Hi All, I have transaction data from a database and want to compare it with an index in splunk, filtering the transaction data which is has not exist in the index Have query like this : | dbxquery connection=monsplunk query="select userid, acctno, trxamt, trxstatus from "appdb"."apppymt" where accttyp is null " | join type=outer userid [search index=trxpayment_idx | fields userid] | eval mark = if (isnull(userid),"blank",userid) |search mark=blank |table userid, acctno, trxamt, mark when run the query above, the result still shown all data from transaction without filter from index data opposite result with lookup, using a same query and only change index in to inputlookup : | dbxquery connection=monsplunk query="select userid, acctno, trxamt, trxstatus from "appdb"."appymt" where accttyp is null " | join type=outer userid [|inputlookup trxpayment.csv] | eval mark = if (isnull(userid),"blank",userid) |search mark=blank |table userid, acctno, trxamt, mark it shown filtered data from lookup file  I prefer using index compare to lookup file , because the size of data  any one can help with index ? or if you have alternative it would be preferable too

HI All,  Not able to establish the connection, please advise  Driver used:  [sqlazure] displayName = SQLAzure useConnectionPool = false jdbcDriverClass = com.microsoft.sqlserver.jdbc.SQLServerDriver serviceClass = com.splunk.dbx2.MSSQLJDBC defaultPort = 1433  jdbcUrlFormat = jdbc:sqlserver://<host>:<port>;databaseName=<database> testQuery = SELECT 1 AS test Failure message - : Connection failure reason: The TCP/IP connection to the host projectmanagerbyshreyas.database.windows.net, port 1433 has failed. Error: "connect timed out. Verify the connection properties. Make sure that an instance of SQL Server is running on the host and accepting TCP/IP connections at the port. Make sure that TCP connections to the port are not blocked by a firewall.". Diagnosis: Either the database is unavailable, or the specified host/port is incorrect, or you are blocked by a firewall Troubleshooting recommendation: Make sure the database is running on the server and you or the database are not blocked by a firewall   Thanks in advance

How to completely remove/not select the directory path if it "remote" in its folder structure   my regex --- specification|Cu Req|Cu Spec|02 - Regulatory|\\*\\remote|| directory struture  /specification/Cu Req/remote/value --- remove complete path /specification/system/val_remote/cmd/system - remove since its has word as "remote" /specification/system/value/remote--- remove the path /specification /system/value/cmd/sys32 - consider  

hi i am hoping for some help regarding this. basically i would like to compare (subtract current to previous) the value of REX command on the latest data versus previous events REX command data. today Counters:                       Reset                Uptime              Lifetime Messages Received 13,524,598     13,524,585     13,524,598 Yesterday Counters:                       Reset                Uptime              Lifetime Messages Received 12,524,598     12,524,585     12,524,598   current filter | rex field="status detail" "(?<message_received_name>Messages Received)\\s*[0-9,]*\s*[0-9,]*\s*(?<message_received>[0-9,]*)" | rex field="status detail" "(?<current_time_text>Status as of:)\s*(?<query_time>.*)GMT" | stats latest(message_received_name) as Counter_Name latest(message_received) as Messages_Received latest(query_time) as Query_Time by Hostname   how can i use the same search on the previous event, so i can find the difference of "message_received" thanks,

We are having issues with our Splunk datamodel Endpoint Processes.process_name. The current value for Process.process_name is... case(isnotnull(process) AND parent_process!="",replace(process,".*\\\\(.*)","\1"),1=1,"unknown") The regex pulls correct and invalid results as follows... Correct: lsass.exe NmService.exe Microsoft.IdentityServer.ServiceHost.exe Incorrect: AppxData.csv" BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider RuntimeBroker.exe -Embedding The correct results show the actual process name while the incorrect ones may not show the process name or shows the process name with an extra quotation mark or command line arguments. How do we fix the regex to only show process name?

I have been trying to load balance firewall logs across a 12 node index cluster the heavy forwarder is under cluster control . It sees all 12 indexes to be able to write to from its "plunk list forward-server". But regardless of all the changes I have been making in the outputs.conf with LB settings it never want to send to more than five when I monitor | tstats summariesonly=t count WHERE index="network_traffic" by splunk_server _time | timechart span=1m sum(count) by splunk_server autoLBVolume=1048576 autoLBFrequency=5 I have split the ingest into multiple small files using syslog-ng Im just wondering is this "five" a hard limit for a forwarder? or a limitation for the old release I am currently on (will I have to create a horizontal forwarding layer for the firewall logs , artificially splitting the syslog ) Im running Splunk Enterprise 7.3.9 Many thanks , if anyone has any insight

hello,  I have a chart in my bashboard but when i click on Other, I don't have the results. It's possible to have the logs of the hosts when I click on other? index=firewall AND sourcetype=cisco:ios AND host="*r01p" OR "*r01s"| chart count by host | rename count as NumberEvent it's not possible to use the option useother=true  for chart ?    

We are using Prompt with extended time to 4 days. We have discovered that when the time of running playbook is over the Inactivity Timeout in Account Security Settings we have playbook execution error and a lot of authentication failure when we want to change status or add tag etc. Is theare an option than we can use Prompt with respond_in_mins larger than Inactivity Timeout and avoid authentication failure errors. Phantom version 4.10.

Hey, I am using a timechart on my dashboard, but it only shows NULL values. When I run the same search on search console, it shows all values as expected. What is the issue? Here is how it looks when I run it in the Search: Here is how the timechart looks in the dashboard: Here is the XML code for the dashbaord: Can you please help?

Hello,  I'm using Splunk Cloud. I have date with this format and i want splunk to identify date as the timestamp(_time value). {                "date":     "2022-03-08T13:00:46.3204337+01:00",                "Delay Time":     "0 Sec",                "OrderNumber":      "6285071",                 "Key / CLE":    "622203040258800100A",                  "Name":    "ZM400_FINCON9P"              } I have a source type defined like this but it's not working.    Did someone have a solution please ?  Thank you all