ $tok_EndTime$','yyyy-mm-dd hh24:mi:ss') "   Here is the XML I have for the tokens.   <input type="radio" token="tok_toggleTime"> <label>Select date: Thu-Mon vs Mon-Thu</label> <choice value="ThM">Last Thursday to Monday</choice> <choice value="MTh">Last Monday to Thursday</choice> <change> <condition value="ThM"> <set token="tok_startTime1">06:45:00</set> <set token="tok_endTime1">09:30:00</set> <set token="tok_textStartTime">1</set> <set token="tokFromDate1">@w0-3d</set> <set token="tokToDate1">@w0+1d</set> </condition> <condition value="MTh"> <set token="tok_startTime1">06:45:00</set> <set token="tok_endTime1">09:30:00</set> <set token="tok_textEndTime">1</set> <set token="tokFromDate1">@w0+1d</set> <set token="tokToDate1">@w0-3d</set> </condition> </change> </input> <input type="text" token="tok_startTime" searchWhenChanged="true"> <label>Start Time - Can enter new time</label> <default>$tok_startTime1$</default> <suffix/> </input> <input type="text" token="tok_endTime" searchWhenChanged="true"> <label>End Time - Can enter new time</label> <default>$tok_endTime1$</default> <suffix/> </input>     Thanks and God bless, Genesius

Hi, Let's say I have a Company directory lookup (e.g. Company_Directory) and I want to lookup the entire hierarchy of supervisors for a specific employee. For instance>>> Alice reports to Bob, then take Bob as new lookup criteria... Bob reports to Cathy, etc....   and append this all  in a chain of command >>> Alice, Bob, Cathy, Donna, Eric, Fred.... etc Does Splunk have a command/capability to take the results as feed back to a lookup loop? Thank you

I'm trying to create a multi-series line chart in a Splunk dashboard that shows the availability percentages of a given service across multiple individual days for a set of hosts.  In other words, date is my x-axis, availability is my y-axis, and my legend contains the various hosts.  Since a picture is worth a thousand words, here's an example of what I'm trying to create:   And here is my attempt at the query that's currently not working (it's using the rhnsd service as an example and assumes ps.sh is being run every 1800 seconds so it calculates availability based off ps.sh running 86400/1800=48 times per day):     index=os host="my-db-*" sourcetype=ps rhnsd | timechart span=1d count by host | eval availability=if(count>=86400/1800,100,count/floor(86400/1800)*100) | rename _time as Date host as Host availability as Availability | fieldformat Date = strftime(Date, "%m/%d/%Y") | chart first(Availability) over Host by Date     Any assistance with getting this query working so I can visualize it in a multi-series line chart in a dashboard panel would be greatly appreciated.

When I navigate to https://<splunk-server>:8089/ServiceNS I am running into an error. When I go to other pages..."/services" and so on, they work fine. Could I get some guidance on what to do in order to bring this up?