how to exclude user name that start with the number "0" on a correlation search on ES This is the query: | from inputlookup:access_tracker | stats min(firstTime) as firstTime,max(lastTime) as lastTime by user | where ((now()-'lastTime')/86400)>90 and I want to remove all user that start with "0" Thank you  

Hi I have configured a 3INX 1SH 1MN cluster. I have activated the license master on the SH, I have noticed that the "index=_internal source=*license_usage.log" Is only available on the SH, meaning the data from the indexes are being sent from the indexers to the SH. I am reading this document about how we should send all _internal data to the Indexers? https://docs.splunk.com/Documentation/Splunk/7.0.1/Indexer/Forwardmasterdata?_ga=2.199674158.1222254230.1645723900-1328632051.1639410282 So, when I activated this, am I not sending back the same data that the indexers have just sent me? Or does something happen where the data is not sent at all? Thanks in advance Rob 

Hello,  I have the next following event : { [-]     dimensionMap: { [+]     }    dimensions: [ [+]     ]    timestamps: [ [-]       1645718340000      1645718400000      1645718460000      1645718520000      1645718580000      1645718640000      1645718700000      1645718760000      1645718820000      1645718880000      1645718940000    ]    values: [ [-]       0.54      0.63      0.37      0.56      0.47      0.45      0.65      0.64      1      null      null    ] } I would like to link each timestamp to its corresponding value. For instance, following this example, it could look like this as a table :       Timestamp                                                                 Value 1645716780000                                                            0.42 1645716840000                                                            0.79 1645716900000                                                            0.53 1645716960000                                                            0.63 1645717020000                                                            0.59 1645717080000                                                            0.5 1645717140000                                                            0.57 1645717200000                                                            0.59 1645717260000                                                            null 1645717380000                                                            null Thank you. Regards,

Hi I just updated splunk from 7.3.3 to 8.1.7.2 and Splunk_TA_aws from 4.6.1 to 5.2.0  (build 882) via 5.0.4. After that I cannot enter to  TA's inputs page. It open, but after that rolling "Loading" and nothing happened after that. When I look from internal logs I found the next entries on _internal       02-24-2022 16:38:02.552 +0200 ERROR AdminManagerExternal - Stack trace from python handler: Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunklib/binding.py", line 290, in wrapper return request_fun(self, *args, **kwargs) File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunklib/binding.py", line 71, in new_f val = f(*args, **kwargs) File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunklib/binding.py", line 680, in get response = self.http.get(path, all_headers, **query) File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunklib/binding.py", line 1184, in get return self.request(url, { 'method': "GET", 'headers': headers }) File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunklib/binding.py", line 1245, in request raise HTTPError(response) splunklib.binding.HTTPError: HTTP 401 Unauthorized -- call not properly authenticated During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 114, in init_persistent hand.execute(info) File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 637, in execute if self.requestedAction == ACTION_LIST: self.handleList(confInfo) File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/base_input_rh.py", line 64, in handleList inputs = self._collection.list() File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunklib/client.py", line 1479, in list return list(self.iter(count=count, **kwargs)) File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunklib/client.py", line 1438, in iter response = self.get(count=pagesize or count, offset=offset, **kwargs) File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunklib/client.py", line 1668, in get return super(Collection, self).get(name, owner, app, sharing, **query) File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunklib/client.py", line 766, in get **query) File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunklib/binding.py", line 304, in wrapper "Request failed: Session is not logged in.", he) splunklib.binding.AuthenticationError: Request failed: Session is not logged in.       and after that       02-24-2022 16:38:02.552 +0200 ERROR AdminManagerExternal - Unexpected error "<class 'splunklib.binding.AuthenticationError'>" from python handler: "Request failed: Session is not logged in.". See splunkd.log for more details.       This is an HF to get HEC and mod inputs from GCP and AWS into separate indexers. It also act as IHF for other UFs and HFs. It's on Clients own AWS environment. I found couple of answers which has some kind of similar cases (e.g. boto.cfg) but those didn't help us. Any ideas and hints how to solve this? We cannot update yet to 8.2.5+. This is probably some kind of hint: HTTP 401 Unauthorized -- call not properly authenticated All inputs are working as earlier after enabled those via conf files and restart splunkd. Before update those inputs are disabled with the same GUI (version 4.6.1). r. Ismo

I'm not that bad in searching but this case is a little over my head and I need some clever idea. I have postfix logs. They have three types of events. All events have queue_id field which identifies the message. The events have either from, to or (to and orig_to) fields set. I want to do stats values(from) by to orig_to The problem is that the fields are in separate events. And both methods of joining them together are faulted in one way or another. If I do eventstats values(from) by queue_id  I get the desired result but if I search over a longer timespan I'm hitting a memory limit. Sure, I can raise the limit in the config but it would be a better solution to find a more reasonable search for it If I try to do transaction queue_id Of course everthing works but the transaction joins the to and orig_to fields into multivalued fields and there is no reliable way to "unjoin" them (over one transaction you can have more to values than orig_to and you can't simply do mapping between the values). So I'm a little stuck how to transform my data to get from, to, orig_to tuples so I can later pass it to stats. Any hints? Of course, if nothing works I'll simply raise the limits and do eventstats but it's not a pretty solution.

Hi , In one of the OLD UF,  fish bucket has occupied the complete disk space and service has been stopped.  will deleting the fish bucket file cause forwarder to send all the old data that is already indexed ?

name uuid sysfs size dm-st paths failures action path_faults vend prod rev mpatha 360002ac000000000000010e30001c751 dm-1 120G active 4 0 0 3PARdata VV 3315 mpathb 360002ac000000000000010fb0001c751 dm-0 240G active 4 0 0 3PARdata VV 3315   The above is my multiline event in table format... I need to extract the below values(mpath, uuid): mpatha 360002ac000000000000010e30001c751 mpathb 360002ac000000000000010fb0001c751 Please help me. im new to this.. thank you so much..