hello I use appdncols command in order to aggregate in a table the result of different search I have 2 issues with the 3 fields In yellow Issue 1 If dont use the piece of code below, the field "Tea" is not displayed (same thing for INC & OUT)       | appendpipe [ stats count as _events | where _events = 0 | eval "Tea"= 0]]       Issue 2 the appendpipe command put only "0" in the first line but not in other Here is the search :       | appendcols [ search index=titi earliest=@d+7h latest=@d+19h | bin span=1h _time | eval time = strftime(_time, "%H:%M") | stats dc(Tea) as Tea by time | rename time as Heure | appendpipe [ stats count as _events | where _events = 0 | eval Tea= 0] ] | appendcols [ search index=tutu earliest=@d+7h latest=@d+19h | bin span=1h _time | eval time = strftime(_time, "%H:%M") | stats dc(s) as "OUT" by time | rename time as Heure | appendpipe [ stats count as _events | where _events = 0 | eval "OUT"= 0]]       What is wrong please? And I have something else strange As you can, the the results is 0, the results is ususally displayed But why sometimes I have an empty field instaed 0 like in yellow? Is anybody can give the solution for displaying the results in any case when the value is 0?  

I need some help to check configure send email, and I still have not received the email alert in my mailbox. The alert is already triggered as I can see that in the "triggered alerts" section. when i configure like this,and saved. then i open again, username,passward is gone,  

When trying to enable aws_description_tasks, I'm finding it in the logs that it is erroring out due to 'Connection reset by peer', indicating that this is due to a firewall error in my network. I can ask the networking team to allow traffic from this endpoint, but I'm unsure as to what the url is. Is there any way I can go about finding the endpoint or url that aws_description_tasks uses to grab metadata from AWS? Not sure if it's simply 169.254.169.254 but would like to know how I can go about finding the endpoints used by the different aws inputs. 

I am looking for a way to check for multiple conditions to match, and if they are met, output a specific word... such as "true". Example: my_cool_search_here | eval condition_met=if(user=* AND DoW IN (Mon,Wed) AND HoD IN (01,02,03) AND hostname IN ("hostname.hostdomain","hostname.hostdomain"), "true") I don't know if that makes sense... but essentially I want to check whether "user" has ANY value, and then if the fields "DoW", "HoD", and "hostname" have specific values out of a possible range.... and if all that matches, then set the value of "condition_met" to "true". I know I can do this for a single field/value, but how would I accomplish this for multiple different conditions? Thanks!

Hello all. Thanks in advance for your assistance. I have a 6 node index cluster with a search factor of 6 and replication factor of 3. My ingest is 130GB per/day for proxy data My Hardware: 7TB hot/warm SSD and 112TB cold 10k spindle per/indexer I have a requirement for 30 days hot/warm and 1,065 days cold = 1,095 days (3 years) total Calculations I have found say: (Daily Avg. Ingest x Compression Rate x Num Days Retention) / # of Indexers So: Hot/Warm: 130GB * .6 compression * 15 days) / 6 = 390 GB p/indexer Cold: 130GB * .6 compression * 1,065 days) / 6 = 13,845 GB p/indexer Total: 130GB * .6 compression * 1,095 days) / 6 = 14,235 GB p/indexer Given that, I think my indexes.conf would have: [idx_proxy] homePath = volume:primary/idx_proxy/db coldPath = volume:secondary/idx_proxy/colddb thawedPath = $SPLUNK_DB/idx_proxy/thaweddb maxTotalDataSizeMB = 14576640 maxDataSize = auto_high_volume homePath.maxDataSizeMB = 399360 frozenTimePeriodInSecs = 94608000 The question: With replication factor, I'm thinking this answer is not complete. Can anyone help? Updated formula/calc? This is current storage: [splunk@splunkidx1 ~]$ du -sh /splunkData/*/idx_proxy/ 8.0T /splunkData/cold/idx_proxy/ 947G /splunkData/hot/idx_proxy/ [splunk@splunkidx2 ~]$ du -sh /splunkData/*/idx_proxy/ 8.0T /splunkData/cold/idx_proxy/ 826G /splunkData/hot/idx_proxy/ [splunk@splunkidx3 ~]$ 7.9T /splunkData/cold/idx_proxy/ 955G /splunkData/hot/idx_proxy/ [splunk@splunkidx4 ~]$ du -sh /splunkData/*/idx_proxy/ 7.8T /splunkData/cold/idx_proxy/ 952G /splunkData/hot/idx_proxy/ [splunk@splunkidx5 ~]$ du -sh /splunkData/*/idx_proxy/ 8.0T /splunkData/cold/idx_proxy/ 936G /splunkData/hot/idx_proxy/ [splunk@splunkidx6 ~]$ du -sh /splunkData/*/idx_proxy/ 7.8T /splunkData/cold/idx_proxy/ 911G /splunkData/hot/idx_proxy/

I'm using the Webtools Add-on to do a get request for each row on a keyword field but combine the curl results with the initial data. Ie the initial data returns _time, keyword, hostname, etc and the curl request returns curl_message, curl_status,etc and I want my final table to be _time,keyword,hostname,curl_message,curl_status . Right now I'm able to get the curl response using the map search="uri=.../$keyword$ " but that only returns the curl output.  I do see that you can use datafield without a map command to do multiple curl requests (|curl uri=... datafield=keyword) and it would have the my desired output but that made the uri look like this uri=.../?keyword. I need the uri to look like uri=.../keyword instead.  Any help/tips would be appreciated.

Hey, In a dashboard, I need a panel where it gives the user an option to download EVERY field of a specific index. Now, this index has over 100 fields. Can I use the Events Panel on the dashboard to show all the fields (admittedly a small view due to the volume of the fields) and then the user can export the respective results from the given panel? Many thanks, Patrick

Good afternoon  - We're working with a customer that would like to ingest data from AINS FOIAXpress (https://www.ains.com/foiaxpress/).  We don't see a TA for this that I could locate on Splunkbase but was wondering if anyone here has knowledge of customers that have built this TA in the past.  Any insight or direction would be greatly appreciated!

We have an outside scanning agency that is constantly doing nmap like scans of our perimeter.   It is generating a log of log data on the perimeter CISCO firewalls. We know the IPs that the scanning is coming from; is there a way to tell the forwarders to NOT forward that log data from the firewalls for those IPs? For example, if any tcp/ip log data is seen from 1.2.3.4, don't forward it, but if from any other IP address, treat it normally and forward it. Thanks for any insights on this. Our Splunk SME are looking at CRIBL to do this but reading this thread makes me believe there are configuration settings that might address this?    V/R Bob M.

Hello Guys, I make an dashboard where the users see their tasks to do, I would like to add an button or checkbox on each events that the user can checkbox when the task is done and  the result keep saved. How can I do that ?    regards,  

Hello All, I have JSON data and sometimes it is nested and sometimes it is not, whenever it is a nested array I have a {} in the field name, and when it's not there is no {}. I'm trying to make a field alias to a common field name. But, I want to write a single alias to convert the field name if {} is present or not to a new name? Any leads on how can I do it? (Either remove {} before the fields are extracted at search time or aliasing in the props.conf to a new name.) eg: items{}.description once, items.description the other other time --> rename to items.description during the search time without using rename command                        OR remove {} before fields are extracted on the search head. P.S: I don't want to do index time field extraction. #fieldaliasing #json