(1)  index=blah  Product IN (Cuteftp,Filezilla) (2)  | rex field=Image "(?<values_Image>[^\\\\]+$)" (3)  | lookup test.csv Image as values_Image OUTPUT Image (4)  | eval match=if(values_Image == Image, "yes", "no") | table _time Product Company Description ImageLoaded Image values_Image match (1) I am searching index=blah  where "Product" = Cuteftp or Filezilla (2) From my results I am removing everything before the last backslash, and the new field  is going to be  called "values_Image"  (3) I am checking the "Image" column  in the lookup file (test.csv) to see if it matches "values_Image" from my Splunk results (4) If there is a match, then I see "yes" in the match column in Splunk. If there is no match I see a "no" The problem I have: When match =yes the Image field in Splunk  is populated with the value from the Image field in the lookup file (test.csv) . This is good When match=no  the  Image field in Splunk is not populated with the value from the the Image field in the lookup file (test.csv) . This is my problem

We have a large number of hosts logging to Splunk via the Universal Forwarder. We also have the splunk servers including search heads, heavy forwarders and indexers logging their local OS logs to splunk as well. All systems are linux OS. We use a custom app to collect the local linux OS logs in /var/log. All hosts running the Universal Forwarder and the search heads and the heavy forwarders get the app from the deployment server so they all have the identical app to collect the linux os logs. Recently we wanted to divide up the indexes the logs are sent to based on processes. In our custom app on the indexers we created an entry in props and the transforms and deployed it. We then used the deployment server and pushed the new sourcetype out to all hosts. All of the hosts logs coming from the UF's worked fine and the indexers began to divide up the linux OS logs from them as expected. However the splunk search heads and heavy forwarders local linux OS logs continued to go to the old index even though their sourcetype did change to reflect the new sourcetype we created and deployed via the deployment server. Question: why does this config work fine for the hosts using the UF but not the splunk servers themselves if they all have the same app installed from the same deployment server and are all logging to the same indexer? props.conf [company_linux_messages_syslog] pulldown_type = 1 MAX_TIMESTAMP_LOOKAHEAD = 32 TIME_FORMAT = %b %d %H:%M:%S TRANSFORMS-newindex = company_syslog_catchall, company_syslog, syslog-host REPORT-syslog = syslog-extractions SHOULD_LINEMERGE = False category = Operating System description = Format found within the Linux log file /var/log/messages transforms.conf [company_syslog] DEST_KEY =_MetaData:Index REGEX = ^[A-Z][a-z]{2}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s.*?\s*(docker|tkproxy|auditd|dockerd)\[ FORMAT = syslog [company_syslog_catchall] DEST_KEY =_MetaData:Index REGEX = . FORMAT = syslog_catchall

Hi, I am running a single instance Splunk deployment on Linux and am planning on upgrading a bunch of Apps on my Splunk Enterprise server (there are about 7 that need upgrading ... a mix of Apps and Add-ons) . I was intending to upgrade the Apps using the GUI. My question is whether it is better to restart when prompted by Splunk (potentially after each app is upgraded) or whether it is possible to do all of the upgrades and then do a single restart of the Splunkd service at the end?   Thanks,

Hi All, I was working on a case where i have 2 fields extracted as "actordisplayName" & "targetUser" in the same raw log. actordisplayName - who initiated the change, targetUser - to which user it was changed. index=something  displayMes="User update password" | where actordisplayName!= targetUser | table _time user, displayMes, actordisplayName, targetUser outcome.result Running this for 30 days Requirement: I need to search only for users where actordisplayName & targetUser is not same. Eg: I want only the results for my admin/someone who has done password reset for me, I don't want the results for me resetting the passwords for my account. In short i need results for where actordisplayName & targetUser is not same.

Hi all   My first post on this Community. I am a veteran of another BI tool that starts with a Q, and very keen to learn new tools and play with new toys!   I scanned on community but could not find a relevant answer, so please forgive if this is not a new subject.   I installed a forwarder on my Pi Zero, but cannot start it. Downloaded the ARM version with  sudo wget -O splunkforwarder-8.2.5-77015bc7a462-Linux-armv8.tgz "https://download.splunk.com/products/universalforwarder/releases/8.2.5/linux/splunkforwarder-8.2.5-77015bc7a462-Linux-armv8.tgz"   Then untarred it: sudo tar -xvzf splunkforwarder-8.2.5-77015bc7a462-Linux-armv8.tgz   Then tried to start: sudo ./splunk start --accept-license I just get this weird error message. No idea how to proceed.  

Hello Splunkers!   In my knowledge, mono db is only for the internal uses and able to access with internal Splunk SPL.    Is there any official documentation about this?   Thank you in advance.

Hi everybody, I need to upgrade Splunk Enterprise from 7.3.X to 8.1.0 and then to 8.2.5 (Windows).  The architecture includes: - 1 cluster master - 1 search head - 2 indexers (cluster)  - 1 deployment servers - 1 heavy forwarder - n universal forwarders Looking at the documentation, these are the steps to follow: Download the MSI file to the host. Double-click the MSI file. The installer runs and attempts to detect the existing version of Splunk Enterprise installed on the machine. When it locates the prior installation, it displays a panel that asks you to accept the licensing agreement. Accept the license agreement. The installer then installs the updated Splunk Enterprise. This method of upgrade retains all parameters from the existing installation. The installer restarts Splunk Enterprise services when the upgrade is complete, and places a log of the changes made to configuration files during the upgrade in %TEMP%. Shouldn't I stop the the splunk service before? Do I only need to double click on the installer and follow the wizard on each host? That's it? Is there something that I'm missing?   About Splunk apps and add-ons: I need to update some of them, should I do it before or after the Splunk upgrade? Example: Add-on for VMware ESXi Logs is now 3.4.2 and needs to be upgraded to 4.0.3 (which doesn't support Splunk 7.X). I think I should upgrade Splunk first, then add-ons and apps, correct?   Thanks in advance for any help.