Hi Experts When using the following eval, I would like to declare a variable in macro as in create_var(3). | eval var_1 = if(isnull(var_1),"", var_1) , var_2 = if(isnull(var_2),"", var_2), var_3 = if(isnull(var_3),"", var_3)  In some cases, we want to use MACRO because we need to define more than 30 variables. I am thinking that I can use foreach or map in the macro, but I am not sure how to do it. Any advice you could give me would be greatly appreciated!

I've been trying to set up Splunk Security Essentials but keep running into Javascript errors and other odd behaviour. When I run the Automated data introspection in "Step One: CIM Searches" I always get 42 completed searches and the remaining 22 searches complete but are never marked as completed (clicking the link to the search brings up the results I'd expect to see). In the browser Dev Tools Console it shows an error that window.updateOrMergeProducts is not a function and this seems to match up with the searches that are never marked as being completed. I've also noticed that it's getting a 400 Bad Request when doing a POST request to __raw/servicesNS/<username>/Splunk_Security_Essentials/search/jobs. Checking these I can see that they are all for searches like | from datamodel:Identity_Management.All_Assets | head 300000| stats count and the error that comes from searching is that the data model doesn't exist. I'm unsure if this is because something went wrong with the installation or if it's because the inventorying hasn't been completed yet. Unfortunately I also get errors when trying to configure the Data Inventory manually where I can't attach a product to 2 categories - e.g. successful authentications & failed authentications. I've tried resetting several times without any progress. I'm running Splunk Enterprise 8.2.5 and Splunk Security Essentials 3.5.0. Has anyone come across this behaviour before?

Hello I use an input text token in my search like this town=$town$ By defaut, town = * The problem is that sometimes the field town doesnt exist in my events When i chose * i would be able to retrieve this kind of évents? Is it possible ? Thanks

We have upgraded our NIPS and the management tool has a different IP address than the old one. The NIPS is sending data to our syslog server and putting it in our unassigned folder. I edited the syslog filters to put any messages from the new IP address in the NIPS folder for monitoring. I have restarted the syslog-ng service and the Splunk service. I have confirmed the logs are being written to the NIPS folder on the syslog server now, but Splunk is still importing them to the unassigned index instead of the NIPS index and showing the source as the old folder. I have also confirmed that no new entries have been put in the old folder since the change. The inputs.conf looks like this. Where else can I look that might be causing the data to not go into the NIPS index?     [monitor:///app01/syslog/data/siem01/nips/.../*messages] _rcvbuf = 1572864 disabled = false host = siem01 host_segment = 6 index = nips sourcetype = mcafee:ips [monitor:///app01/syslog/data/siem01/unassigned/.../*messages] _rcvbuf = 1572864 disabled = false host = siem01 host_segment = 6 index = unassigned sourcetype = syslog      

If I want to use a field(alarm_time) from the main search as a search criteria for a sub-search, what code should I write? In the following code, I want to search for the time they are working  I want to search Conditions : work_start < alarm_time < work_end  search results you want to get : (work_name=work_b) ____________________________________ | makeresults |eval _raw="alarm_time,host,message 2022/03/26 18:05,test_node,test_down" | multikv forceheader=1 | eval alarm_time_strp = strptime(alarm_time,"%Y/%m/%d %H:%M") | join type=left host [| makeresults |eval _raw="host,work_start,work_end,work_name test_node,2022/03/26 17:00,2022/03/26 18:00,work_a test_node,22022/03/26 18:00,2022/03/26 19:00,work_b test_node,2022/03/26 19:00,2022/03/26 20:00,work_c" | multikv forceheader=1 | eval work_start_strp = strptime(work_start,"%Y/%m/%d %H:%M") | eval work_end_strp = strptime(work_end,"%Y/%m/%d %H:%M") ]

Hello, I am trying to setup a search where we look for single source IP's hitting multiple destination IP's on our firewall. 1. When I do a search, I get TONS of results for destinations, but I want to limit the destination results to only show a few sample set. 2. I also have results showing up which only show one destination IP, which we do not want.   The search I am using as an example is    index=pan_logs eventtype=pan_traffic dvc="FD0*.*" action=allow OR action=allowed OR action=alert app=sip OR dest_port=5060 OR dest_port=5061 AND src_ip!=10.0.0.0/8 AND src_ip!=172.16.0.0/12 AND src_ip!=192.168.0.0/16  | stats values(rule) values(dest_ip) values(dest_port) count by src_ip vendor_action app dvc vsys | sort bt count desc limit=10 | sort dest_ip | where count > 500 | fields src_ip dvc vsys values(rule) app values(dest_ip) values(dest_port) vendor_action count | rename src_ip AS "Source IP", vendor_action AS "Action", values(rule) AS "Firewall Rule", values(dest_ip) AS "Target IP", values(dest_port) AS "Destination Port", count AS "Total Count", dvc AS "Device", app AS "Application" | head 20     Example search result

Hi there, hoping this is a quick question: I've got a search which polls for several eventlog types, and I want to put them into a table by event type using number of hosts in each event type, rather than just the total of events per type. Right now it looks something like: (searchForA=A) (searchForB=B) (searchForC=C) (searchForD=D)  | eval EventType=case( match(searchForA, "A"), "Results of A", match(searchForB, "B"), "Results of B", match(searchForC, "C"), "Results of C", match(searchForD, "D"), "Results of D") stats count by EventType This shows me the counts of each event type no problem, and it works to show really big numbers, but what I'd like to show is a count of hosts per event type.... so like... | stats count by host PER EventType. Any help would be great!

Hi, I have a simple stats      | stats values(Field1) sum(TB) by Field2 date_month     This gives me one row for each month.  Field1 10 Field2 Jan Field1 15 Field2 Feb I want to see it like below so each month is on the same row grouped by the fields.  Field1 Field2 Jan 10 Feb 15 Tried transpose and some other suggestions. I just keep missing.  Thanks, Chris

Hi! I have unstructured log in the following format, and I can't seem to figure out how I can count the number of occurrences for each key in "keys"   log: I, [2022-03-25T18:29:43.325002 #55] INFO -- : {:entry=>[{:op=>"operation1", :keys=>["key:my_key5, size:6309"]}]} log: I, [2022-03-25T18:29:43.324043 #56] INFO -- : {:entry=>[{:op=>"operation2", :keys=>["key:my_key6, size:159", "key:my_key5, size:6309", "key:my_key7, size:151", "key:my_key8, size:132"]}]} log: I, [2022-03-25T18:29:43.322759 #57] INFO -- : {:entry=>[{:op=>"operation3", :keys=>["key:smy_key9, size:4"]}]} log: I, [2022-03-25T18:29:43.317421 #58] INFO -- : {:entry=>[{:op=>"operation3", :keys=>["key:my_key6, size:159"]}]} log: I, [2022-03-25T18:29:43.311789 #55] INFO -- : {:entry=>[{:op=>"operation1", :keys=>["key:7, size:151"]}]}    What I'm trying to get is the count of each key in "keys[]". For example, the above would yield the following result:     my_key5 2 my_key6 2 my_key7 1 my_key8 1 my_key9 1     Ideally I can display the "size" of each key as well, like a table or something. But that might be too complicated.   What I have so far is only a query that can count the number of occurrences for each operation:   | rex field=log "op=>\"(?<operation>\w*)\"" | stats count by operation    but not sure how I can count the unique keys inside the array.