I am on Splunk 8.2.4 While performing "Migrate the KV store after an upgrade to Splunk Enterprise 8.1 or higher in a clustered deployment"  (see https://docs.splunk.com/Documentation/Splunk/8.2.4/Admin/MigrateKVstore ) splunk start-shcluster-migration kvstore -storageEngine wiredTiger -isDryRun true I'm getting message "Admin handler 'shclustercaptainkvstoremigrate' not found." Searh Head KV_Store is up and running. Splunk 8.2.4 I can't find any troubleshoot topic. Does anyone know how to fix this issue?

Some of my apps are failing AppInspect's check_for_vulnerable_javascript_library_usage check but I didn't include any javascript. I did built the apps with the Splunk Add-on Builder and I see some javascript that was packaged as a result. I understand that this is resolved in the newest version of Splunk® Add-on Builder. How do I update my app to be built by this latest version of Splunk Add-on Builder, thereby resolving these issues.

How can I find the avg duration trend (timechart) of top 5 (most used) api above 5 seconds. If api has the same total calls, pick the highest duration. This is what I have so far.     <Search string> | bin _time span=1m | eventstats count as total by api | stats avg(kpi_value) as duration by _time api total | where duration >5 | timechart eval(round(avg(duration),2)) as avg_duration by api where total in top5 limit=0      

Hi Team, I am wondering if there is any command to to calculate how many times a string consecutive present. for eg :  Here I am trying to pull the letter "C" if the data is "ACDEFCCCXYZ" - output should be "3" if the data is "ACDEFCCXYCCCCZ" - output should be "4"   Not sure what could be possible way to do it. Please assit Thanks

hello As you can see, I stats events by _time in a first table panel When I click on the result count I need to display an other table panel which displays the results of the value clicked What is wrong in my example? thanks     <panel> <table> <search> <query>index=toto sourcetype=tutu | stats count as count by _time</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <drilldown> <set token="count">$click.value$</set> </drilldown> </table> </panel> <panel depends="$count$"> <table> <search> <query>index=toto sourcetype=tutu | search count=$count$ | table _time crash_process_name count</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row>      

Howdy folks This is my field: ABC_Account_Name   I want to exclude these values: mcas* gmcas* I know I can do it this way: ABC_Account_Name!=mcas ABC_Account_Name!=gmcas   how do I combine them into one so that I have 1 exclusion that covers both values?  

Hi , I have created a panel in splunk dashboard which contains a table like below : account source count of events 1234567890 test_hec test_s3 123 90 0987654321 test_hec test_s3 80 900 this says : account : 1234567890 , source test_hec has 123 events count, test_s3 has 90 events count account : 0987654321, source test_hec has 80 events count, test_s3 has 900 events count I have do the coloring(highlight) to only that cell which matches below condition : account id source  count of events 0987654321 test_hec test_s3  80 900 i.e count of events from test_hec is less than count of events from test_s3 Please find screenshot I have attached. Can we achieve this ? Please let me know how we can do this ? Thanks in Advance  

Hello, I am attempting to extract from a field a seven digit number which can sometimes have a space or special character such as # in front of it. I want to be able to output it such that the new field only returns the seven digit number, no special characters or white space before and after. Also, I want to set it such that it will exclude where the seven digit number begins with zero. So far, I have only been able to come up with and tried the following in regular expression: (?<Field1>\d\d\d\d\d\d\d) *Pulls less than seven digits as well; need exactly seven. (?<Field1>[^a-zA-Z]\d{7}) *Does not omit special characters before it and pulls seven digit numbers of 0000000 (want to exclude these). Can I get some assistance on what the correct regular expression is to be able to pull a seven digit number with no special characters or space before/after and not all zeroes? Thanks!

Hello All, how can we search against 2 columns of a CSV lookup file and if the value of the field that i am searching for happens to be either of the 2 columns, then exclude those results ? Kind of a whitelist. Lets say i have a csv table of 2 columns as follows URLs UA         i am searching against my firewall logs and if the url field in the events matches  against URLs column of the table  OR the user_agent field from events matches the UA column of the table, then exclude those events This is what i have come up with but its not working...     index= firewall NOT [ | inputlookup lookup_file.csv | rename url as URLs | fields url] OR NOT [ |inputlookup lookup_file.csv | rename user_agent as UA | fields user_agent] .......      

Hi, Is it possible to make use of multiple indexes in one query. Below is the use case which I am trying to implement.  If the connection from a IP address has a threat signature match in IPS, then look for the same address in WAF and if the WAF action is alerted, then trigger the alert. If the WAF action is blocked, then the alert can be suppressed.  Is it possible to implement this use case. I am just trying to fine tune our detection capabilities as much as possible. 

A002 : A] [A004 : 2] [A005 : 2000] [A006 : 0110] [A007 : 85] [A008 : VISA Credit] [A008.ID : 9] [A010 : 1644757200000] [A019 : ANZ 407220] [A021 : 20] [A022 : A] [RESPONDER : 5] [A028 : 85] SELECT A028, responder, count( * ) as total from table where A028 <> '00' group by auth_resp_cde, auth_responder The above one is SQL query i wanted to similar query in the SPLNK please assist.