When using the DLTK, I get a lot of different error messages rather frequently, the most often occurring being:"Could not parse xml reply (no reply from script). See splunkd.log for more info.." with "02-25-2022 11:21:05.426 +0100 WARN HttpListener [16744 HttpDedicatedIoThread-7] - Socket error from 127.0.0.1:60124 while accessing /services/mltk-container/sync: Winsock error 10053" as the corresponding entry in the log file. The state of the DLTK on my machine is, that a connection with Docker has been successfully established, but no containers are found in the containers context menu except for the __dev__ container, which cant be started. I have pulled some of the images from dockerhub as described in the setup guide for air gapped environments, even though mine is not. These are not found by Splunk. Has anyone got any idea of what I might be doing wrong, I have tried to follow the setup guide as closely as possible without success. Thanks in advance

I've this | eval status=if(CODE=200,"success","failure")  i need to have 3 fields like success, failure , total I'm trying this  | stats eval(if(c(CODE=200))) as success but its not working  Could you please help ?

Hello Splunk Community,  I am trying to replicate a heat map using the table formats app available through Splunk.  I see the coloring of the cells when I use the stats command as below, but I need to have the data show as a chart. The issue is when I use chart all the color goes away from the table. Is there a work around for this problem?    <dashboard> <label>Table Formats</label> <description>Format columns using built-in table formats (coloring, number formatting).</description> <row> <panel> <table> <search> <query> index="Dept_data_idx" eventType="Created" status="success" host=* | bucket _time span=1h | stats count by _time host </query> <earliest>-7d</earliest> <latest>now</latest> </search> <format type="color" field="count"> <colorPalette type="minMidMax" maxColor="#31A35F" minColor="#FFFFFF"></colorPalette> <scale type="minMidMax"></scale> </format> </table> <html> </html> </panel> </row> </dashboard>    

Hi, I'm writing a splunk query to find emails with specific file types attached I have the regex working which pulls the files and also extracts the file extensions which I'll be using for data collection purposes later. I will then use this extracted file extension to search and return specific emails containing files with said extension (hope that makes sense) The problem is that when I use |where FileExtension=".doc" I get events returned where it contains a .doc file which is fine. But it also shows all the other files attached which I do not want. For example I want my output to be sender recipient file.doc   But what I am getting is  sender recipient file.doc file.a file.b file.c file.d   Is there any way to do some kind of exclusive search that will ignore the extra data in the file field that are not .doc's as they are of no interest to me at the moment?

Trying to run a query that has a token field.  The output injects a space before and after the token provided keyword, which breaks the query..  Simple, but baffling.  Original query     |inputlookup somelookup.csv | eval raw="" | foreach * [eval raw=raw.",".coalesce('<<FIELD>>',"") ] | search raw="*$token$*" | table field1, field2, field3     Output of query     |inputlookup somelookup.csv | eval raw="" | foreach * [eval raw=raw.",".coalesce('<<FIELD>>',"") ] | search raw="* <keyword> *" | table field1, field2, field3       How do I get rid of the spaces before and after the keyword?

I supposed to get the some data in Splunk twice in a day. I want to create 2 email alerts as follows: 9 AM email alert: should alert if no data received at 5 AM and/or if no data received previous day at noon.  3 PM email alert: should alert if no data received at noon and/or if no data received earlier the same morning at 5. Thanks for your help in advance. @bowesmana 

I am in the process of creating a search to detect significant hard drive decreases.  Using the results from my search, I would like to then create a timechart to show how the usage has changed over time.  This is my search:    index=perfmon collection=LogicalDisk sourcetype="Perfmon:LogicalDisk" counter="% Free Space" (instance!="HarddiskVolume*") (instance!=_Total) | eval usedSpace=round(100-Value,0) |stats min(usedSpace) as min, avg(usedSpace) as avg by host, instance |eval delta = avg - min |where delta>10 |rename instance as drive      My results return the hostname, the drive letter, the minimum, the average, and the delta for the disk space usage in a tabular format.   Let's say it returns one host, I would then like to use that same host to return a timechart for the host and drive.   Is this possible?